
Vally Ransomware

Posted: April 24, 2019

The Vally Ransomware is a file-locking Trojan that belongs to Scarab Ransomware's family. Weak server security is one of the most likely means of opening yourself up to an attack by threat actors using a variant of this family, and lacking a backup can make recovering your documents and other work impossible. Besides protecting themselves beforehand, users can quarantine or delete the Vally Ransomware through appropriate anti-malware software that will stop any additional data-locking attacks.

Language Questions on Trojan Campaigns

A file-locking Trojan that uses the same ransom message as the Croc Ransomware, and is almost certainly another version of the Scarab Ransomware, is attacking users in unknown regions of the world. The Vally Ransomware's changes are, from a victim's point of view, almost strictly superficial, and consist of different contact addresses and a different extension on the files that it locks. Otherwise, like all versions of the Scarab Ransomware family, its most important feature is the data encryption that it performs without the victim's permission.

The Vally Ransomware uses the same AES-and-RSA algorithms for locking data as other members of this Ransomware-as-a-Service family, such as the Scarab-Gefest Ransomware, the Scarab-Tokog Ransomware or the Scarab-Horsia Ransomware variants like the Burn Ransomware. Text documents, Excel spreadsheets, archives like RAR and ZIP, and pictures are some of the formats that the Trojan blocks. At least one AV vendor provides, but doesn't guarantee, a decryption service for recovering your files – but not for free.

The Vally Ransomware's adding 'vally' extensions to each filename is one of its few changes, in comparison to its ancestral Trojans. Readers with any language interests may note that this string may be a Russian conversion of the 'Wall-E' movie's title (since Russian lacks a 'W' in the alphabet), although it could, just as easily, be a misspelling of the word 'valley.' Malware experts cast little importance on this change, other than the possible clue to what countries it's targeting; the presence or lack of an extension doesn't help with decrypting and unlocking the file.

Driving Crocodiles Out of the Valley

The Vally Ransomware uses a Notepad ransom note identical to the Croc Ransomware's, including no corrections to the preexisting grammar problems of its text. While these issues imply a non-native English speaker as the threat actor, the Vally Ransomware may block the files of most Windows PCs equally effectively. Users should back their work up to other devices for security purposes and remain aware of potential attacks occurring across non-secured network connections.

Network and server administrators should be careful about exposing ports, using RDP features, or sharing passwords. These are possible, and likely, weaknesses that threat actors can use for introducing file-locking Trojans. The Scarab Ransomware family has a notable association with brute-force attacks that crack logins protected by weak passwords. Anti-malware tools may stop Trojan installers or remove the Vally Ransomware, but decrypting media isn't within the purview of a traditional PC security product.
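The RDP password-guessing that this family's operators rely on leaves a recognizable trace in the Windows Security log: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (event ID 4624) from the same address. The following script is an added example written for this page, not code from the page's author or from any vendor; it runs over a constructed, pipe-separated export of such events (the format and the sample addresses are assumptions made for the example) and flags source addresses that exceed a failure threshold inside a time window, noting whether a success followed the burst.

```python
"""Flag RDP password-guessing bursts in a Windows Security log export.

Facts relied on: event 4625 = failed logon, event 4624 = successful logon,
LogonType 10 = RemoteInteractive (RDP). The pipe-separated export format
below is an assumption for this example, not a real tool's output.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample export: timestamp|EventID|LogonType|TargetUser|SourceIP
SAMPLE_LOG = """\
2019-04-23T02:14:01|4625|LogonType=10|TargetUser=Administrator|SourceIP=203.0.113.45
2019-04-23T02:14:03|4625|LogonType=10|TargetUser=Administrator|SourceIP=203.0.113.45
2019-04-23T02:14:04|4625|LogonType=10|TargetUser=admin|SourceIP=203.0.113.45
2019-04-23T02:14:06|4625|LogonType=10|TargetUser=Administrator|SourceIP=203.0.113.45
2019-04-23T02:14:07|4625|LogonType=10|TargetUser=backup|SourceIP=203.0.113.45
2019-04-23T02:14:09|4625|LogonType=10|TargetUser=Administrator|SourceIP=203.0.113.45
2019-04-23T02:14:40|4624|LogonType=10|TargetUser=Administrator|SourceIP=203.0.113.45
2019-04-23T09:00:12|4625|LogonType=10|TargetUser=jsmith|SourceIP=192.168.1.20
2019-04-23T09:00:30|4624|LogonType=10|TargetUser=jsmith|SourceIP=192.168.1.20
2019-04-23T11:30:00|4625|LogonType=2|TargetUser=jsmith|SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<eid>\d+)\|LogonType=(?P<ltype>\d+)"
    r"\|TargetUser=(?P<user>[^|]+)\|SourceIP=(?P<ip>.+)$"
)


def parse_events(text):
    """Parse the export into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: details} for addresses with at least `threshold`
    failed RDP logons inside `window`. `success_after` names the account of
    the first successful RDP logon from that address after the burst, or
    None if there was none (a success after a burst is the urgent case)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["ltype"] == 10:  # only RemoteInteractive (RDP) logons
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["eid"] == 4625]
        # Sliding window over the failures from this address.
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = failures[j - 1]["ts"]
                success = next(
                    (e for e in evs if e["eid"] == 4624 and e["ts"] >= burst_end),
                    None,
                )
                alerts[ip] = {
                    "failures": j - i,
                    "users": sorted({e["user"] for e in failures[i:j]}),
                    "success_after": success["user"] if success else None,
                }
                break  # one alert per address is enough
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The single failed logon from the internal address and the non-RDP failure (logon type 2) are ignored; only the external address that tried several accounts in quick succession and then logged on as Administrator is reported. Tune `threshold` and `window` to the environment, and treat any alert whose `success_after` is not None as an active intrusion rather than a blocked attempt.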

The Vally Ransomware may resemble a copy-and-paste job, but the Ransomware-as-a-Service industry's activities always are worth tracking. If nothing else, they provide information on how threat actors are installing their Trojans, along with, unfortunately, how many people aren't backing their files up securely.
