The CrypVault ransomware (LovxCrypt variant) has made a big comeback in the past few weeks. CrypVault is an older ransomware family that uses GnuPG, an open-source implementation of the OpenPGP encryption standard, to encrypt files. Unlike most ransomware, it is not a compiled binary but a combination of scripts written in Windows batch, JavaScript and VBScript, which drive GnuPG to do the encryption. This week’s Threat Spotlight blog discusses the new variant, LovxCrypt, which we discovered being spammed via email with a fake “Resume” theme.
Watch our video to see how quickly this ransomware infects a machine, and how Cylance stops it cold:
VIDEO: CylancePROTECT vs. LovxCrypt Ransomware
Background and Timeline
CrypVault was first seen in April 2015, already using GnuPG for encryption; the new variant is named for the extension it appends to encrypted files, ‘.lovx’. It arrives as a fake resume, the same lure used by GoldenEye and other ransomware seen over the past year. Once the attachment is double-clicked, its embedded script contacts the command and control (C2) server and pulls down the payload, infecting endpoints even where antivirus (AV) protection is in place.
How is it Delivered? What Does it Do?
LovxCrypt is delivered through email phishing and typically slides past security controls undetected, because the attachment is a Microsoft Compiled HTML Help (CHM) file posing as a resume rather than an executable. CHM is a binary container format that bundles multiple HTML pages, together with their scripts and images, into a single file that Windows opens with the HTML Help viewer (hh.exe).
Because CHM content is HTML rendered by the same engine Internet Explorer uses, it can run JavaScript and VBScript, and those scripts can in turn launch other programs, including cmd.exe and PowerShell.
And because it runs outside the browser, the security zone settings and script restrictions a browser would normally apply are absent, along with the browser protections touted by many security vendors.
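The practical consequence of the last three paragraphs is a process tree that should never occur on a healthy workstation: the HTML Help viewer spawning a script host. The following detection logic is an added example written for this post (it is not Cylance's code and not part of the malware); it walks a few levels of parent-child relationships so that hh.exe -> cmd.exe -> powershell.exe is caught as well as a direct child. The telemetry lines it runs over are constructed, not captured from a real infection, and the field layout (tab-separated pid, parent pid, image path, command line) is an assumption that stands in for Sysmon Event ID 1 or EDR process-creation records.

```python
"""Flag script interpreters launched under the Windows HTML Help viewer (hh.exe).

Input is a list of process-creation records.  Each record is one tab-separated
line: pid, parent pid, image path, command line.  The records below are
constructed for the example; a real feed would be Sysmon Event ID 1 or EDR data.
"""
import ntpath
from dataclasses import dataclass

HELP_VIEWER = "hh.exe"
# Interpreters that CHM-embedded script can reach once it runs outside the browser.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
MAX_DEPTH = 3  # ancestors to walk; covers hh.exe -> cmd.exe -> powershell.exe


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_events(text):
    """Parse 'pid<TAB>ppid<TAB>image<TAB>cmdline' lines into ProcEvent records."""
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("\t", 3)
        events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def find_chm_script_launches(events):
    """Return (pid, hh_pid, interpreter, cmdline) for every script host whose
    ancestor chain, up to MAX_DEPTH levels, contains hh.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if image_name(e.image) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e.ppid)
        for _ in range(MAX_DEPTH):
            if parent is None:
                break
            if image_name(parent.image) == HELP_VIEWER:
                hits.append((e.pid, parent.pid, image_name(e.image), e.cmdline))
                break
            parent = by_pid.get(parent.ppid)
    return hits


# Constructed sample telemetry (not real captured data): one hh.exe that opens a
# "resume" CHM and spawns cmd.exe -> powershell.exe, one benign hh.exe with no
# children, and one cmd.exe started directly from Explorer.
SAMPLE_LOG = "\n".join([
    "100\t4\tC:\\Windows\\explorer.exe\texplorer.exe",
    "200\t100\tC:\\Windows\\hh.exe\t\"C:\\Windows\\hh.exe\" C:\\Users\\bob\\Downloads\\resume.chm",
    "300\t200\tC:\\Windows\\System32\\cmd.exe\tcmd.exe /c powershell.exe -WindowStyle Hidden -File C:\\Users\\bob\\AppData\\Local\\Temp\\stage2.ps1",
    "400\t300\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -WindowStyle Hidden -File C:\\Users\\bob\\AppData\\Local\\Temp\\stage2.ps1",
    "500\t100\tC:\\Windows\\hh.exe\t\"C:\\Windows\\hh.exe\" C:\\Program Files\\SomeApp\\help.chm",
    "600\t100\tC:\\Windows\\System32\\cmd.exe\tcmd.exe",
])

if __name__ == "__main__":
    for pid, hh_pid, interp, cmdline in find_chm_script_launches(parse_events(SAMPLE_LOG)):
        print("ALERT hh.exe(pid %d) -> %s(pid %d): %s" % (hh_pid, interp, pid, cmdline))
```

Running the block on the sample flags pids 300 and 400 (both under hh.exe pid 200) and stays silent on the benign help viewer and the Explorer-launched shell. In production the same rule should be paired with a check on where the CHM was opened from (Downloads, Temp, Outlook attachment cache), since legitimate help files live under Program Files.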
LovxCrypt Variant in Action
This is a net-new iteration: the MD5 hash of the CHM file is unknown to reputation services, and the user never sees the second-stage payload it downloads, in this case from a server in Romania. Looking up the hash of the attachment therefore does not help.
Because it opens a decoy Word document to cover what it is doing in the background, users may not notice that the malware is encrypting their files until it is too late. The files are encrypted with GnuPG’s standard strong encryption, so even professional remediation tools cannot undo it without the decryption key.
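Because the attachment hash and the threat-intel lookups come up empty, the artifacts worth triaging on a suspect host are the ‘.lovx’ files themselves. The following added example (written for this post; not Cylance’s code and not the malware’s) parses the first OpenPGP packet of a file the way GnuPG writes binary output (RFC 4880 header layout) and reports whether it is a public-key-encrypted session-key packet, which public-key algorithm was used, and the 8-byte key ID of the key that would be needed to decrypt it. That the ‘.lovx’ output is plain GnuPG binary output is an assumption; this page only says GnuPG was used. The sample bytes are constructed, not taken from a victim file.

```python
"""Triage a suspected GnuPG-encrypted ransom file by parsing its first OpenPGP packet.

Assumes (not confirmed by the source post) that the encrypted file is ordinary
GnuPG binary output, i.e. it starts with a Public-Key Encrypted Session Key
packet (RFC 4880 section 5.1).  The sample below is constructed, not real data.
"""

LOVX_EXT = ".lovx"
ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
PKESK, SKESK = 1, 3  # RFC 4880 packet tags: public-key / symmetric-key encrypted session key
PUBKEY_ALGOS = {1: "RSA", 2: "RSA-encrypt-only", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA"}


def parse_packet_header(data):
    """Return (tag, body_offset, body_len) for the first OpenPGP packet, or None
    if the bytes do not start with a packet header we can bound."""
    if len(data) < 2 or (data[0] & 0x80) == 0:
        return None  # bit 7 is always set on a packet header
    b0 = data[0]
    if b0 & 0x40:  # new-format header: tag in the low six bits
        tag = b0 & 0x3F
        l1 = data[1]
        if l1 < 192:
            return tag, 2, l1
        if l1 < 224 and len(data) >= 3:
            return tag, 3, ((l1 - 192) << 8) + data[2] + 192
        if l1 == 255 and len(data) >= 6:
            return tag, 6, int.from_bytes(data[2:6], "big")
        return None  # partial-body length; not expected for a session-key packet
    tag = (b0 >> 2) & 0x0F  # old-format header: tag in bits 2..5, length type in bits 0..1
    ltype = b0 & 0x03
    if ltype == 3:
        return None  # indeterminate length
    nbytes = (1, 2, 4)[ltype]
    if len(data) < 1 + nbytes:
        return None
    return tag, 1 + nbytes, int.from_bytes(data[1:1 + nbytes], "big")


def triage(filename, data):
    """Summarise what a suspect file looks like: extension, armor, packet type,
    and for a PKESK packet the recipient key ID and public-key algorithm."""
    result = {
        "extension_match": filename.lower().endswith(LOVX_EXT),
        "armored": data.startswith(ARMOR_HEADER),
        "packet": None,
        "key_id": None,
        "algorithm": None,
    }
    hdr = parse_packet_header(data)
    if hdr is None:
        return result
    tag, off, length = hdr
    body = data[off:off + length]
    result["packet"] = {PKESK: "PKESK", SKESK: "SKESK"}.get(tag, "tag%d" % tag)
    # PKESK body: version (3), 8-byte key ID, public-key algorithm, then the encrypted MPI(s).
    if tag == PKESK and len(body) >= 10 and body[0] == 3:
        result["key_id"] = body[1:9].hex().upper()
        result["algorithm"] = PUBKEY_ALGOS.get(body[9], "algo%d" % body[9])
    return result


def constructed_sample():
    """A synthetic PKESK packet as GnuPG would emit for an RSA-2048 recipient.
    The key ID and MPI contents are placeholders, not a real key."""
    key_id = bytes.fromhex("0123456789ABCDEF")
    mpi = (2048).to_bytes(2, "big") + b"\x00" * 256  # bit count + 256-byte placeholder
    body = b"\x03" + key_id + b"\x01" + mpi  # version 3, key ID, algorithm 1 (RSA)
    header = bytes([0x85]) + len(body).to_bytes(2, "big")  # old format, tag 1, 2-byte length
    return header + body


if __name__ == "__main__":
    print(triage("photo.jpg.lovx", constructed_sample()))
```

The key ID is the useful output for incident response: every encrypted file on the host should carry the same one, and it identifies the single key that any recovery effort would need. A file carrying the ‘.lovx’ extension but no packet header at all is worth a second look, since it means the sample deviates from the assumption above.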
Does Cylance Block it?
LovxCrypt ransomware is a new take on an ongoing trend. Signature-based AV products only learn of an infection after the fact, and in this case threat intelligence lookups have also come up empty. This means that AV and endpoint detection and response (EDR) tools that rely on known indicators are blind to this nasty piece of ransomware.
However, Cylance wields the power of artificial intelligence-based, predictive prevention: our endpoint protection product CylancePROTECT® detects and instantly blocks the malicious files pre-execution, before the downloaded executable has a chance to run.