Another ransomware has been found that uses legitimate programs to do its dirty encryption. RarVault was first brought to our attention by Malware Response Team member B-boy/StyLe/ who was assisting a Russian-speaking victim.
This ransomware generates a random 127-character password (with both Latin and Cyrillic characters) that it then uses to encrypt all of a victim's data into one .rar file using a packaged executable of WinRAR.
The malware creates a folder at C:\RarVault, where it stores a file called "Rar_Vault_User.txt", with information for the victim to contact the author.
http://RarVault.myfreesites.net/ RarVault@ruggedinbox.com [redacted]
The victim is also left with the ransom note "RarVault.htm", shown below.
Below is an image of the website the victim is led to, translated to English by Google Translate.
Research on this ransomware is still ongoing. If anyone has been hit by this ransomware, or knows a victim, please post here.
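For triage, the file-system artifacts named in this post (the RarVault folder at the drive root, Rar_Vault_User.txt inside it, and the RarVault.htm note) can be searched for on a live drive or a mounted disk image. The script below is an added example, not part of the original post or of any analysis of the malware; the function names and the constructed sample tree are hypothetical, and because the post does not say where the .rar archive is written, every .rar file is listed, largest first.

```python
import os
import tempfile

# Names from the write-up, lower-cased; compared case-insensitively (NTFS ignores case).
VAULT_DIR = "rarvault"
CONTACT_FILE = "rar_vault_user.txt"
RANSOM_NOTE = "rarvault.htm"


def find_rarvault_artifacts(volume_root):
    """Walk volume_root (stand-in for the C: drive) and collect RarVault artifacts."""
    root = os.path.abspath(volume_root)
    found = {"vault_dir": None, "contact_file": None, "ransom_notes": [], "rar_archives": []}
    for dirpath, dirnames, filenames in os.walk(root):  # top-down, symlinks not followed
        if dirpath == root:
            hits = [d for d in dirnames if d.lower() == VAULT_DIR]
            found["vault_dir"] = os.path.join(root, hits[0]) if hits else None
        in_vault = dirpath == found["vault_dir"]
        for name in filenames:
            full, low = os.path.join(dirpath, name), name.lower()
            if low == RANSOM_NOTE:
                found["ransom_notes"].append(full)
            elif in_vault and low == CONTACT_FILE:
                found["contact_file"] = full
            elif low.endswith(".rar"):
                # Archive location is not given in the post: list every .rar with its size.
                found["rar_archives"].append((full, os.lstat(full).st_size))
    found["rar_archives"].sort(key=lambda item: item[1], reverse=True)  # largest first
    return found


def build_constructed_sample(root):
    """Create a constructed (fake) victim tree for the demo; file contents are dummies."""
    layout = {"RARVAULT/Rar_Vault_User.TXT": b"contact placeholder",
              "Users/v/Desktop/RarVault.htm": b"<html>placeholder</html>",
              "Users/v/data.rar": b"\x00" * 4096,
              "Users/v/old/backup.rar": b"\x00" * 16,
              "Users/v/Rar_Vault_User.txt": b"same name, wrong folder"}
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(find_rarvault_artifacts(tmp))
```

To check a real volume, call `find_rarvault_artifacts` with the drive root or the mount point of the image instead of the temporary directory.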