Tales from the Crypt
October 29th, 2009
Symantec Security Response has become aware of a Trojan Horse we detect as Trojan.Ramvicrype. The Trojan uses the RC4 algorithm to encrypt files on compromised computers, rendering them unusable. Presence of files with a .vicrypt extension is a sure-fire sign of infection.
Trojan.Ramvicrype is a little different from most other Ransomware programs we’ve seen in the past. Typically these kinds of threats display a message prompting users to visit a certain Web page or email a specific address. Users will end up paying the online criminals in exchange for keys that can be used to unlock the computer or decrypt the encrypted files.
Previously posted blogs on the subject of Ransomware can be found at:
* The Key(generator) to the SMS Ransomware Threat
* SMS Ransomware Threat
In contrast to the above threats, Trojan.Ramvicrype does not make a direct demand for cash in return for keys. How are they making their money here? It turns out that entering the term ‘vicrypt’ into a search engine leads us to a company offering a fix, which of course is a charged service. So, there was a reason for that file extension after all.
Unfortunately, performing a search for ‘vicrypt help’ or similar may not be an option for those whose machines have been compromised. Consider the %UserProfile%\Recent folder, which is used by Windows to maintain links to recently opened files. For example, if you open a text file called sales-report.txt on your desktop, a .lnk file is created that points to the file itself, %UserProfile%\Desktop\sales-report.txt. Since Trojan.Ramvicrype encrypts files in all folders pointed to by the links to recently opened files, one of the worst case scenarios occurs when a file in the Windows system folder has recently been opened. This leads to a situation in which the threat encrypts all files in the Windows system folder, the computer is critically damaged and the user is unlikely to be able to access the Internet to search for the fix.
Continues at Symantec Security Blog