Blog

GetCrypt ransomware analysis – TEMASOFT Labs

Ransomware test subject – GetCrypt

GetCrypt is a recently released ransomware, distributed using malware campaigns, which redirect users to the RIG exploit kit, finally detonating the payload, the ransomware itself. It attacks vulnerable Windows PCs set to any language, except Russian, Ukrainian and a few others, probably pointing to its origins while doing so.

GetCrypt ransomware – test findings

The attack starts by tricking the user into clicking on links which point to the exploit kit. This is a software combo, which tries to find several vulnerabilities in the system. Once it finds some, it will try to exploit them, in order to gain different privileges on the system, like execution rights. If successful, it will download and execute a malicious payload, in this case, the ransomware.

The ransomware, once executed, it will first try to contact some IP addresses, then scan some machine particularities to build a machine-specific extension, which it will append to the encrypted files. It will also delete shadow volume copies of the files, which are backups done by the operating system if the feature is activated. It will not try to bypass the User Account Control, as you can see in the video as well.

Once encryption begins, it will encrypt any file, regardless of their extension. However, it will avoid some critical system folders, like the Windows folder.

Usually, ransomware will not limit encryption to local drives and will try to encrypt network shares as well.  Accessible network shares, that is. But GetCrypt goes a little further, it will also try to bruteforce these shares if the OS stored credentials prove to be insufficient. This method is rarely seen in the ransomware world, very few of them bundle lists of usernames and passwords to hack into other systems this way.

Once everything is encrypted, it will change the desktop wallpaper with a partial ransom note (still an image of course) and drop ransom notes in text files in a few attacked folders, like the Desktop. The ransom note instructs the victim how to recover the files… by paying.

As always, we will never recommend contacting these cybercriminals in any way.

GetCrypt ransomware vs Ranstop – test results

TEMASOFT Ranstop detects this version of GetCrypt ransomware soon after it starts encrypting files. Upon detection, alerts are triggered, and the malware process is blocked and quarantined. The affected files are automatically recovered so that the user doesn’t lose any critical document.


Click here to watch TEMASOFT Ranstop blocking GetCrypt ransomware (video)!

Learn how to protect against ransomware!

About TEMASOFT Ranstop

TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.

For more information, follow us on social media and subscribe to our newsletter.


 
 

This post was last modified on August 21, 2023 7:26 am

FM Team

Share
Published by
FM Team

Recent Posts

The Role of File Monitoring Solutions in Maintaining File Integrity

In the digital world, information is often stored and transferred through files. From the most…

May 12, 2023

Guide to Conducting an Efficient File Access Permissions Audit for Admins and Technology Managers

Introduction Data security is more important than ever in today's fast-paced digital world. One critical…

April 9, 2023

File Integrity Monitoring: What It Is and Why It Matters

Introduction: Cyber threats are a growing concern for businesses and individuals alike. With the increasing…

March 5, 2023

Monitoring Essential Microsoft IIS Server Configuration Files for Enhanced Security

Microsoft Internet Information Services (IIS) is a popular web server that is widely used to…

February 25, 2023

Tracking file changes helps admins solve server configuration problems

File tracking is an important aspect of server administration, and it can help administrators detect…

February 1, 2023

Three reasons why admins should use file monitoring solutions

File monitoring solutions are essential tools for administrators to manage and protect their organizations' data…

January 6, 2023