Posted by: Robert Westervelt
Ramvicrype Trojan, ransomware
The Trojan horse doesn't ask for money directly; instead it steers victims toward paid software that claims to remove the malware's file extension, according to Symantec Security Response
Symantec has posted an interesting blog entry about a new ransomware Trojan with a twist. Instead of demanding cash to unlock the files, the Ramvicrype Trojan encrypts files on the victim's computer and then relies on a search engine to send victims seeking help to a website where they can buy software that supposedly fixes the problem and decrypts the files. Older ransomware simply pushed the victim to buy the decryption keys outright.
Symantec virus researcher Shunichi Imano said in the blog entry that Ramvicrype victims will see some files on their computer with a "vicrypt" extension.
Entering the term ‘vicrypt’ into a search engine leads us to a company offering a fix, which of course is a charged service. So, there was a reason for that file extension after all.
The security vendor has developed a Symantec Ramvicrype removal tool that victims can use to decrypt the files.
Ransomware is not new; in fact, security expert Mike Chapple points out that it could be over a decade old. In an expert tip on what to do if you're infected with ransomware, Chapple says you can reimage the drive and/or restore from backup, but check the Internet for the keys first: in many cases, Chapple says, others have already been infected and security researchers have likely made the keys available.
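The two practical points above, the "vicrypt" extension as the indicator of an encrypted file and restore-from-backup as the recovery path, can be turned into a small triage script. The following is an added example written for this page, not code from Symantec or from the Ramvicrype analysis: it walks a directory tree, lists every file carrying the indicator extension, and checks whether a clean copy of each one exists in a backup tree, so an incident responder can see which files a restore will recover and which will need the decryption keys. It assumes the malware appends ".vicrypt" to the original file name (the blog entry only says the extension appears; the exact renaming is an assumption), and the victim and backup trees it runs on are constructed in a temporary directory as sample data.

```python
import tempfile
from pathlib import Path

# Indicator reported by Symantec: encrypted files carry a "vicrypt" extension.
ENCRYPTED_SUFFIX = ".vicrypt"


def find_encrypted(root):
    """Return every regular file under root whose name ends with the indicator suffix."""
    root = Path(root)
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.name.lower().endswith(ENCRYPTED_SUFFIX)
    )


def original_name(encrypted_path):
    """Strip the suffix to recover the pre-encryption name.

    Assumption (not stated on the page): the malware appends ".vicrypt"
    to the original name, e.g. report.docx -> report.docx.vicrypt.
    """
    return encrypted_path.with_name(encrypted_path.name[: -len(ENCRYPTED_SUFFIX)])


def triage(root, backup_root):
    """Map each encrypted file to the backup copy that would replace it.

    Returns a dict with two lists of POSIX-style relative paths:
    'restorable'     - (victim path, backup path) pairs where a clean copy exists
    'missing_backup' - encrypted files with no backup copy (need the keys instead)
    """
    root, backup_root = Path(root), Path(backup_root)
    report = {"restorable": [], "missing_backup": []}
    for enc in find_encrypted(root):
        rel = original_name(enc).relative_to(root)
        candidate = backup_root / rel
        if candidate.is_file():
            report["restorable"].append((rel.as_posix(), candidate.as_posix()))
        else:
            report["missing_backup"].append(rel.as_posix())
    return report


def build_sample(base):
    """Constructed sample data: a victim tree with two encrypted files and one
    untouched file, plus a backup tree that holds a clean copy of only one of them."""
    victim = Path(base) / "victim"
    backup = Path(base) / "backup"
    (victim / "docs").mkdir(parents=True)
    (victim / "docs" / "report.docx.vicrypt").write_bytes(b"\x00\x01ciphertext")
    (victim / "docs" / "budget.xlsx.vicrypt").write_bytes(b"\x00\x02ciphertext")
    (victim / "notes.txt").write_bytes(b"untouched plaintext")
    (backup / "docs").mkdir(parents=True)
    (backup / "docs" / "report.docx").write_bytes(b"clean copy of the report")
    return victim, backup


def demo():
    """Run the triage over the constructed sample and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        victim, backup = build_sample(tmp)
        return triage(victim, backup)


if __name__ == "__main__":
    result = demo()
    for rel, src in result["restorable"]:
        print(f"restore  {rel}  <-  {src}")
    for rel in result["missing_backup"]:
        print(f"no backup for {rel}; keep the encrypted copy until keys are available")
```

Run as a script it prints one line per encrypted file. Files with no backup copy are deliberately left in place rather than deleted: if the keys later turn up, as Chapple notes they often do, the ciphertext is still needed to recover the data.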
Whether ransomware affects your organization directly or not, use your peers' painful experiences to learn a lesson: install current antivirus software on all enterprise systems (especially the CEO's laptop!), run regular backups, and check firewall configurations.