New Ransomware Steals And Deletes Your Data

March 3, 2017

For the past few years, our team and IT teams everywhere have learned to deal with the ransomware epidemic. Prevention was always preferred, but when disaster struck, rock-solid backups made the entire event something that could be dealt with.

One of the new strains of ransomware on the market is a nightmare for organizations and their data. DynA-Crypt is one of the first major ransomware strains confirmed to exfiltrate (steal) data. It does most of the typical ransomware damage, but increases the impact dramatically by stealing data first and then deleting and encrypting data on its way out.

Once DynA-Crypt has successfully infected a computer, it goes to work hunting down files with specific extensions and encrypting them where they sit, using strong AES encryption. It appends the .crypt extension to each affected filename, and then deletes the Shadow Volume Copies so that you cannot recover the originals. The extensions it looks for are:

.jpg | .doc | .docx | .xls | .xlsx | .ppt | .pptx | .pdf | .mp4 | .mp3 | .mov | .mkv | .png | .pst | .odt | .avi | .msg | .rar | .mdb | .zip | .m4a | .csv | .001

A DynA-Crypt Infection Means a Full-Blown Data Breach

While running, DynA-Crypt will take screenshots of your active desktop, record system sounds from your computer, log commands you type on the keyboard, and steal data from numerous installed programs like Skype, Chrome, Minecraft and many others.

It takes all the data it can find, puts it in a folder called %LocalAppData%\dyna\loot\, zips it, and emails it to the attacker. Then, perhaps worst of all, it deletes most of the folders it stole data from (but not all of them). There’s no benefit to the attacker whatsoever; it’s simply malicious.
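A defender’s triage script for the two host indicators this post names: filenames that carry one of the targeted extensions from the list above followed by the appended .crypt suffix, and the %LocalAppData%\dyna\loot\ staging folder. This is an added example, not code from the original post or from any researcher’s decryptor; it assumes the .crypt suffix is appended verbatim after the original extension and that the loot folder name is exactly as quoted, and it builds its own constructed sample tree so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Extensions the post lists as targeted by DynA-Crypt.
TARGET_EXTENSIONS = {
    ".jpg", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".mp4", ".mp3", ".mov", ".mkv", ".png", ".pst", ".odt", ".avi",
    ".msg", ".rar", ".mdb", ".zip", ".m4a", ".csv", ".001",
}
CRYPT_SUFFIX = ".crypt"                  # assumed appended after the original extension
LOOT_SUBPATH = Path("dyna") / "loot"     # staging folder under %LocalAppData%, as quoted


def is_dynacrypt_name(filename: str) -> bool:
    """True if the name looks like <name>.<targeted-ext>.crypt."""
    lower = filename.lower()
    if not lower.endswith(CRYPT_SUFFIX):
        return False
    original = lower[: -len(CRYPT_SUFFIX)]
    return os.path.splitext(original)[1] in TARGET_EXTENSIONS


def scan_tree(root) -> dict:
    """Walk root; collect encrypted-looking files and any dyna\\loot folders."""
    encrypted, loot_dirs = [], []
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        here = Path(dirpath)
        # Match the trailing "dyna\loot" components wherever the tree is rooted,
        # so the same scan works on a mounted image or a live profile directory.
        if here.parts[-2:] == LOOT_SUBPATH.parts:
            loot_dirs.append(str(here))
        encrypted.extend(str(here / f) for f in filenames if is_dynacrypt_name(f))
    return {"encrypted_files": sorted(encrypted), "loot_dirs": sorted(loot_dirs)}


def demo() -> dict:
    """Build a constructed sample profile in a temp dir and scan it (offline)."""
    base = Path(tempfile.mkdtemp(prefix="dynacrypt_demo_"))
    (base / "Documents").mkdir()
    (base / "AppData" / "Local" / "dyna" / "loot").mkdir(parents=True)
    # Two hits, one untouched file, and a .crypt name whose inner extension
    # (.txt) is not on the list, so it is not attributed to this strain.
    for name in ("budget.xlsx.crypt", "photo.jpg.crypt", "notes.txt", "readme.txt.crypt"):
        (base / "Documents" / name).write_bytes(b"constructed sample content")
    return scan_tree(base)


if __name__ == "__main__":
    print(demo())
```

Point scan_tree at a user profile (or a mounted disk image) rather than demo() to triage a real host; a non-empty loot_dirs result means the exfiltration stage ran, not just the encryption stage.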

The Small Silver Lining

The good news is that DynA-Crypt is relatively unsophisticated malware. It’s poorly written, nonsensical in its execution, unnecessarily cruel, and thankfully easy to decrypt. Security researchers have already broken it down and have provided the ability to decrypt your data, so you shouldn’t pay the ransom demanded.

The Serious Takeaway

This signals a shift in the nature of ransomware. In the past, bad actors were content simply to lock up your data and demand payment to decrypt it. But this elevates the impact significantly: data breaches may require customer and vendor notifications and can even carry legal ramifications. Let this stand as a sober reminder of the importance of effective detection and prevention systems. You must thwart these assaults before the breach occurs, because once it has, it’s already too late.