Jason Stitt - Fotolia
What threat does the CrypVault ransomware attack pose?
While not very sophisticated, the CrypVault ransomware still poses a major enterprise threat. Expert Nick Lewis explains.
A new variant of ransomware is using the .vault extension to give the appearance that it's already been quarantined by an antimalware program. While worrisome, I've heard it isn't advanced. How does this malware work, and what threat does it pose?
While the new CrypVault malware is not overly sophisticated, it demonstrates how an attacker with modest resources can create an effective ransomware attack. It assembles the entire attack from scripts and command-line utilities: batch scripts edit the registry and pull all the steps together, GnuPG handles the file encryption, and SDelete securely deletes the config files. The files encrypted with GnuPG are saved with a .vault extension to further hide the files.
Renaming a file extension helps a ransomware attack bypass simple blacklists and makes it more difficult for users to understand what happened to the files, but it is not sufficient to bypass current antimalware tools. If a security tool your enterprise relies on misses an infection because the malware file names do not match, you should quickly find a better tool to use.
The threat CrypVault poses to enterprises is the same as that of any other malware: it can execute on an endpoint and destroy files or cause other havoc. It also seems to specifically target Russian users, which limits the population the ransomware can successfully extort.
Enterprises should have standard antimalware security controls in place to prevent and defend against malware like CrypVault, and should also ensure steps are taken to protect against other ransomware attacks, such as keeping good backups at all times.
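One way to detect the behavior described above without relying on file names alone, as an added example that is not part of the original article: it flags a host only when GnuPG execution, SDelete execution and a burst of new .vault files occur together. The event format, host names, thresholds and the matching on the image names gpg.exe and sdelete.exe are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (host, ISO time, kind, detail). Not real telemetry.
SAMPLE = [
    ("ws-01", "2020-01-01T10:00:00", "proc", "cmd.exe /c step.bat"),
    ("ws-01", "2020-01-01T10:00:05", "proc", "gpg.exe --batch -r key -e report.xls"),
    ("ws-01", "2020-01-01T10:00:06", "file", r"C:\Users\a\report.xls.vault"),
    ("ws-01", "2020-01-01T10:00:09", "file", r"C:\Users\a\plan.doc.vault"),
    ("ws-01", "2020-01-01T10:00:12", "file", r"C:\Users\a\scan.pdf.vault"),
    ("ws-01", "2020-01-01T10:01:00", "proc", "sdelete.exe conf.tmp"),
    # Benign: an admin runs both tools, but no .vault files appear.
    ("ws-02", "2020-01-01T11:00:00", "proc", "gpg.exe -e notes.txt"),
    ("ws-02", "2020-01-01T11:05:00", "proc", "sdelete.exe old.log"),
    # Benign: a single file that happens to end in .vault.
    ("ws-03", "2020-01-01T12:00:00", "file", r"D:\apps\pw.vault"),
]

def classify(kind, detail):
    """Map one event to a signal name, or None if it is not of interest."""
    d = detail.lower()
    if kind == "proc":
        # Assumption: binaries keep their usual image names and the path has
        # no spaces; renamed copies need hash or version-metadata matching.
        exe = (d.split() or [""])[0].rsplit("\\", 1)[-1]
        if exe in ("gpg.exe", "gpg2.exe"):
            return "encrypt"
        if exe in ("sdelete.exe", "sdelete64.exe"):
            return "wipe"
    if kind == "file" and d.endswith(".vault"):
        return "vault"
    return None

def detect(events, window=timedelta(minutes=10), min_vault=3):
    """Return hosts where all three signals fall inside one time window."""
    by_host = defaultdict(list)
    for host, ts, kind, detail in events:
        sig = classify(kind, detail)
        if sig:
            by_host[host].append((datetime.fromisoformat(ts), sig))
    flagged = []
    for host, sigs in sorted(by_host.items()):
        sigs.sort()
        for start, _ in sigs:
            seen = [s for t, s in sigs if start <= t <= start + window]
            if {"encrypt", "wipe"} <= set(seen) and seen.count("vault") >= min_vault:
                flagged.append(host)
                break
    return flagged
```

Requiring the combination keeps legitimate GnuPG or SDelete use, and unrelated files named .vault, from alerting on their own.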