A new variant of ransomware is using the .vault extension to give the appearance that it's already been quarantined by an antimalware program. While worrisome, I've heard it isn't advanced. How does this malware work, and what threat does it pose?
While the new CrypVault malware is not overly sophisticated, it demonstrates how an attacker with modest resources can create an effective ransomware attack. It uses scripts and command-line utilities to assemble the entire attack: batch scripts edit the registry and tie the steps together, GnuPG performs the file encryption, and SDelete securely deletes the configuration files. The files encrypted with GnuPG are saved with a .vault extension to further disguise them.
Renaming a file extension helps a ransomware attack bypass simple blacklists and makes it harder for users to understand what happened to their files, but it is not sufficient to bypass current antimalware tools. If a security tool your enterprise relies on misses an infection merely because the malware's file names do not match what it expects, you should quickly replace it with a better tool.
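Because the .vault rename only defeats name-based blacklists, a defender can identify the encrypted files by content instead. As an added example that is not part of the original answer, the Python below recognises OpenPGP-encrypted files (the format GnuPG writes) from the packet header in their first bytes, regardless of extension, and scans a directory tree for them; the file names and byte strings in demo_scan are constructed samples, not artifacts from CrypVault.

```python
import os
import tempfile

# OpenPGP packet tags (RFC 4880) that can open an encrypted message.
ENCRYPTED_TAGS = {1: "public-key encrypted session key",
                  3: "symmetric-key encrypted session key",
                  9: "symmetrically encrypted data",
                  18: "symmetrically encrypted integrity-protected data"}
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"

def openpgp_packet_tag(data: bytes):
    """Return the tag of the OpenPGP packet header at data[0], or None if it is not one."""
    if not data or not data[0] & 0x80:   # bit 7 is set in every packet header
        return None
    if data[0] & 0x40:                   # new-format header: tag in the low 6 bits
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F         # old-format header: tag in bits 2..5

def classify(head: bytes):
    """Describe the content if it looks like an OpenPGP-encrypted message, else None."""
    if head.startswith(ARMOR_HEADER):
        return "ASCII-armored PGP message"
    return ENCRYPTED_TAGS.get(openpgp_packet_tag(head))

def scan_tree(root: str):
    """Return (path, description) for every file under root whose *content* is PGP-encrypted."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(32)
            except OSError:
                continue
            kind = classify(head)
            if kind:
                hits.append((path, kind))
    return hits

def demo_scan():
    """Constructed sample tree (hypothetical files); returns the base names scan_tree flags."""
    root = tempfile.mkdtemp()
    samples = {"report.docx.vault": b"\x8c\x0d\x04\x09\x03\x00",  # old-format tag 3, as gpg -c writes (constructed)
               "budget.xlsx": b"\xd2\x00",                        # new-format tag 18, extension untouched
               "notes.vault": b"renamed only, never encrypted",  # .vault name but plain content
               "readme.txt": b"plain text"}
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return sorted(os.path.basename(p) for p, _ in scan_tree(root))
```

The scan flags the renamed-but-plain notes.vault as clean and the encrypted budget.xlsx as a hit, which is exactly the distinction an extension blacklist cannot make.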
The threat CrypVault poses to enterprises is the same as that of any other malware: it can execute on an endpoint and destroy files or cause other havoc. It also appears to specifically target Russian users, which limits the population the ransomware can successfully extort.
Enterprises should have standard antimalware security controls in place to prevent and defend against malware like CrypVault, and should also take steps to protect against other ransomware attacks, such as keeping good backups at all times.
Ask the Expert:
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now. (All questions are anonymous.)