A new ransomware family, “CRYPTED!”, has recently been found spreading through pornographic websites.
The malware is disguised as a torrent (“seed”) file and uses the recently disclosed WinRAR vulnerability CVE-2018-20250 (an absolute path traversal in UNACEV2.dll, the ACE-format extraction library bundled with WinRAR, that leads to code execution) to plant the ransomware. It is posted on porn forums to lure users into downloading and extracting it. According to statistics, hundreds of computers were attacked within just two days. Leading security software already detects and blocks the ransomware.
The ransomware is usually embedded in a link to a popular porn video. According to the victims, they searched Google for a popular porn video. After clicking one of the search results they were redirected to a YouTube page that did not show the video directly; instead, the video description pointed them to a Google cloud storage (“cloud disk”) link to download the torrent. They clicked Download without a second thought, and the ransomware came with it. The cloud storage link is the trap the attackers use to get users to download the ransomware.
Once the file has been downloaded and extracted there is no time left to stop the ransomware: it encrypts the files on the victim's computer and demands a ransom of 0.1 bitcoin. Victims never get the porn video; they get ransomware instead.
Security teams have tracked the attack and infection process. The archive used in the attack was named “vid-2019037.zip” and is protected with the password “sex888”; the password also keeps the payload opaque to mail and web gateway scanners that cannot open encrypted archives. After extraction it contains an archive named “VID-2019037 Torrent.rar” and a ReadMe file. According to the ReadMe, the archive holds the movie's torrent (“seed”) file and a preview file.
Closer analysis, however, shows that “VID-2019037 Torrent.rar” is a crafted archive that exploits the WinRAR vulnerability CVE-2018-20250. The flaw lets an entry in an ACE archive (renamed to .rar) be written to an arbitrary directory when the archive is extracted, instead of into the extraction folder. When the victim extracts “VID-2019037 Torrent.rar”, a file named WindowsUpdate.exe is written into the Windows Startup folder, so the “CRYPTED!” ransomware runs at the next logon. WinRAR 5.70 removed ACE support (and UNACEV2.dll) entirely; earlier versions remain exploitable.
In addition, the movie preview file “Preview_VID-2019037.scr” advertised in the ReadMe is itself the “CRYPTED!” ransomware: a .scr screensaver file is an ordinary Windows executable. The attacker thus gets two independent chances to run the payload, which raises the success rate of the attack. The ransomware targets 57 file types, including Office documents and audio and video files.
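The two drop paths described above (a Startup-folder write from the crafted archive, and an executable posing as a preview file) are exactly what an archive triage check should catch. The Python script below is an added example written for this article; it is not code from the original page or from any vendor mentioned in it. It shows the containment check a hardened extractor should apply to every entry name before writing anything (rejecting absolute, drive-qualified and “..”-escaping names, the class of entry CVE-2018-20250 let through), plus a triage pass that flags Startup-folder targets and executable types such as .scr. The extraction root and the entry names are constructed: the article gives only the two final file names, not the paths stored inside the archive.

```python
"""Triage archive entry names before (or instead of) extracting them.

Added example for this article, not code from the page or any vendor in it.
The extraction root and entry names are CONSTRUCTED to mirror the attack
described above; the article only names the two final files.
"""
from pathlib import PureWindowsPath

# Constructed extraction root; the article does not name the victim's folders.
DEMO_ROOT = r"C:\Users\victim\Downloads"

# Both the per-user and the all-users Startup folders end with these components;
# anything dropped there runs at the next interactive logon.
STARTUP_SUFFIX = r"\start menu\programs\startup"

# File types Windows executes directly; a .scr screensaver is a plain PE file.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
            ".vbs", ".js", ".jse", ".hta", ".lnk"}


def collapse(parts):
    """Resolve '.' and '..' components.

    Returns (components, climbed_out); climbed_out is True when a '..' tried
    to step above the first component, i.e. the name escapes its base."""
    out, climbed_out = [], False
    for part in parts:
        if part in ("", "."):
            continue
        if part == "..":
            if out:
                out.pop()
            else:
                climbed_out = True
        else:
            out.append(part)
    return out, climbed_out


def resolve_entry(name, root=DEMO_ROOT):
    """Work out where an entry would land if written relative to root.

    Returns (target, contained). contained is False for the entry classes a
    hardened extractor must refuse: absolute or drive-qualified names, names
    that '..' out of root, and components containing ':' (drive or NTFS
    stream tricks)."""
    win = PureWindowsPath(name.replace("/", "\\"))
    anchor = win.anchor                      # 'C:\\', 'C:', '\\' or ''
    rel = list(win.parts[1:] if anchor else win.parts)
    _, climbed_out = collapse(rel)
    has_colon = any(":" in p for p in rel)
    base = PureWindowsPath(anchor) if anchor else PureWindowsPath(root)
    full, _ = collapse(list(base.parts[1:]) + rel)
    target = PureWindowsPath(base.anchor, *full)
    contained = not anchor and not climbed_out and not has_colon
    return target, contained


def safe_to_extract(name, root=DEMO_ROOT):
    """The check an extractor must make before creating the file."""
    return resolve_entry(name, root)[1]


def triage_entry(name, root=DEMO_ROOT):
    """Return (resolved target as str, list of findings) for one entry name."""
    target, contained = resolve_entry(name, root)
    notes = []
    if not contained:
        notes.append("escapes the extraction directory")
    if STARTUP_SUFFIX in str(target).lower():
        notes.append("lands in a Startup folder (runs at next logon)")
    ext = target.suffix.lower()
    if ext in EXEC_EXT:
        notes.append(f"executable type {ext} in an archive sold as video/torrent")
        if len(target.suffixes) > 1:
            notes.append("double extension hides the real type")
    return str(target), notes


# Constructed entry list modelled on the article's archive.
CONSTRUCTED_ENTRIES = [
    "VID-2019037.torrent",                    # what the ReadMe promises
    "Preview_VID-2019037.scr",                # the "preview" that is really a PE
    "sub\\..\\readme.txt",                    # harmless '..' that stays inside root
    # traversal into the per-user Startup folder (constructed path)
    "..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsUpdate.exe",
    # absolute path into the all-users Startup folder (constructed path)
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\WindowsUpdate.exe",
    "C:..\\evil.exe",                         # drive-relative name with no root
    "VID-2019037.mp4.exe",                    # double extension
]

if __name__ == "__main__":
    for entry in CONSTRUCTED_ENTRIES:
        target, notes = triage_entry(entry)
        print(("FLAG " if notes else "OK   ") + f"{entry!r} -> {target}")
        for note in notes:
            print(f"        - {note}")
```

The containment test deliberately works on the name alone, without touching the filesystem, so it can run over an archive listing from a gateway or a sandbox. The colon rule is stricter than most extractors: it also rejects alternate-data-stream names, which are never legitimate inside an archive.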
To prevent ransomware infections and the data and money loss they cause, be cautious with unknown links and files. Porn videos and websites are a favourite lure for spreading ransomware. Do not click suspicious links or download unknown files, and update WinRAR to version 5.70 or later, which no longer ships the vulnerable ACE extraction library. Advanced security software can additionally protect your device and data by stopping ransomware before it can harm your system.