Remove CrypVault Ransomware from Your System

A new ransomware has been discovered by security experts. The ransomware is dubbed CrypVault and there are some differences in the way it functions compared to other ransomware. The threat also goes by the name BAT_CRYPVAULT.A. Users should not be tricked into paying the ransom. There is no assurance their files will be saved.

CrypVault Distribution Technique

The malware is spread via malicious email attachments containing a JavaScript file. Once the attachment is executed, four files are downloaded from CrypVault’s Command & Control server.
After the four files are downloaded, they are stored in the %User Temp% folder. The ransomware creators may also have added strings typical of malware scanner logs so that CrypVault is harder to detect.

CrypVault Encryption Method

After it is executed, GNU Privacy Guard (GnuPG) is installed. GnuPG is an open-source encryption tool, and it is what performs the file encryption. That is when the private and public keys are generated. The private key is most likely stored in a vaultkey.vlt file. Vaultkey.vlt consists of configuration information, the number of encrypted files, and the PC names.

Here is a list of the targeted files:

  • *.xls, *.doc, *.pdf, *.rtf, *.psd, *.dwg, *.cdr, *.cd, *.mdb, *.1cd, *.dbf, *.sqlite, *.jpg, *.zip


CrypVault also drops a .txt file and generates a message on the victim’s desktop. The message contains instructions on how to proceed to pay the fee and decipher the files. The attack is also suspected to target Russian-speaking countries because the ransomware’s components are written in Russian. That includes the name of the attachment, the ransom note, and the support portal.

CrypVault also uses Microsoft's SDelete tool to remove crucial files and stop the victim from decrypting their files without paying the ransom. SDelete is frequently used by cyber criminals in crypto-ransomware attacks. However, the present case is probably the first one to employ 16 overwrite passes to ensure that no recovery tool can restore the deleted data.

The malware is then designed to download and execute a hacking tool dubbed Browser Password Dump, which works against Chrome, Firefox, Explorer, and Safari. The tool harvests browser credentials.
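The behaviours described above (a JavaScript attachment run by a script host, GnuPG executing from the user's temp folder, SDelete with 16 overwrite passes, and a vaultkey.vlt file) can be correlated per host in endpoint telemetry. The following Python is an added example, not code from the original article; the record fields, host names, the gpg*/sdelete* image names and the two-indicator threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
# Constructed sample telemetry: simplified process/file-creation records, not real logs.
SAMPLE_EVENTS = [
    {"host": "PC-01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\anna\Downloads\invoice.js"'},
    {"host": "PC-01", "image": r"C:\Users\anna\AppData\Local\Temp\gpg.exe",
     "cmdline": "gpg.exe --batch --gen-key"},
    {"host": "PC-01", "path": r"C:\Users\anna\AppData\Local\Temp\vaultkey.vlt"},
    {"host": "PC-01", "image": r"C:\Users\anna\AppData\Local\Temp\sdelete.exe",
     "cmdline": r"sdelete.exe -p 16 -q C:\Users\anna\AppData\Local\Temp\sample.tmp"},
    # Benign admin use: GnuPG from its install folder, SDelete with few passes.
    {"host": "PC-02", "image": r"C:\Program Files\GnuPG\bin\gpg.exe",
     "cmdline": "gpg.exe --verify release.sig"},
    {"host": "PC-02", "image": r"C:\Tools\sdelete.exe",
     "cmdline": r"sdelete.exe -p 3 D:\old\report.xls"},
    # A lone .js launch is one indicator only, below the threshold.
    {"host": "PC-03", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.js"},
]

TEMP_DIR = re.compile(r"\\Temp\\", re.I)               # image located under a Temp folder
SDELETE_PASSES = re.compile(r"\s[-/]p\s+(\d+)", re.I)  # SDelete's -p <passes> option

def indicators(event):
    """Return the set of indicator names that one record matches."""
    hits = set()
    # File-creation records carry "path"; process records carry "image"/"cmdline".
    if event.get("path", "").lower().endswith("\\vaultkey.vlt"):
        hits.add("vaultkey_vlt_created")
    image, cmd = event.get("image", ""), event.get("cmdline", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in ("wscript.exe", "cscript.exe") and re.search(r"\.js\b", cmd, re.I):
        hits.add("js_via_script_host")
    if name.startswith("gpg") and TEMP_DIR.search(image):  # assumed binary name
        hits.add("gnupg_from_temp")
    passes = SDELETE_PASSES.search(cmd)
    if name.startswith("sdelete") and passes and int(passes.group(1)) >= 16:
        hits.add("sdelete_16_passes")
    return hits

def triage(events, threshold=2):
    """Map each host to its sorted indicators when at least `threshold` distinct ones fired."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= indicators(event)
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= threshold}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Requiring several distinct indicators on the same host keeps legitimate use of GnuPG or SDelete on its own from raising an alert.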

Users are advised not to pay the ransom because there is no guarantee their files will be decrypted. Victims may instead try using their last backup to recover their data.

The best measure against ransomware is keeping important files stored on an external device or in the cloud.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
