Name: KRIPTOVOR
Type: Crypto-ransomware
Encryption Type: open-source Delphi library LockBox 3
Short Description: Origin: Russia. The name KRIPTOVOR is Russian (крипто + вор, "crypto thief"); it was given a Russian name because the ransomware targeted only companies located in Russia and international companies doing business in Russia.
Symptoms: Encrypted files become inaccessible. The desktop background is changed.
Distribution Method: Spam email
Image: [KRIPTOVOR screenshot]
More Details

The name KRIPTOVOR is Russian (крипто + вор, "crypto thief"), and it was given a Russian name because the ransomware targeted only companies located in Russia and international companies doing business in Russia. It first appeared in early 2014. At that stage it was designed only to steal cryptocurrency wallets from its victims; the ransomware component was added later. During 2014 many victims reported losing valuable data to it. Encrypted files are renamed with a .Just extension, and the malware leaves notes for the victim stating the payment method and the other information needed to pay.

This ransomware had its own evasion techniques, which made researchers' work much harder. The main one is self-termination: if the information-stealing step or the encryption step does not succeed, the malware terminates itself instead of continuing to run.

How is the infection done?

Now we can look at the entire life cycle of the ransomware. First, an email is sent to the victim with a Word document attached that has been crafted to look like a PDF file. If the victim opens this file, the ransomware begins its routine in the background.

A sample of the Word document is shown below.

[Image KRIPTOVOR1.1: sample Word document attachment]

The Word document samples seen so far are also digitally signed, but with an untrusted certificate. A signature that does not chain to a trusted root gives no assurance about who produced the file, so the presence of a signature must not be read as a sign of legitimacy.

[Image KRIPTOVOR1.2: digital signature on the document]
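The lure described above relies on the attachment not being what its name and icon suggest: a Word document (possibly carrying an embedded object) presented as a PDF. The following is an added example written for this page, not code from the page's source or from the malware analysis it summarises. It classifies attachments by their leading bytes and by the OOXML layout rather than by extension, and flags the mismatches that this lure depends on. The sample attachments, their names and the minimal in-memory .docx fixture are constructed for the example; the certificate check mentioned in the text is out of scope here.

```python
import io
import os
import zipfile

# Magic bytes of the formats involved in this lure (well-known constants).
PDF_MAGIC = b"%PDF-"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file: legacy .doc, embedded objects
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx) is a ZIP container


def identify(data: bytes) -> str:
    """Classify an attachment by its content, ignoring whatever its name claims."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(OLE_MAGIC):
        return "doc"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            # Objects embedded in a Word document are stored under word/embeddings/;
            # a packaged executable would live there.
            if any(n.startswith("word/embeddings/") for n in names):
                return "docx+embedded"
            return "docx"
        return "zip"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return the claimed type, the real type and the reasons to distrust the file."""
    claimed = os.path.splitext(filename)[1].lower().lstrip(".")
    actual = identify(data)
    flags = []
    if claimed == "pdf" and actual != "pdf":
        flags.append("named .pdf but content is %s" % actual)
    if claimed in ("doc", "docx") and actual not in ("doc", "docx", "docx+embedded"):
        flags.append("named .%s but content is %s" % (claimed, actual))
    if actual == "docx+embedded":
        flags.append("Word document carries an embedded object")
    if filename.count(".") > 1:
        flags.append("double extension")
    return {"file": filename, "claimed": claimed, "actual": actual, "flags": flags}


def triage_all(samples: dict) -> list:
    """Sorted names of the attachments that raised at least one flag."""
    return sorted(name for name, data in samples.items()
                  if triage_attachment(name, data)["flags"])


def build_docx(with_embedding: bool) -> bytes:
    """Construct a minimal OOXML document in memory (test fixture, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_embedding:
            z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


# Constructed sample attachments: the names and bytes are made up for this example.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    "resume.pdf": build_docx(with_embedding=True),        # Word document posing as a PDF
    "resume.pdf.docx": build_docx(with_embedding=True),   # double extension plus embedded object
    "minutes.docx": build_docx(with_embedding=False),     # ordinary Word document
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage_attachment(name, data))
    print("suspicious:", triage_all(SAMPLES))
```

Run on a mail gateway's quarantine, the interesting outputs are the two resume files: the content check catches the disguise regardless of the icon shown to the user, and the embeddings check surfaces the object a dropper needs to carry.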

Once the attachment is opened, a second component, KRIPTOVOR.Infostealer, runs. In the foreground it opens a decoy document, a résumé, to distract the victim, while the malware's real work proceeds undisturbed in the background.

The KRIPTOVOR ransomware walks every file on the victim's computer, but it is only interested in files with the following extensions.

[Image KRIPTOVOR1.3: targeted file extensions]

[Image KRIPTOVOR1.4: targeted file extensions, continued]

If none of these files are found, the malware contacts the remote server with an HTTP POST that includes the victim's name.

For encryption this ransomware uses LockBox 3, an open-source Delphi library, and hands both key generation and file encryption to it. Once the key pair has been generated, a copy of the private key is sent to the attacker by email and only the public key is kept on the victim's machine. The encryption run then starts, and when it completes the ransom note is displayed to the victim. Because the private key never stays on the host, disk or memory forensics on the victim will not recover it, and the public key alone cannot decrypt the files.
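After an infection like the one described above, the first thing a responder needs is an inventory: how many files were renamed with the .Just extension, what they were before, whether they are actually encrypted (high-entropy content) or merely renamed, and where the ransom note was dropped. The following is an added example written for this page, not code from the page's source or from the malware. It walks a directory tree and produces that inventory. The ransom-note filename is not given on the page, so the scan treats any small .txt/.html/.hta file sitting beside .just files as a candidate note; that rule, the entropy threshold and the sample tree it builds are assumptions constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".just"                    # extension the page reports for encrypted files
ENTROPY_FLOOR = 7.0                     # bits per byte; real ciphertext sits near 8.0
NOTE_EXTS = (".txt", ".html", ".hta")   # assumption: formats a dropped note might use


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, far lower for text or office files."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str) -> dict:
    """Walk root and summarise files that look like KRIPTOVOR output."""
    encrypted, low_entropy, notes = [], [], []
    by_ext = Counter()
    for dirpath, _, files in os.walk(root):
        hit = False
        for name in files:
            if not name.lower().endswith(RANSOM_EXT):
                continue
            hit = True
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(4096)
            # Strip the ransom extension to recover what the file was before renaming.
            orig_ext = os.path.splitext(name[:-len(RANSOM_EXT)])[1].lower()
            encrypted.append(path)
            by_ext[orig_ext] += 1
            if shannon_entropy(head) < ENTROPY_FLOOR:
                low_entropy.append(path)   # carries the extension but is not ciphertext
        if hit:
            # Only look for a note in directories that actually contain encrypted files.
            for name in files:
                path = os.path.join(dirpath, name)
                if name.lower().endswith(NOTE_EXTS) and os.path.getsize(path) < 8192:
                    notes.append(path)
    return {"encrypted_count": len(encrypted), "by_ext": by_ext,
            "low_entropy": low_entropy, "notes": notes}


def make_sample_tree() -> str:
    """Build a constructed victim directory; nothing here comes from a real infection."""
    root = tempfile.mkdtemp(prefix="kriptovor_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Encrypted-looking files: random bytes renamed with the .just extension.
    for name in ("budget.xlsx.just", "contract.docx.just", "wallet.dat.just"):
        with open(os.path.join(docs, name), "wb") as f:
            f.write(os.urandom(4096))
    # A file that carries the extension but is still plaintext.
    with open(os.path.join(docs, "notes.txt.just"), "wb") as f:
        f.write(b"meeting notes " * 200)
    # An untouched file and a constructed ransom note.
    with open(os.path.join(docs, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff" + os.urandom(100))
    with open(os.path.join(docs, "README.txt"), "w") as f:
        f.write("Your files have been encrypted. Contact the address below to pay.\n")
    return root


if __name__ == "__main__":
    report = scan_tree(make_sample_tree())
    print("encrypted files:", report["encrypted_count"])
    print("by original extension:", dict(report["by_ext"]))
    print("renamed but not encrypted:", report["low_entropy"])
    print("candidate ransom notes:", report["notes"])
```

The entropy check matters in practice: the page notes that the malware terminates itself when encryption fails, so a tree may contain files that were renamed before the run aborted; those low-entropy files are recoverable by simply restoring the original extension, while the high-entropy ones are not without the attacker's private key.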

The ransom note is translated to English in this*