BleepingComputer has published an article covering a new ransomware family called GetCrypt being distributed through malvertising campaigns. The campaigns redirected users to a site hosting the RIG exploit kit, which was used to try and exploit vulnerabilities found on the computer.

Successful exploitation led to the download of the GetCrypt ransomware that first checks the victim host’s language and terminates if it is set to Ukrainian, Belarusian, Russian, or Kazakh. If it is not terminated, it first clears all volume shadow copies to prevent potential recovery efforts. It then scans the system to identify files to be encrypted and performs the encryption using the Salsa20 and RSA-4096 encryption algorithms.

A ransom note is left behind demanding payment in exchange for the decryption key. Along with encrypting accessible network drives, this malware is unique in its use of brute force attacks to attempt to mount shares requiring additional authentication. BleepingComputer notes that a decryption tool has been released to assist in the recovery of files without ransom payment.

If you were infected with the GetCrypt Ransomware, it is possible to get your files back for free. All you need is a original unencrypted copy of a file that has been encrypted. Details on how to do this can be found here.

Indicators of Compromise

SHA256

• 8d833937f4da8ab0269850f961e8a9f963c23e6bef04a31af925a152f01a1169