GetCrypt Ransomware: Modus Operandi and Solutions

GetCrypt Ransomware: Modus Operandi and Solutions
A new ransomware is in the dark market which encrypts all
the files on the device and redirects victims to the RIG exploit kit. It’s
being installed via “Malvertising” campaigns.

Securoty researchers found it while it was being installed
by way of a RIG exploit kit in the “Popcash malvertising” campaigns.
First the victim is redirected to a page hosting the exploit
kit, and then the malicious scripts on it would try to exploit vulnerabilities
on the device.
If all goes well it will download and install GetCrypt into
Windows.
Reportedly, when the exploit kit executes the ransomware,
GetCrypt checks if the Windows language is set to Russian, Ukranian, Kazakh or
Belarusian.
If so the ransomware immediately terminates and no
encryption happens. If not, the ransomware examines the CPUID of the computer.
The Id is used to create a 4 character string which is used
as an extension for encrypted files.
The four character extension that was created is appended while
the files are encrypted. The files’ names are changed after they are encrypted
Later on the Shadow Volume Copies are cleared by running the
vssadmin.exedeleteshadows/all/quiet command.
Then, the ransomware starts to scan the computer for the
files to encrypt. No particular files types are targeted, except for files located
under the following folders:
·       :$Recycle.Bin
·       :ProgramData
·       :UsersAll
Users
·       :Program
Files
·       :Local
Settings
·       :System
Volume Information
·       :Recovery
According to the sources, GetCrypt makes use of the Salsa20 and RSA-4096 algorithms for encryptions.
GetCrypt also creates a ransom
note
in each folder while it
encrypts the files, named #decrypt my files#.txt
The aforementioned ransom note commands the victim to
contact [email protected] for payment
instructions.
GetCrypt would also change the victim’s desktop background
to an image with the ransom note written all over it which is stored at
%LocalAppData%Tempdesk.bmp
In addition to all the other things GetCrypt does, it will
also try to encrypt files on network shares. When encrypting, it would also
attempt to brute force the network account credentials.
It would use an embedded list of usernames and passwords to
connect to the network shares using the WNetEnumResourceW
function.
It could also try to brute force the credentials and mount
them using the WNetAddConnection2W
function.
All you need to get your files decrypted for free is an
unencrypted copy of your encrypted file.
Simply download the decrypt_GetCrypt.exe
program from the following link and save it on your desktop:
Once downloaded, run the decryptor and select an encrypted
file you wish to decrypt and its unencrypted version.
Click on the start button. The decyptor will now brute force
your decryption key and VOILA! Your files will get decrypted.

Share this with Your friends:

Leave a Reply

Your email address will not be published. Required fields are marked *