When successfully executed, a ransomware attack encrypts a victim’s files and then leaves it up to the victim to determine whether to trust the attackers enough to pay their demanded fees.
Now, however, a newly identified ransomware, ‘CoinVault,’ is changing up these tactics by offering victims a “free decrypt,” possibly to show good faith on the attackers’ side, according to a SecureList blog post. Santiago Pontiroli, security researcher, Global Research and Analysis Team, Kaspersky Lab, said in an interview with SCMagazine.com that this free file doesn’t prove much.
“It’s still sending private information from you to the cyber criminals,” Pontiroli said. “Even if it works, nothing guarantees that they (the attackers) will keep their word.”
Even more interesting than CoinVault’s free decrypt is the malware’s intense measures to keep itself hidden, particularly from researchers.
As compared to CryptoLocker, for example, getting a sample of CoinVault requires passing through multiple security layers and dealing with string keys and byte arrays to eventually get to the malicious payload. Ultimately, Pontiroli explained, researchers can get to the sample, but it takes time.
“They make that effort (to delay analysis) because it’s more money for them,” he said. Pontiroli also believes the attackers could have been analysts because the ransomware specifically checks for tools analysts use, including Sandboxie and Wireshark.
The extra time bought from instilling these security layers allows attackers to test their malicious code, alter it and begin cashing in, all before researchers’ blog posts are released.
CoinVault doesn’t vary much from traditional attacks in that it requests victims use bitcoins to recover their files, and if no payment is received within 24 hours, the ransom increases.
Pontiroli recommends that all IT security professionals maintain a backup policy to ensure files can be recovered in the event of infection.
“If you have a backup policy in place, then don’t pay,” he said. “If you keep paying then this business will go on forever.”
People around the world have complained of CoinVault infecting their computers and a large portion have been based in the U.S.