Vcrypt ransomware brings a friend to do the encryption, Naked Security.
Here’s a ransom story with a difference.
The sample we looked at for this article is detected by Sophos products as Troj/Ransom-FXO, but you will also hear it called Vcrypt, after the file extension the malware uses.
Of course, the malware doesn't call itself by any of these nicknames – it calls itself video_driver.exe, which sounds harmless and claims to be just that, a video driver:
The bad news is that whoever wrote this malware decided to make it doubly destructive: it encrypts files on the C: drive with a secret decryption key, but on every other drive it simply deletes them, iterating through the drive letters A: to Z:, skipping C:, and issuing commands to delete every file and folder it can find.
The good news is that the Ransom-FXO programmer didn't put much effort into the encryption and used a hard-coded cryptographic key that can easily be extracted from the malware file.
That really is good news, because it means there is no need to buy the secret key.
Unusually, the perpetrator of this attack didn't use Tor or the dark web to set up a payment site where you could see how much the key would cost and where to send the bitcoins.
Instead, they used a regular free hosting website, which has since removed the offending content, so you couldn't buy the password even if you wanted to.