Ransomware Steals and Deletes your Data

March 31, 2017

For the past few years, our team and IT teams everywhere have learned to deal with the ransomware epidemic. Prevention was always preferred, but when disaster struck, rock-solid backups turned the whole event into something that could be dealt with.

One of the newer strains of ransomware on the market is a nightmare for organizations and their data. DynA-Crypt is one of the first major ransomware strains confirmed to exfiltrate (steal) data. It does most of the typical ransomware damage, but increases the impact dramatically by stealing data first and then deleting and encrypting data on its way out.

Once DynA-Crypt has infected a computer, it goes to work hunting down files with specific extensions and encrypting them where they sit, using AES encryption. It appends the .crypt extension to each affected filename, and then deletes the Volume Shadow Copies so that you cannot recover earlier versions from them. The extensions it looks for are:

.jpg | .doc | .docx | .xls | .xlsx | .ppt | .pptx | .pdf | .mp4 | .mp3 | .mov | .mkv | .png | .pst | .odt | .avi | .msg | .rar | .mdb | .zip | .m4a | .csv | .001

A DynA-Crypt Infection Means a Full-Blown Data Breach

While running, DynA-Crypt will take screenshots of your active desktop, record system sounds from your computer, log commands you type on the keyboard, and steal data from numerous installed programs like Skype, Chrome, Minecraft and many others.

It takes all the data it can find, puts it in a folder called %LocalAppData%\dyna\loot\, zips it, and emails it to the attacker.  Then, perhaps worst of all, it deletes most of the folders it stole data from (but not all of them).  There’s no benefit to the attacker whatsoever, it’s simply malicious.
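The two behaviors described above (files renamed with a .crypt extension, and a staging folder under %LocalAppData%\dyna\loot\) are the indicators a responder would check for first. The following triage script is an added example and is not code from the original post or from the malware analysis; it assumes you point it at a user's document tree and at that user's local AppData directory, and the sample files it builds under a temporary directory are constructed for demonstration, not taken from a real infection.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# File extensions the article says DynA-Crypt hunts for.
TARGET_EXTENSIONS = {
    ".jpg", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".mp4", ".mp3", ".mov", ".mkv", ".png", ".pst", ".odt", ".avi",
    ".msg", ".rar", ".mdb", ".zip", ".m4a", ".csv", ".001",
}
ENCRYPTED_SUFFIX = ".crypt"            # appended to every encrypted file
LOOT_RELATIVE = Path("dyna") / "loot"  # staging folder under %LocalAppData%


def original_extension(path):
    """'report.docx.crypt' -> '.docx'; 'readme.crypt' -> '' (nothing recoverable)."""
    return Path(Path(path).stem).suffix.lower()


def scan_for_dynacrypt(root, local_appdata):
    """Walk `root` for files renamed with .crypt and check for the loot folder.

    Returns the encrypted files (relative POSIX paths), a count per recovered
    original extension, and whether the exfiltration staging folder exists.
    """
    root = Path(root)
    encrypted = []
    by_extension = Counter()
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() == ENCRYPTED_SUFFIX:
            encrypted.append(path.relative_to(root).as_posix())
            # Only tally extensions on the known target list; a bare
            # "name.crypt" is still reported but not attributed to a file type.
            ext = original_extension(path)
            if ext in TARGET_EXTENSIONS:
                by_extension[ext] += 1
    loot_present = (Path(local_appdata) / LOOT_RELATIVE).is_dir()
    return {
        "encrypted": sorted(encrypted),
        "by_extension": dict(by_extension),
        "loot_folder_present": loot_present,
    }


def assess(result):
    """Turn the raw indicators into a triage verdict string."""
    if result["loot_folder_present"] and result["encrypted"]:
        return "encryption and exfiltration staging found: treat as a data breach"
    if result["loot_folder_present"]:
        return "exfiltration staging folder found: treat as a data breach"
    if result["encrypted"]:
        return "encrypted files found: check for data theft before restoring"
    return "no DynA-Crypt indicators found"


def build_sample_tree(base):
    """Constructed sample data (not a real infection) used for the demo."""
    base = Path(base)
    for rel in [
        "docs/report.docx.crypt",         # encrypted Word document
        "docs/photos/vacation.jpg.crypt", # encrypted image in a subfolder
        "docs/backup.001.crypt",          # encrypted split archive
        "docs/readme.crypt",              # .crypt but original extension unknown
        "docs/notes.txt",                 # .txt is not on the target list
        "appdata/dyna/loot/loot.zip",     # the zipped staging folder
    ]:
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample content\n")


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan_for_dynacrypt(os.path.join(tmp, "docs"),
                                    os.path.join(tmp, "appdata"))
    result["verdict"] = assess(result)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real endpoint you would call scan_for_dynacrypt with the user's profile folder and the value of %LocalAppData% rather than the constructed tree. The verdict deliberately refuses to call an infection "just ransomware" when the loot folder is present: the point of the article is that the presence of that folder changes the incident from a restore-from-backup exercise into a breach investigation.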

The Small Silver Lining

The good news is that DynA-Crypt is relatively unsophisticated malware. It is poorly written, nonsensical in its execution, unnecessarily cruel, and thankfully easy to decrypt. Security researchers have already broken it down and released a decryptor, so you should not pay the ransom demanded.

The Serious Take Away

This signals a shift in the nature of ransomware. In the past, bad actors were content to simply lock up your data and demand payment to decrypt it. Stealing the data first elevates the impact significantly: a data breach may require customer and vendor notifications and can carry legal ramifications. Let this stand as a sober reminder of the importance of effective detection and prevention. You must stop these attacks before the breach occurs, because once the data has left your network, restoring from backup no longer undoes the damage.

What you can do

To make sure you don't fall victim to this new type of ransomware, or to any of the other types which have been increasing in frequency, we have a few basic suggestions. Confirm any large request that arrives by email with a phone call to the person who supposedly sent it. Many times, the sender's email address will be off by one letter and can easily be mistaken for your COO's address. These requests could be for accounting transfers or account numbers, employee personal information, or sensitive company information. Don't click on any links or open any attachments you are not confident about, especially if they were sent by someone you have not been in contact with before.
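The "off by one letter" sender address mentioned above is something a mail gateway or a help-desk script can check mechanically rather than leaving it to each reader's eye. The code below is an added example, not something from the original post or from any particular mail product; it assumes your organization's domain is example.com (a placeholder), that anything within two single-character edits of a trusted domain is suspicious, and the sample sender addresses are constructed for the demonstration.

```python
def levenshtein(a, b):
    """Edit distance (insert, delete, substitute), iterative two-row version."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def sender_domain(address):
    """Return the lowercased domain of an e-mail address, or '' if malformed."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return ""
    return address.rsplit("@", 1)[1]


def check_sender(address, trusted_domains, max_distance=2):
    """Classify a sender as 'trusted', 'lookalike', 'external' or 'malformed'.

    Trusted: the domain itself or one of its subdomains (mail.example.com).
    Lookalike: within `max_distance` edits of a trusted domain (examp1e.com,
    example.co), or a trusted domain used as a leading label of some other
    domain (example.com.evil.net), which reads as the real thing at a glance.
    Returns (verdict, the trusted domain it matches or resembles, or None).
    """
    domain = sender_domain(address)
    if not domain:
        return ("malformed", None)
    trusted_domains = [t.lower() for t in trusted_domains]
    for trusted in trusted_domains:
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", trusted)
    for trusted in trusted_domains:
        if domain.startswith(trusted + "."):
            return ("lookalike", trusted)
        if levenshtein(domain, trusted) <= max_distance:
            return ("lookalike", trusted)
    return ("external", None)


# Constructed sample senders for the demonstration (not real messages).
SAMPLE_SENDERS = [
    "coo@example.com",               # the real COO
    "hr@mail.example.com",           # a legitimate subdomain
    "coo@examp1e.com",               # 'l' swapped for '1'
    "COO@Example.co",                # dropped the trailing 'm'
    "finance@example.com.evil.net",  # trusted name used as a sub-label
    "friend@gmail.com",              # ordinary external sender
]


def flag_lookalikes(senders, trusted_domains):
    """Return the senders that impersonate a trusted domain, with what they mimic."""
    flagged = []
    for address in senders:
        verdict, mimics = check_sender(address, trusted_domains)
        if verdict == "lookalike":
            flagged.append((address, mimics))
    return flagged


if __name__ == "__main__":
    for address, mimics in flag_lookalikes(SAMPLE_SENDERS, ["example.com"]):
        print(f"hold for phone confirmation: {address} resembles {mimics}")
```

A hit from this check is exactly the case where the phone call described above is not optional. The distance threshold is a judgement call: two edits catches most single-character swaps and dropped letters while staying quiet for unrelated domains, but very short domains will need a tighter setting to avoid false alarms.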