Some of the more modern types of Bitcoin ransomware pose a significant threat to computer users to this very day. Crypvault is in the top three on that list, as this kind of malware includes some new routines that make life even harder for infected users. In fact, this is the first type of ransomware to include an antivirus toolkit preventing users from accessing files.
Also read: How to stay anonymous when using Bitcoins
Crypvault Quarantines Computer Files After Encryption
Any type of Bitcoin ransomware is annoying enough to deal with because it encrypts necessary file extensions on the computer. Not only are these files inaccessible to the end user, but most types of malware will also prevent users to restore files from a backup, as they affect shadow volumes in the file system.
Crypvault is proving to be quite an annoying type of Bitcoin ransomware in that regard. This malware encrypts files by appending a “.VAULT” extension to the data, but it also includes an antivirus service that keeps these files quarantined for a period of time. Unlike traditional antivirus solutions, which ensure ransomware infections cannot occur in the first place, this version is making life even more difficult for the computer owner.
As soon as these files are downloaded on the computer, Crypvault will execute the ransomware and save the downloaded files in the %USER TEMP% folder on the computer. Most of the existing antivirus software solutions will not flag these downloaded items as malicious, although updated versions of AVG and other tools should be able to detect it.
Encrypting the files is just the first step along the way, as Crypvault will generate a ransom note once the file is opened. Similar to most other types of Bitcoin ransomware, Crypvault will redirect users to a Tor-hosted website where they can make the Bitcoin payment. Restoring files from a backup is made all but impossible thanks to sDelete, which is downloaded as part of the malware infection.
To make matters even worse, Crypvault is also capable of stealing usernames and passwords stored in the browser. This dump of passwords will be uploaded to the Crypvault C&C server. It remains unknown as to how these passwords are used in the future, although it is not hard to guess why assailants would be interesting in this information.