GetCrypt Ransomware: Modus Operandi and Solutions

A new ransomware, GetCrypt, is circulating that encrypts the files on an infected device. Victims are delivered to it through the RIG exploit kit, which is being pushed via “malvertising” campaigns.

Security researchers found it while it was being installed by way of the RIG exploit kit in the “Popcash malvertising” campaigns. First the victim is redirected to a page hosting the exploit kit, and then the malicious scripts on that page try to exploit vulnerabilities on the device. If all goes well, the kit downloads and installs GetCrypt into Windows.

How GetCrypt Works
Reportedly, when the exploit kit executes the ransomware, GetCrypt checks whether the Windows language is set to Russian, Ukrainian, Kazakh or Belarusian. If so, the ransomware terminates immediately and no encryption happens. If not, the ransomware examines the CPUID of the computer. The ID is used to create a 4-character string that serves as the extension for encrypted files: as each file is encrypted, its name is changed by appending that extension.

Later on, the Shadow Volume Copies are cleared by running the command vssadmin.exe delete shadows /all /quiet. Then the ransomware starts to scan the computer for files to encrypt. It does not target particular file types, but it skips files located under the following folders:

· :\$Recycle.Bin
· :\ProgramData
· :\Users\All Users
· :\Program Files
· :\Local Settings
· :\Windows
· :\Boot
· :\System Volume Information
· :\Recovery
· AppData

According to the sources, GetCrypt makes use of the Salsa20 and RSA-4096 algorithms for encryption. GetCrypt also creates a ransom note, named #decrypt my files#.txt, in each folder while it encrypts the files. The ransom note instructs the victim to contact [email protected] for payment instructions. GetCrypt ..
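As an added example, not code from the article or from any vendor, the following Python sketch turns the behaviours described above into detection logic run over constructed log events: the quiet deletion of all shadow copies via vssadmin, a burst of renames that append the same 4-character extension outside the folders the ransomware skips, and the creation of the #decrypt my files#.txt note. The event dictionaries, their field names (event, cmdline, old_path, new_path, path) and the sample extension .a1b2 are assumptions; real telemetry such as process-creation and file events from an endpoint sensor would have to be mapped onto them.

```python
"""Detection sketch for the GetCrypt behaviours described in the article.

Added example, not the article's own code. Event records are constructed
here; their field names are assumptions, not a real log schema.
"""
import re
from collections import Counter

# Shadow-copy deletion: whitespace is normalised and the match is
# case-insensitive, so spacing or casing tricks do not evade it.
_VSSADMIN_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all\b.*/quiet\b", re.I)

RANSOM_NOTE_NAME = "#decrypt my files#.txt"   # note name given in the article

# Folders the article says GetCrypt leaves alone; renames inside them are
# ignored so that ordinary system activity does not inflate the counter.
SKIPPED_DIRS = (
    "$recycle.bin", "programdata", "users\\all users", "program files",
    "local settings", "windows", "boot", "system volume information",
    "recovery", "appdata",
)


def is_shadow_deletion(cmdline: str) -> bool:
    """True if the command line quietly deletes all shadow copies."""
    return bool(_VSSADMIN_RE.search(" ".join(cmdline.split())))


def appended_extension(old_path: str, new_path: str):
    """Return the 4-character extension a rename appended, else None.

    GetCrypt keeps the original name and appends '.xxxx', so the new path
    must be the old path followed by a dot and exactly four characters.
    """
    if not new_path.startswith(old_path + "."):
        return None
    ext = new_path[len(old_path) + 1:]
    return ext if len(ext) == 4 and ext.isalnum() else None


def in_skipped_dir(path: str) -> bool:
    """True if the path lies under one of the folders GetCrypt skips."""
    low = path.lower()
    return any(f"\\{d}\\" in low for d in SKIPPED_DIRS)


def analyse(events, min_renames: int = 5):
    """Scan event dicts and return (finding, detail) tuples."""
    findings = []
    ext_counts = Counter()
    for ev in events:
        kind = ev["event"]
        if kind == "process" and is_shadow_deletion(ev.get("cmdline", "")):
            findings.append(("shadow_copy_deletion", ev["cmdline"]))
        elif kind == "file_create" and ev["path"].lower().endswith(RANSOM_NOTE_NAME):
            findings.append(("ransom_note", ev["path"]))
        elif kind == "file_rename" and not in_skipped_dir(ev["old_path"]):
            ext = appended_extension(ev["old_path"], ev["new_path"])
            if ext:
                ext_counts[ext.lower()] += 1
    # Many files gaining the same appended 4-character extension is the
    # mass-rename pattern the article describes.
    for ext, n in ext_counts.items():
        if n >= min_renames:
            findings.append(("mass_rename", f".{ext} x{n}"))
    return findings


# Constructed sample events (hypothetical paths; '.a1b2' is an assumed extension).
SAMPLE_EVENTS = [
    {"event": "process", "cmdline": "svchost.exe -k netsvcs"},
    {"event": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
] + [
    {"event": "file_rename",
     "old_path": rf"C:\Users\bob\Documents\file{i}.docx",
     "new_path": rf"C:\Users\bob\Documents\file{i}.docx.a1b2"}
    for i in range(6)
] + [
    # Inside a skipped folder: must not count towards the rename burst.
    {"event": "file_rename", "old_path": r"C:\Windows\Temp\x.log",
     "new_path": r"C:\Windows\Temp\x.log.a1b2"},
    # Benign rename: the new name does not append a 4-character extension.
    {"event": "file_rename", "old_path": r"C:\Users\bob\Documents\report.tmp",
     "new_path": r"C:\Users\bob\Documents\report.docx"},
    {"event": "file_create", "path": r"C:\Users\bob\Documents\#decrypt my files#.txt"},
]

if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EVENTS):
        print(f"{kind}: {detail}")
```

The rename rule deliberately counts only renames whose new name is the old name plus a dot and four alphanumeric characters, which matches the appended-extension behaviour described above and ignores ordinary renames; the threshold is a tunable that should be set from baseline rename rates on the monitored hosts.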