There's a whole new wave of ransomware being unleashed on the Internet, and this new breed of malicious software is being launched by individuals who don't necessarily even possess the knowledge themselves to develop such criminal software. We are now in the age of Malware as a Service, and malware creation kits are being supplied to anyone who can pay for them, and wants to use them for their own profit.
One of the newest examples of this type is called DynA-Crypt, and it appears to have been launched by someone who lacks both knowledge and scruples, locking victims' computers for ransom, and indiscriminately deleting critical files in the process, with no hope of recovery. This new ransomware was recently identified by malware analyst Karsten Hahn, who discovered that it steals information from a computer using PowerShell scripts and a whole arsenal of standalone executables. Ultimately, it encrypts critical data, steals passwords and contact information, and leaves a computer system in a shambles by deleting files.
How DynA-Crypt works
While running on a computer, DynA-Crypt steals data from many of the programs installed on a given machine, records keystroke commands and system sounds, and takes screenshots of the Desktop. Some of the programs from which this malware steals information include Chrome, Firefox, Skype, Steam, Thunderbird, and TeamSpeak, packaging up all this stolen information in a zip file and emailing it back to the originator.
Having stolen information from these program folders and many others, it then deletes some of those same folders, as well as Shadow Volume Copies, so that recovery becomes impossible. For good measure, it also deletes the entire Desktop, even though nothing is generally stolen from those Desktop folders. It then leaves a message for the user, which details the terms of the ransom, and what to do in order to have system information decrypted.
The DynA-Crypt ransomware core
The code which carries out the ransomware action in DynA-Crypt is centered around a PowerShell script, which uses the AES encryption algorithm to encrypt files on the hard drive. The program scans for these specific file extensions:
.jpg, .jpeg, .docx, .doc, .xlsx, .xls, .ppt, .pdf, .mp4, .mp3, .mov, .mkv, .png, .pst, .odt, .avi, .pptx, .msg, .rar, .mdb, .zip, .m4a, .csv, .001
It then appends a .crypt file extension to the filename so that it becomes unusable, after which it deletes all the original files, as well as backups. What this means is that even if you were to pay the ransom, you'd find your machine damaged and many of your important files completely removed and unrecoverable.
Fortunately, the ransomware part of the malware can be decrypted fairly easily, so no one should ever pay the ransom, especially in light of the fact that your machine will have been compromised anyway. For people whose machines become infected with this new malware program, there is a decryptor available from online sources, or from your own security consultant, which can at least relieve the encryption portion of damage done.
- There is NO excuse NOT to backup you files using cloud service or to a local backup.
- Don’t count on Anti-Virus and Firewalls to protect you – they won’