back to article She will lock you out, livin' la Vidar loca: Enterprising crims breed ransomware, file thief into hybrid nasty

A newly spotted piece of hybrid malware steals copies of victims' files and then encrypts said data, demanding a ransom to unscramble it. The software nasty, bestowed the moniker Vidar earlier this month, combines the GandCrab ransomware with parts of the Arkei data-harvesting trojan to create a two-pronged attack that, on …

  1. Duncan Macdonald Silver badge

    Yet another reason to block ads

    NoScript and AdBlockPlus (or equivalents) are required for sane use of the internet.

    (BTW does the Register check all its ads to ensure that no nasties can creep in ?)

    1. Anonymous Coward
      Anonymous Coward

      Re: Yet another reason to block ads


      A family members PC was infected with a fileless rootkit last year that was served up by a malicious ad from a well known social media company that started off with a .js file extension.

  2. doublelayer Silver badge


    "The idea is that the victim will be so concerned with cleaning up the Gandcrab malware infection that they won't notice the malware was also lifting their passwords, payment card numbers, and unique system configuration information."

    Passwords and card numbers I get. I can also see taking a bunch of user files in the hope that some of them will prove lucrative to you. But what kind of system config information do they take, and why? It can't be to break in, because they already got access. It couldn't be to break in again, because if the user properly cleans up from the infection, most config information will be changed by the full wipe and reinstall. If they don't properly recover, the infection will remain. However, I don't know what intrinsic benefit might exist in configuration data that would make that worth stealing.

    1. Duncan Macdonald Silver badge

      Re: Information

      Knowing the motherboard and BIOS version and Ethernet MAC address may give them the information needed for an future attack (some motherboard BIOS versions are vulnerable to crafted Ethernet packets - if the system has Intel "Trusted Computing" - aka NSA backdoor - with default password then you can own the system). Knowing how up to date the PC is with regards to patches gives an indication of how long a new zero-day exploit is likely to be of use against the system. Knowing which type of antivirus package is used makes it easier to design a new attack to slip by the package. The Office version helps in designing attack packages. Etc etc.

  3. DropBear Silver badge


    I'm sorry, what? Not knowing what exactly they copy off the machine I might just believe they get it done in one minute - but do they truly finish _encrypting_ everything as well during that time? What is that supposed to mean, the contents of the "My Documents" folder...? Because you're NOT going to encrypt a Terabyte's worth of hard disk data in one minute. Incidentally, as a DOS-era throwback when there was no such concept as "My Documents", basically all my documents live somewhere else on my HDD (no, none of my music and videos are in "My Music" or "My Videos" either). Never expected that to make this kind of difference...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019