In the last three years, ransomware has become a leading cyber threat across the globe. No user in any part of the world is safe from the mischief of cryptovirological operators. One month into 2019, the current cyber landscape suggests that ransomware operators are not willing to cut down the development of new cryptovirological scripts.
This trend suggests that ransomware removal experts will continue to hone their expertise in order to deal with ever-increasing cryptovirological threats. A team of malware hunters has recently discovered yet another cryptovirological strain that has been lingering in cyberspace for the last couple of days.
This ransomware script goes by the name Vaca. According to a preliminary inspection, experts have found that Vaca ransomware is not an entirely new ransomware strain. In fact, it is a variant of Xorist ransomware, which first surfaced three years ago. The operators of Xorist have developed more than 15 different variants so far, including Vaca.
Xorist Ransomware: A Ransomware With Unique Encryption Action
In this section, we have discussed a lot of ransomware strains. The majority of them use either AES or RSA encryption modules, and some use a combination of both. However, Xorist and its variants are quite different in this regard. Xorist developers use XOR ciphers and the Tiny Encryption Algorithm (TEA) to lock down files on the affected devices. By using unique encryption modules, Xorist developers have made it difficult for ransomware removal experts to come up with decrypters for the affected devices.
Vaca Ransomware Operators Ask Victims to SMS Their ID
It has been found that the latest Xorist ransomware variant uses phishing emails to distribute the malicious payload to devices. Once the encryption of the stored files finishes, a text file with a ransom note appears on the screen.
Instead of directly quoting the extortion amount for providing a ransomware removal solution, Vaca ransomware operators ask the victims to send them their ID via SMS to a VoIP number. We strongly advise users against contacting the attackers for the decrypter. There is no guarantee that the attackers will provide the solution. Moreover, you can’t rule out the possibility that the cybercriminals will extend their malicious activity through further correspondence.
It’s not clear whether Vaca ransomware operators are using the same XOR/TEA encryption methods or have shifted to RSA and AES modules. Whichever encryption has been used in the Vaca script, we recommend getting in touch with a seasoned ransomware removal expert for a professional solution.
In previous Xorist ransomware attacks, the operators would usually ask for somewhere between 0.3 and 2 Bitcoins to provide the decrypter. So, there is a strong chance that the Vaca ransom demand will also be in the same range.