Bitcoin Ransomware Education – Kriptovor

Whenever a Bitcoin ransomware combined with an information stealer pops up on the radar of security experts, things are becoming ugly pretty fast. Kriptovor definitely belongs in this category, as this type of malware is looking to collect a lot of financial information Russian businesses. But they are not the only victims, as any company dealing with Russian clients is on the hit list as well.

Kriptovor Is A Modular Form of Bitcoin Ransomware

TheMerkle_Kriptovor Bitcoin Ransomware

Bitcoin ransomware on its own is scary enough, but when the developer has the option to add more functionality and versatility over time, things are looking very dire for whoever is infected with Kriptovor. This modular approach had never been tested before, and this ransomware has gone through several iterations throughout the months it has been active.

Kriptovor originally started out as a malware intended to steal digital currency wallets. For example, Bitcoin users who store their coins on a computer have a “wallet”, which is saved in the form of a file in the computer system. What Kriptovor does is look for this file and its extension specifically, allowing hackers to steal bitcoins and other forms of digital currency without the user even noticing the theft.

As is the case with most forms of ransomware and malware, they are rather difficult to detect for antivirus solutions. Kriptovor is no exception in this regard, as it used evasive techniques and even cleaned up after itself when the damage had been inflicted on the computer.Moreover, this malware would try and determine the location of the user, indicating this infection was intended to affect specific regions, namely Russia.

Similar to just about every other Bitcoin ransomware to ever be created, Kriptovor spreads through infected email attachments This Word or PDF document contains a binary file, which gives the attached malware the green light to start performing its malicious tasks. Information is being logged and stolen, and files are encrypted shortly after.

What makes this particular malware so intriguing is how it immediately detects whether or not the computer is connected to the Internet. If this is not the case, Kriptovor will automatically uninstall itself from the host device and erase any traces. Moreover, the infected email attachment will be removed from the computer as well.

Once the encryption process of Kriptovor has taken place, the Bitcoin ransomware will also prevent the computer from going into standby mode. All shadow copies present on the computer is removed as well, preventing users from restoring file access with a backup. Last but not least, a ransom note is generated with instructions on how to proceed with the payment. Every infection was subject to a specific deadline to get in touch with the Kriptovor creator, as requests after that hard deadline date would be ignored.

Source: FireaEye

Images credit 1.2

If you liked this article follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news