LTS Secure Warning: MalSpam & Malvertising Campaign Being Used As A Vector To Spread GetCrypt Ransomware
GetCrypt ransomware was first detected in May 2019 and behaves much like other ransomware families. What distinguishes it is that it appends two extensions to every encrypted file:
- .vip
- A random 4-character extension, which is unique to every victim.
Technical Details
The ransomware is delivered through MalSpam and malvertising campaigns that redirect users to sites hosting the RIG exploit kit, which identifies and exploits vulnerabilities on the user's device. Upon successful exploitation, the next phase downloads the GetCrypt ransomware onto the device. Before doing so, the malware checks the user's language; if it matches one of the following, the process is terminated:
- Belarusian
- Kazakh
- Russian
- Ukrainian
If no match is found, the infection proceeds as follows:
- Clears all volume shadow copies to remove any chance of recovering files from them.
- Locates pictures, music, databases, documents, etc. and encrypts them using RSA-4096 and the Salsa20 algorithm.
- Drops a ransom note containing the procedure the victim must follow to get his/her files decrypted.
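The dual-extension pattern described above is the most visible host artefact, and because the random extension is unique per victim, every encrypted file on one machine shares it. The following triage helper is an added example, not part of the advisory; it assumes the two extensions are appended next to each other (in either order) and that the random part is lowercase letters and digits.

```python
import re
from collections import defaultdict

# Constructed for this example; only the ".vip" plus random 4-character
# extension pair comes from the advisory. Assumptions: the two extensions
# are adjacent, in either order, and the random part is alphanumeric.
GETCRYPT_SUFFIX = re.compile(
    r"(?:\.vip\.(?P<tail>[a-z0-9]{4})|\.(?P<head>[a-z0-9]{4})\.vip)$",
    re.IGNORECASE,
)

def victim_token(path):
    """Return the 4-character victim-specific extension if `path` carries
    the GetCrypt dual-extension pattern, otherwise None."""
    m = GETCRYPT_SUFFIX.search(path)
    if not m:
        return None
    return (m.group("tail") or m.group("head")).lower()

def find_getcrypt_candidates(paths, min_hits=5):
    """Group matching files by victim token. A token shared by many files
    is a strong indicator; a lone match is treated as noise."""
    by_token = defaultdict(list)
    for p in paths:
        tok = victim_token(p)
        if tok:
            by_token[tok].append(p)
    return {tok: sorted(files) for tok, files in by_token.items()
            if len(files) >= min_hits}

# Constructed directory listing for demonstration (not real indicators).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.vip.k7q2",
    r"C:\Users\alice\Documents\budget.xlsx.vip.k7q2",
    r"C:\Users\alice\Pictures\holiday.jpg.vip.k7q2",
    r"C:\Users\alice\Music\track01.mp3.vip.k7q2",
    r"C:\Users\alice\Desktop\notes.txt.vip.k7q2",
    r"C:\Users\alice\Desktop\notes.txt",              # untouched file
    r"C:\Users\alice\Downloads\archive.vip.tar",      # 3-char ext, no match
    r"C:\Users\alice\Downloads\stray.doc.vip.zz9q",   # lone hit, below threshold
]

if __name__ == "__main__":
    for tok, files in find_getcrypt_candidates(SAMPLE_LISTING).items():
        print(f"victim extension .{tok}: {len(files)} encrypted files")
```

Run it over a real file-system listing (for example the output of a recursive directory walk) to get the per-host victim extension, which is also the value to search for across other hosts when scoping the incident.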
Impact
- Downtime in business-critical operations.
- Damage to hostage systems, data, and files.
- Operational and financial loss to the business or individual.
Recommended Actions
- Avoid opening emails and attachments from unknown senders.
- Do not open advertisements shown on websites unless you know they are genuine.
- Take system backups at regular intervals.
- Ensure that your devices are always up to date with the latest patches released.
- Regularly update your antivirus software and perform malware scans to protect against unknown threats.