VaultCrypt is a new ransomware infection that has been active mainly in Russia for the past month but is now spreading to English-speaking countries. What makes VaultCrypt different from other well-known ransomware such as CryptoWall 3.0 and CTB-Locker is its file-encryption technique, which relies on Windows batch files and the GnuPG privacy software rather than custom cryptographic code. Researchers report that the English version of the ransomware is not yet finished, but English instructions can already be seen on the payment website.
What Makes VaultCrypt Different From Other Ransomware?
Unlike other ransomware infections, VaultCrypt does not display the usual ransom note with payment details once it is installed. Instead, it scans the affected machine for Microsoft Office documents, database files, pictures and ZIP archives, encrypts them and appends a .vault extension to each encrypted file. When the user double-clicks an encrypted file, a pop-up appears stating that the file has been “Stored in Vault” and directs the victim to a Tor site (restoredz4xpmuqr.onion) to obtain the decryption key.
The decryption website contains payment details and decryption instructions. The fee is 1 Bitcoin (about $270 at the time of writing) and must be paid within seven days; if it is not paid within a week, the criminals increase the amount.
The File-Encryption Process
Researchers have determined that VaultCrypt is essentially a large Windows batch file that uses VBS scripts and the GnuPG privacy software to encrypt the files on the compromised PC. When the batch file runs, it generates a 1024-bit RSA key pair (a public and a private key) for that machine.
VaultCrypt targets files with the following extensions:
*.xls, *.doc, *.pdf, *.rtf, *.psd, *.dwg, *.cdr, *.cd, *.mdb, *.1cd, *.dbf, *.sqlite, *.jpg, *.zip
Files located in folders whose path contains msoffice, Intel, Windows or framework64 are not encrypted; everything else that matches the extension list is.
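The selection rules above (the extension list and the skipped folders) are easy to misremember during an incident, so here is a small triage tool, written for this page and not part of any published VaultCrypt analysis, that applies them the way the article states them. It walks a directory tree and reports three things: files that already carry the .vault extension, the VAULT.KEY, vaultkey.vlt and CONFIRMATION.KEY artifacts the article names later, and files that match the target list outside the skipped folders (the exposure a still-running machine has). The case-insensitive matching and the substring test on folder names are assumptions about how the batch file compares paths; the page does not give the exact comparison.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Extensions the article lists as VaultCrypt's targets, matched
// case-insensitively. The published list has only the legacy Office
// extensions; .docx and .xlsx are not in it.
var targetExts = map[string]bool{
	".xls": true, ".doc": true, ".pdf": true, ".rtf": true, ".psd": true,
	".dwg": true, ".cdr": true, ".cd": true, ".mdb": true, ".1cd": true,
	".dbf": true, ".sqlite": true, ".jpg": true, ".zip": true,
}

// Folder names the article says are skipped (assumed: case-insensitive
// substring match on each directory component, never on the file name).
var skipDirs = []string{"msoffice", "intel", "windows", "framework64"}

// File names the article associates with an infection.
var artifactNames = map[string]bool{
	"vault.key": true, "vaultkey.vlt": true, "confirmation.key": true,
}

// splitPath accepts both separators so the rules give the same answer for a
// live path and for one pasted from a Windows directory listing.
func splitPath(p string) []string {
	return strings.FieldsFunc(p, func(r rune) bool { return r == '\\' || r == '/' })
}

// Targeted reports whether the selection rules, as the article describes them,
// would pick rel (a path relative to the scanned root) for encryption.
func Targeted(rel string) bool {
	parts := splitPath(rel)
	if len(parts) == 0 {
		return false
	}
	for _, dir := range parts[:len(parts)-1] {
		d := strings.ToLower(dir)
		for _, skip := range skipDirs {
			if strings.Contains(d, skip) {
				return false
			}
		}
	}
	return targetExts[strings.ToLower(filepath.Ext(parts[len(parts)-1]))]
}

// Report is a responder's first pass over a suspect volume.
type Report struct {
	Encrypted []string // files already carrying the .vault extension
	Artifacts []string // VAULT.KEY, vaultkey.vlt or CONFIRMATION.KEY
	Exposed   []string // files the rules would encrypt that are still intact
}

// Triage walks root and classifies every regular file under it. Paths in the
// report are relative to root and the folder rules see only the relative
// path, so the name of the mount point or image directory does not matter.
func Triage(root string) (*Report, error) {
	rep := &Report{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			if d == nil {
				return err // root itself is unreadable
			}
			return nil // skip unreadable entries, keep walking
		}
		if d.IsDir() {
			return nil
		}
		rel, _ := filepath.Rel(root, path) // path is always under root here
		name := strings.ToLower(d.Name())
		switch {
		case artifactNames[name]:
			rep.Artifacts = append(rep.Artifacts, rel)
		case strings.HasSuffix(name, ".vault"):
			rep.Encrypted = append(rep.Encrypted, rel)
		case Targeted(rel):
			rep.Exposed = append(rep.Exposed, rel)
		}
		return nil
	})
	return rep, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	rep, err := Triage(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("encrypted: %d  artifacts: %d  exposed: %d\n",
		len(rep.Encrypted), len(rep.Artifacts), len(rep.Exposed))
}
```

Point it at a mounted image of the suspect disk (`go run triage.go /mnt/evidence`); a non-zero artifact or encrypted count confirms the infection, and the exposed list tells you what a backup restore has to cover.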
During the encryption process a second batch file is created whose purpose is to run a command that deletes all Shadow Volume Copies on the infected PC, so the victim cannot restore previous versions of the files from them.
The Public and the Private Key
The private key needed to decrypt the victim’s files is stored in a file named vaultkey.vlt. This file also holds configuration information, the number of encrypted files and the computer name; the collected data is used to present the victim with a personalized page on the payment website.
The public encryption key used to encrypt each victim’s private key is the criminals’ master key and is the same on every infected machine, so the victim cannot recover the private key without paying the ransom: only the holder of the matching master private key can unwrap it. The same master key is used to encrypt the CONFIRMATION.KEY file, which contains a list of all the encrypted files.
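As an added example (not code from the malware or from the researchers quoted here), the following Go program reproduces the key hierarchy just described without touching GnuPG: a per-victim 1024-bit RSA pair encrypts the data, the victim’s private key is then encrypted to a master public key that exists only on the criminals’ side, and the plaintext private key is discarded. RSA-OAEP with AES-256-GCM stands in for GnuPG’s own session-key format; the function and type names are this example’s own. Running it shows why an anti-malware product cannot give the files back: the document decrypts only when the master private key is supplied.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Envelope is a hybrid-encrypted blob: AES-256-GCM over the payload, with the
// AES key wrapped by RSA-OAEP. GnuPG public-key encryption has the same shape.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// gcmFor builds the AEAD for a 32-byte key; the only possible errors are a
// wrong key length, which the callers never produce.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts plaintext so that only the holder of pub's private half can read it.
func seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key, nonce := randBytes(32), randBytes(12)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcmFor(key).Seal(nil, nonce, plaintext, nil)}, nil
}

// unseal reverses seal; with the wrong private key the OAEP check fails.
func unseal(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return gcmFor(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Infection is what is left on disk: the document encrypted to the victim key
// and the victim private key encrypted to the master key (vaultkey.vlt's role).
type Infection struct{ EncryptedDocument, EncryptedVictimKey *Envelope }

// infect models one machine: a fresh 1024-bit pair (the size the article
// reports), the document sealed to it, the private half sealed to the master key.
func infect(master *rsa.PublicKey, document []byte) (*Infection, error) {
	victim, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	encDoc, err := seal(&victim.PublicKey, document)
	if err != nil {
		return nil, err
	}
	encKey, err := seal(master, x509.MarshalPKCS1PrivateKey(victim))
	if err != nil {
		return nil, err
	}
	return &Infection{encDoc, encKey}, nil // the plaintext victim key is dropped here
}

// recoverDocument needs the master private key: unwrap the victim key, then
// decrypt the document with it. This is the step the ransom pays for.
func recoverDocument(masterPriv *rsa.PrivateKey, inf *Infection) ([]byte, error) {
	der, err := unseal(masterPriv, inf.EncryptedVictimKey)
	if err != nil {
		return nil, err
	}
	victim, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	return unseal(victim, inf.EncryptedDocument)
}

func main() {
	master, _ := rsa.GenerateKey(rand.Reader, 2048) // exists only on the criminals' side
	inf, _ := infect(&master.PublicKey, []byte("constructed sample document"))
	got, err := recoverDocument(master, inf)
	fmt.Println("with master key:", string(got), err)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err = recoverDocument(stranger, inf)
	fmt.Println("without master key:", err)
}
```

The second attempt fails inside rsa.DecryptOAEP, before any file data is touched: the wrapped victim key never decrypts, so the per-victim key that would unlock the document is simply not available on the machine. That is the whole reason the article says recovery without the master key is practically impossible.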
VaultCrypt also downloads a file from tj2es2lrxelpknfp.onion.city and saves it on the infected computer; its sole purpose is to steal login credentials for the web pages the user visits.
The Final Touch
VaultCrypt uses Microsoft’s SDelete (a Sysinternals tool) to erase every file used during the encryption process. For this final step it runs SDelete with sixteen overwrite passes, which makes recovering the deleted key files with file-recovery tools practically impossible.
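The page gives no command lines, but the three behaviours it does describe (GnuPG generating a key pair and encrypting files, shadow copies being deleted, SDelete run with sixteen passes) all show up in process-creation telemetry. The following detector is an added example rather than a published rule: it runs over constructed Sysmon-style events, matches each behaviour with a pattern, and correlates by parent process so that a lone vssadmin call by an administrator does not page anyone. The gpg, vssadmin and wmic invocations are assumed forms built from those tools’ real options (--batch --gen-key, -e, Delete Shadows, shadowcopy delete); SDelete’s -p pass-count switch is the documented one, and the batch file name, paths and timestamps are invented.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// ProcEvent is a minimal process-creation record: the fields a Sysmon event 1
// or a Windows 4688 entry provides.
type ProcEvent struct {
	Time, ParentImage, Image, CommandLine string
}

// Alert is one rule firing on one event.
type Alert struct {
	Rule  string
	Event ProcEvent
}

// Patterns for the behaviours the article describes. The article gives no
// command lines, so these assume the tools are called with their normal
// options; wmic is included as the other common way to delete shadow copies.
var (
	reVssadmin = regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`)
	reWmic     = regexp.MustCompile(`(?i)wmic(\.exe)?\s+shadowcopy\s+delete`)
	reGpgGen   = regexp.MustCompile(`(?i)gpg2?(\.exe)?\s.*--batch.*--gen-key`)
	reGpgEnc   = regexp.MustCompile(`(?i)gpg2?(\.exe)?\s.*(\s-e\s|--encrypt\b)`)
	reSdelete  = regexp.MustCompile(`(?i)sdelete(64)?(\.exe)?\s.*-p\s*(\d+)`)
)

// sdeletePasses returns the value of SDelete's -p switch, or 0 when the
// command is not an SDelete invocation with an explicit pass count.
func sdeletePasses(cmd string) int {
	m := reSdelete.FindStringSubmatch(cmd)
	if m == nil {
		return 0
	}
	n, _ := strconv.Atoi(m[3])
	return n
}

var rules = []struct {
	name  string
	match func(cmd string) bool
}{
	{"shadow copies deleted (vssadmin)", reVssadmin.MatchString},
	{"shadow copies deleted (wmic)", reWmic.MatchString},
	{"unattended GnuPG key generation", reGpgGen.MatchString},
	{"GnuPG file encryption", reGpgEnc.MatchString},
	// SDelete defaults to one pass; the article reports sixteen. Three or more
	// is already well outside routine administrative use.
	{"SDelete multi-pass wipe", func(cmd string) bool { return sdeletePasses(cmd) >= 3 }},
}

// Detect runs every rule over every event's command line.
func Detect(events []ProcEvent) []Alert {
	var out []Alert
	for _, ev := range events {
		for _, r := range rules {
			if r.match(ev.CommandLine) {
				out = append(out, Alert{r.name, ev})
			}
		}
	}
	return out
}

// Correlate counts distinct rules per parent process. The batch file runs all
// of these tools from one cmd.exe, so one parent tripping two or more rules is
// the high-confidence signal; a single vssadmin call may be an administrator.
func Correlate(alerts []Alert) map[string]int {
	seen := map[string]map[string]bool{}
	for _, a := range alerts {
		if seen[a.Event.ParentImage] == nil {
			seen[a.Event.ParentImage] = map[string]bool{}
		}
		seen[a.Event.ParentImage][a.Rule] = true
	}
	counts := map[string]int{}
	for parent, rs := range seen {
		counts[parent] = len(rs)
	}
	return counts
}

// SampleEvents is a constructed log excerpt, not real telemetry: one infection
// chain from cmd.exe plus two benign uses of the same tools from explorer.exe.
var SampleEvents = []ProcEvent{
	{"10:41:58", `C:\Windows\explorer.exe`, `C:\Windows\System32\cmd.exe`, `cmd.exe /c C:\Users\bob\AppData\Local\Temp\run.bat`},
	{"10:42:01", `C:\Windows\System32\cmd.exe`, `C:\Users\bob\AppData\Local\Temp\gpg.exe`, `gpg.exe --homedir C:\Users\bob\AppData\Local\Temp\gpghome --batch --gen-key params.txt`},
	{"10:42:03", `C:\Windows\System32\cmd.exe`, `C:\Users\bob\AppData\Local\Temp\gpg.exe`, `gpg.exe --homedir C:\Users\bob\AppData\Local\Temp\gpghome --trust-model always -r vault -e C:\Users\bob\Documents\report.doc`},
	{"10:42:09", `C:\Windows\System32\cmd.exe`, `C:\Windows\System32\vssadmin.exe`, `vssadmin.exe Delete Shadows /All /Quiet`},
	{"10:42:11", `C:\Windows\System32\cmd.exe`, `C:\Users\bob\AppData\Local\Temp\sdelete.exe`, `sdelete.exe -p 16 -s C:\Users\bob\AppData\Local\Temp\gpghome`},
	{"11:05:40", `C:\Windows\explorer.exe`, `C:\Tools\sdelete.exe`, `sdelete.exe -p 1 C:\Temp\old.log`},
	{"11:06:02", `C:\Windows\explorer.exe`, `C:\Windows\System32\vssadmin.exe`, `vssadmin.exe list shadows`},
}

func main() {
	alerts := Detect(SampleEvents)
	for _, a := range alerts {
		fmt.Printf("%s  %-34s %s\n", a.Event.Time, a.Rule, a.Event.CommandLine)
	}
	for parent, n := range Correlate(alerts) {
		if n >= 2 {
			fmt.Printf("HIGH: %s spawned %d distinct ransomware behaviours\n", parent, n)
		}
	}
}
```

On the sample the four malicious events fire and all share cmd.exe as parent, while the administrator’s single-pass SDelete and `vssadmin list shadows` produce nothing. In production the shadow-copy rule alone is worth an alert on any host that is not a backup server, but the correlation is what separates this batch-file pattern from routine maintenance.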
VaultCrypt’s C&C Server
Researchers describe the C&C server as quite sophisticated. It is currently located at http://restoredz4xpmuqr.onion. The victim must first register by uploading the VAULT.KEY file; authorization then happens automatically, and a login ID and password are generated that can be reused on later visits.
Once logged in, victims are shown information about their encrypted files, the payment method, and a live-chat support channel for any questions.
VaultCrypt offers to decrypt four files free of charge as a guarantee that the rest will be restored after payment.
Most of the information on the website is in Russian, but there are also instructions in English.
How Does VaultCrypt Infiltrate Your System?
Like many other threats, VaultCrypt can enter the targeted system:
- Bundled with free software downloaded from the Internet
- As a link or attachment to a spam email message
- Through corrupted websites
- Through exploit kits delivered by malicious advertisements, other malware or compromised web pages
Is It Possible to Remove VaultCrypt from Your Computer?
The VaultCrypt infection itself can be removed with a competent anti-malware tool, but researchers warn that restoring the encrypted files without paying the ransom is almost impossible; the only reliable way to get the data back is from a backup. There is a small chance of recovering some of the original files with a file-recovery tool, because, unlike its own key material, the original unencrypted files deleted by the ransomware are not wiped securely.