Our friend Larry Abrams at Bleepingcomputer alerted the world about a new strain of ransomware called DynA-Crypt that was put together using a malware creation kit by people that are not very experienced, but have a lot of destruction in mind.
Larry said: “DynA-Crypt was discovered by GData malware analyst Karsten Hahn that not only encrypts your data, but also tries to steal a ton of information from a victim’s computer.
“Ransomware and information stealing infections have become all-too-common, but when you combine the two into the complete mess that DynA-Crypt is, you are just left with a big pile of NASTY that just makes a mess of a victim’s programs and data.
“The problem is that this ransomware is composed of numerous standalone executables and PowerShell scripts that just do not make sense in some of the actions they perform. It not only encrypts your files while stealing your passwords and contacts, but it also deletes files without backing them up anywhere.”
A DynA-Crypt Infection Means A Full-blown Data Breach
While running, DynA-Crypt will take screenshots of your active desktop, record system sounds from your computer, log commands you type on the keyboard, and steal data from numerous installed programs like Skype, Chrome, Minecraft and many others. When stealing this data, it copies it into a folder called %LocalAppData%\dyna\loot\. When it is ready to send the data to the developer, it zips it all up into a file called %LocalAppData%\loot.zip and emails it to the developer.
The Ransomware Portion of DynA-Crypt can be Decrypted
The ransomware portion of DynA-Crypt is powered by a PowerShell script that uses a standalone program called AES to encrypt a victim’s data. This script will scan a computer for files that match the following extensions and encrypt them.
When it encrypts a file it will append the .crypt extension to the encrypted file’s name. That means a file named test.jpg would be encrypted and renamed as test.jpg.crypt. The ransomware will also delete the computer’s Shadow Volume Copies so that you are unable to use them to recover files.
When done encrypting a computer, DynA-Crypt will display a lock screen asking you to pay $50 USD in bitcoins to an enclosed bitcoin address. Thankfully, at this time nobody has paid a ransom.
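The on-disk artifacts described above (the %LocalAppData%\dyna\loot\ folder, the loot.zip archive, and the appended .crypt extension) are enough for a first-pass host triage. The script below is an added example, not code from the article or from the analysts quoted in it; it walks a directory tree, flags those indicators, and recovers the original file names from the .crypt naming scheme. The sample tree it builds is constructed for the demo and the root directory stands in for %LocalAppData%.

```python
"""Host triage for the DynA-Crypt artifacts named in the article (added example)."""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

CRYPT_SUFFIX = ".crypt"             # appended to each encrypted file: test.jpg -> test.jpg.crypt
LOOT_DIR_PARTS = ("dyna", "loot")   # %LocalAppData%\dyna\loot\ (stolen data staging folder)
LOOT_ZIP = "loot.zip"               # %LocalAppData%\loot.zip (archive emailed to the operator)


@dataclass
class TriageResult:
    encrypted: list = field(default_factory=list)  # (encrypted path, original file name)
    loot_dirs: list = field(default_factory=list)
    loot_zips: list = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return bool(self.encrypted or self.loot_dirs or self.loot_zips)


def original_name(path: str):
    """Strip the appended .crypt suffix; return None if the file is not marked encrypted."""
    name = os.path.basename(path)
    return name[:-len(CRYPT_SUFFIX)] if name.lower().endswith(CRYPT_SUFFIX) else None


def triage(root: str) -> TriageResult:
    """Walk `root` (the would-be %LocalAppData%) and collect the three indicators."""
    result = TriageResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        parts = tuple(p.lower() for p in os.path.normpath(dirpath).split(os.sep))
        if parts[-2:] == LOOT_DIR_PARTS:
            result.loot_dirs.append(dirpath)
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            orig = original_name(full)
            if orig is not None:
                result.encrypted.append((full, orig))
            elif fn.lower() == LOOT_ZIP:
                result.loot_zips.append(full)
    return result


def build_sample_tree() -> str:
    """Constructed sample tree (stands in for %LocalAppData%) so the demo runs offline."""
    root = Path(tempfile.mkdtemp(prefix="dyna_demo_"))
    (root / "dyna" / "loot" / "chrome").mkdir(parents=True)
    (root / "dyna" / "loot" / "chrome" / "cookies.txt").touch()
    (root / LOOT_ZIP).touch()
    (root / "Documents").mkdir()
    for name in ("test.jpg.crypt", "notes.txt.crypt", "report.docx"):  # one file left untouched
        (root / "Documents" / name).touch()
    return str(root)
```

Running `triage(build_sample_tree())` reports one loot folder, one loot.zip and two encrypted files whose original names (test.jpg, notes.txt) are recovered from the .crypt suffix; report.docx is not flagged.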