Cylance vs. LovxCrypt Ransomware

The CrypVault ransomware (LovxCrypt variant) has made a big comeback in the past few weeks. CrypVault is an older ransomware family that uses GnuPG, an open-source PGP encryption tool, to encrypt files. Unlike most ransomware, it is simply a combination of scripts written in languages such as Windows batch, JavaScript and VBScript. This week’s Threat Spotlight blog discusses the new LovxCrypt variant, which we discovered being spammed via email with a fake “Resume” theme.

Watch our video to see how quickly this ransomware infects a machine, and how Cylance stops it cold:

VIDEO: CylancePROTECT vs. LovxCrypt Ransomware 

Background and Timeline

CrypVault was first seen in April 2015, already using GnuPG open-source encryption; the new variant is known by the extension it places on encrypted files – ‘.lovx’. It is sent as a fake resume, similar to GoldenEye and other ransomware seen over the past year. Once the file is double-clicked, the command-and-control (C2) server infects the endpoint – even one with antivirus (AV) protection in place.

How is it Delivered? What Does it Do?

The LovxCrypt malware is delivered through email phishing and typically slides past security undetected, since the attachment masquerades as a Microsoft Compiled HTML Help (CHM) file. This format bundles multiple HTML files together and deploys them in a single binary container.

Since a CHM file is essentially HTML, it can run JavaScript, VBScript and PowerShell.

And because it runs outside the browser, the security settings and restrictions normally applied to those scripts are absent – along with the browser protection touted by many security vendors.
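Two defender-side checks follow directly from the delivery and encryption details above: a mail gateway should recognise a CHM container by its content rather than by the filename it arrives under, and an endpoint monitor should notice a burst of files being renamed to the ‘.lovx’ extension. The script below is an added example, not Cylance’s code or anything from the original post. The four-byte `ITSF` signature at offset 0 is the real CHM container header; the double-extension list, the rename-event tuple format, the 60-second window and the 20-rename threshold are assumptions chosen for illustration, and all sample attachments and events are constructed.

```python
"""Added example (not from the original post): content-based CHM triage for mail
attachments and a burst detector for '.lovx' renames. Thresholds are assumptions."""
from collections import defaultdict
from typing import Dict, List, Tuple

CHM_MAGIC = b"ITSF"          # signature at offset 0 of every Compiled HTML Help (CHM) file
LOVX_EXT = ".lovx"           # extension the blog reports the LovxCrypt variant appends
MASQUERADE_EXTS = {"pdf", "doc", "docx", "txt"}  # assumption: document types used as decoys
BURST_WINDOW_S = 60          # assumption: sliding window for counting .lovx renames
BURST_THRESHOLD = 20         # assumption: renames inside the window that trigger an alert


def is_chm(data: bytes) -> bool:
    """True if the blob carries the CHM container signature, whatever its name says."""
    return data[:4] == CHM_MAGIC


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return reasons to hold an attachment for review (empty list means no finding).

    Checks are content-based so a CHM renamed to look like a resume is still caught.
    """
    reasons: List[str] = []
    lower = filename.lower()
    if is_chm(data):
        reasons.append("chm-container")
        if not lower.endswith(".chm"):
            reasons.append("extension-mismatch")   # CHM bytes behind a non-.chm name
    # "resume.pdf.chm" style names: a decoy document extension before the real one
    parts = lower.rsplit(".", 2)
    if len(parts) == 3 and parts[1] in MASQUERADE_EXTS:
        reasons.append("double-extension")
    return reasons


def lovx_bursts(events: List[Tuple[float, str, str]]) -> Dict[str, int]:
    """Per process, find the peak number of renames to .lovx within BURST_WINDOW_S.

    events: (timestamp_seconds, process_name, new_path); format is an assumption.
    Returns {process: peak_count} for processes that reached BURST_THRESHOLD.
    """
    per_proc: Dict[str, List[float]] = defaultdict(list)
    for ts, proc, new_path in events:
        if new_path.lower().endswith(LOVX_EXT):
            per_proc[proc].append(ts)
    alerts: Dict[str, int] = {}
    for proc, stamps in per_proc.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > BURST_WINDOW_S:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BURST_THRESHOLD:
            alerts[proc] = peak
    return alerts


# Constructed sample attachments: name -> first bytes of the file
SAMPLE_ATTACHMENTS = {
    "Resume.chm": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 24,
    "Resume.pdf.chm": CHM_MAGIC + b"\x00" * 28,
    "Resume.pdf": b"%PDF-1.4\n" + b"\x00" * 23,
    "Resume.doc": CHM_MAGIC + b"\x00" * 28,      # CHM bytes hiding behind a .doc name
}

# Constructed rename events: one scripted process renames 25 documents in 25 seconds,
# a user process touches a single file, and one rename is unrelated to .lovx.
SAMPLE_EVENTS: List[Tuple[float, str, str]] = (
    [(100.0 + i, "cmd.exe", f"C:\\Users\\alice\\Documents\\file{i}.docx{LOVX_EXT}")
     for i in range(25)]
    + [(500.0, "explorer.exe", f"C:\\Users\\alice\\Desktop\\notes.txt{LOVX_EXT}")]
    + [(130.0, "cmd.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\work.tmp")]
)


if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS.items():
        print(f"{name:16} -> {triage_attachment(name, blob) or 'clean'}")
    print("burst alerts:", lovx_bursts(SAMPLE_EVENTS))
```

The attachment check deliberately ignores what the file claims to be: `Resume.doc` is flagged because its bytes start with the CHM signature, while a genuine PDF passes. The burst detector keys on the process doing the renaming, so a single user-initiated rename to ‘.lovx’ does not alert but a script chewing through a Documents folder does; tune the window and threshold to the file churn normal for your environment.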

LovxCrypt Variant in Action

This is a net-new iteration that cannot be matched by the MD5 hash of the CHM file. The user won’t see the payload being downloaded – in this (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by The Cylance Team. Read the original post at: