{"id":18199,"date":"2015-12-22T15:33:01","date_gmt":"2015-12-22T22:33:01","guid":{"rendered":"https://www.webroot.com/blog/?p=18199"},"modified":"2018-01-30T12:37:27","modified_gmt":"2018-01-30T19:37:27","slug":"vaultcrypt-on-rampage-in-russia-and-eastern-europe","status":"publish","type":"post","link":"https://www.webroot.com/blog/2015\/12\/22\/vaultcrypt-on-rampage-in-russia-and-eastern-europe\/","title":{"rendered":"Russians are not immune to Encrypting Ransomware"},"content":{"rendered":"<p>Victims of CryptoWall 4.0 have found that Russian users are spared any encryption when the malware is deployed on their system. That&#8217;s because it checks which keyboard layout is in use, and if Russian is detected as the keyboard language it kills itself before encrypting anything. This isn&#8217;t much of a surprise, since we&#8217;ve always known these guys were Russian (at least the spam servers) and target mainly the US and Europe. But everyone is susceptible to encrypting ransomware, so here&#8217;s a look at a recent encrypting ransomware that\u00a0will target Russians.<\/p>\n<p>While this encrypting ransomware may look a little different, it&#8217;s pretty much the same as the rest: it encrypts your files after arriving via a phishing email and holds them for\u00a0bitcoin ransom, payable through the Tor browser. 
The encryption routine is done using GPG Tool, an open source encryption tool, and the &#8220;.vault&#8221; extension is appended to each encrypted file.<\/p>\n<p>Once you enter the Onion link into the Tor browser you&#8217;ll be presented with the following\u00a0pages:<\/p>\n<div style=\"width: 1000px\" class=\"wp-caption alignnone\"><img decoding=\"async\" loading=\"lazy\" class=\"\" src=\"http:\/\/i.imgur.com\/0GkERzg.png?1\" alt=\"\" width=\"990\" height=\"608\" \/><p class=\"wp-caption-text\">The bitcoin currency is continuing its climb<\/p><\/div>\n<div style=\"width: 812px\" class=\"wp-caption alignnone\"><img decoding=\"async\" loading=\"lazy\" class=\"\" src=\"http:\/\/i.imgur.com\/Sezcszk.png?6\" alt=\"\" width=\"802\" height=\"612\" \/><p class=\"wp-caption-text\">This is the payment portal &#8211; the victim is subject to a price increase after 4 days.<\/p><\/div>\n<div style=\"width: 829px\" class=\"wp-caption alignnone\"><img decoding=\"async\" loading=\"lazy\" class=\"\" src=\"http:\/\/i.imgur.com\/u2abdal.png?1\" alt=\"\" width=\"819\" height=\"609\" \/><p class=\"wp-caption-text\">This variant also introduces the &#8220;freebie&#8221; structure, which allows you 4 free file decrypts. This is so you can see what the decryption routine is like and know that you&#8217;ll get your files back if you do pay the ransom.<\/p><\/div>\n<p>Once you&#8217;ve paid the ransom you can download the decryption tool from the portal.<\/p>\n<p><strong>MD5 Analyzed:<\/strong><\/p>\n<p>87c6023bf8922d84927247c15621a02e<\/p>\n<p>Webroot will catch this specific variant in real time before any encryption takes place. We\u2019re always on the lookout for more, but just in case of new zero-day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. 
Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware you can simply restore your files, as we keep a snapshot history of up to ten previous copies of each file. Please see our <a href=\"https:\/\/community.webroot.com\/t5\/Webroot-Education\/Best-practices-for-securing-your-environment-against\/ta-p\/191172\">community post<\/a> on best practices for securing your environment against encrypting ransomware.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Victims of CryptoWall 4.0 have found that Russian users are spared any encryption when the malware is deployed on their system. That&#8217;s because it checks which keyboard layout is in use, and if Russian is detected as the keyboard language it kills itself before encrypting anything. This isn&#8217;t much of a surprise, since we&#8217;ve 
[&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":18213,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[14215,5443,5435,8787,3483,19299,4487,8223,5423,3937,4157,4145,4533,19297,3529,3471,5439,4201,3525,4369],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/18199"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=18199"}],"version-history":[{"count":7,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/18199\/revisions"}],"predecessor-version":[{"id":18215,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/18199\/revisions\/18215"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/18213"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=18199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=18199"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=18199"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=18199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}