
VIVELAG Ransomware

Posted: June 3, 2020

The VIVELAG Ransomware is a file-locking Trojan that's a variant of a previous one, the Sapphire Ransomware. Its campaign is targeting gamers by imitating an update for an online gaming application before delivering its file-blocking encryption attack and a gaming-themed ransom note. Users should protect their digital media with properly-secured backups, use the free decryption key as necessary, and let their anti-malware products determine the safest means of uninstalling the VIVELAG Ransomware.

A Gaming Update from Game Haters

An unknown threat actor is leveraging very standard encryption attacks against a less-than-typical subsection of the Web populace: gamers. Although the criminal's ransom message claims the identity of Sir Dystic, a notorious hacker notable for acts such as exposing vulnerabilities in Windows 98 through RATs, the Trojan at the center of this campaign, the VIVELAG Ransomware, is surprisingly unsophisticated. Consequently, malware experts presume the attribution is a deliberately falsified identity, intended to intimidate victims and extract more ransoms.

The VIVELAG Ransomware is a Windows .NET Framework executable and a slight edit of another Trojan, the Sapphire Ransomware. Its filename claims that it's an update for Gacha Life, an Android and Windows game with casual 'anime dress-up' gameplay. No actual update is bundled with the Trojan; running it instead launches an attack that blocks most digital media files (JPG or BMP pictures, documents, music, etc.) with a non-secure encryption routine.

The VIVELAG Ransomware appends a custom extension, like most Trojans of this type. However, its anti-Gacha Life-themed HTA pop-up is its most intriguing feature. This French message attributes the attack to Sir Dystic and an 'anti-gacha league,' and asks for a modest Bitcoin ransom. The wallet's history shows no payments, most likely because the threat's encryption routine can be decrypted without paying (see the second half of this article).

Long Live a Ransom-Free Gaming Life

Secure backups are the universal solution to file-locking Trojans, but some have more open decryption opportunities than their kin. For the VIVELAG Ransomware, whose name in context could translate roughly to 'Long Life the Anti-Gacha League,' decrypting and restoring files is possible by entering a static key into its HTA pop-up window. Current samples accept the key '052250058205075025075207820' for recovery. This oversight is an enormous and easily correctable one that makes the purported attribution to the seasoned hacker Dystic an almost sure falsehood.

Users also should curate their downloads in general for potential risks to their safety. Downloading gaming updates from non-official sources like a pop-up advertisement leaves the system in danger of countless drive-by-download attacks. Scanning one's downloads before opening them, checking file data and names for suspicious information, and terminating links from non-official domains are all useful.
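The advice above, checking a download's file data and name before opening it, can be partly automated. The following script is an added example written for this article, not code from the original page or from any anti-malware product. It reads a file's magic bytes to see whether the content matches what the extension claims, walks the PE headers to tell a .NET executable (the format this Trojan uses) from a native one, flags standalone executables whose names pose as "updates," and records a SHA-256 hash for submission to a scanner. The filename `Gacha_Life_update.exe` and the PE image built by `build_sample_dotnet_pe` are constructed placeholders; the real campaign's filename and hashes are not given on this page.

```python
import hashlib
import struct
from pathlib import Path
from typing import Dict, List, Optional

# Magic-byte signatures for formats a "game update" download might claim to be.
MAGIC = {
    "zip": b"PK\x03\x04",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF",
    "exe": b"MZ",
}


def detect_format(data: bytes) -> Optional[str]:
    """Identify the real container format from leading bytes, ignoring the filename."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def is_dotnet_pe(data: bytes) -> bool:
    """True if data is a PE image whose optional header has a non-empty CLR runtime directory.

    The CLR (COM descriptor) entry is data directory index 14; directories start at
    optional-header offset 96 for PE32 and 112 for PE32+.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if size_opt < 2 or opt + size_opt > len(data):
        return False
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)
    if dd_off is None:
        return False
    n_rva = struct.unpack_from("<I", data, opt + dd_off - 4)[0]  # NumberOfRvaAndSizes
    clr = opt + dd_off + 14 * 8
    if n_rva < 15 or clr + 8 > opt + size_opt:
        return False
    rva, size = struct.unpack_from("<II", data, clr)
    return rva != 0 and size != 0


def vet_download(filename: str, data: bytes) -> Dict[str, object]:
    """Compare what the name claims with what the bytes are and list anything suspicious."""
    suffixes = [s.lower().lstrip(".") for s in Path(filename).suffixes]
    claimed = suffixes[-1] if suffixes else None
    if claimed == "jpeg":
        claimed = "jpg"
    actual = detect_format(data)
    findings: List[str] = []
    if actual is None:
        findings.append("unrecognised format")
    elif claimed and claimed != actual:
        findings.append(f"name claims '{claimed}' but content is '{actual}'")
    if len(suffixes) > 1:
        findings.append("multiple extensions: " + ".".join(suffixes))
    if actual == "exe":
        findings.append(".NET executable" if is_dotnet_pe(data) else "native Windows executable")
        if "update" in filename.lower():
            findings.append("standalone executable named as an update; use the game's own updater or store")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # hand this to a scanner, never run the file
        "claimed": claimed,
        "actual": actual,
        "findings": findings,
        "verdict": "suspicious" if findings else "nothing obvious",
    }


def build_sample_dotnet_pe() -> bytes:
    """Constructed minimal PE32 image carrying a CLR directory entry (not a real program)."""
    e_lfanew = 0x80
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)   # CLR runtime header RVA / size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    report = vet_download("Gacha_Life_update.exe", build_sample_dotnet_pe())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real download with `vet_download(path.name, path.read_bytes())`. The check is deliberately conservative: it does not try to decide whether an executable is malicious, only whether the file is what its name says it is and whether it deserves a scan before anyone double-clicks it.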

Professional anti-malware programs should identify and remove the VIVELAG Ransomware, like the previous Sapphire Ransomware. The Trojan has no overt defenses, such as memory process termination or anti-sandbox techniques, unlike the more evolved Ransomware-as-a-Service families.

The VIVELAG Ransomware is a slightly snarky example of a Trojan of its kind, with a casual attitude towards its all-too-serious attacks. Its lackadaisical payload is more resolvable than most encryption-based infections are. Thus, any Gacha Life fan who falls for its scheme should be grateful they didn't encounter an even worse threat.
