Remove VaultCrypt from Your Computer - How to, Technology and PC Security Forum

Remove VaultCrypt from Your Computer

VaultCrypt is a new ransomware infection that has been active mainly in Russia for the past month but is now spreading to English-speaking countries. What sets VaultCrypt apart from other notorious ransomware such as CryptoWall 3.0 and CTB-Locker is its file-encryption technique, which relies on Windows batch files and the GnuPG privacy software. Experts report that the English version of the ransomware is not quite finished yet, but English instructions can already be seen on the payment website.


What Makes VaultCrypt Different from Other Ransomware?

Unlike other ransomware infections, VaultCrypt does not display the typical ransom message with payment details once it is installed. Instead, it scans the affected machine for MS Office files, database files, pictures and zip archives, encrypts them and appends a .vault extension. When the user double-clicks an encrypted file, a pop-up message appears stating that the file has been “Stored in Vault”. The victim must visit a certain website (restoredz4xpmuqr.onion) to obtain the decryption key.

The decryption website contains payment details and decryption instructions. The fee amounts to 1 Bitcoin (about $270) and has to be paid within seven days. If the required sum is not paid within a week, the cyber crooks increase the amount.

The File-Encryption Process

Experts have determined that VaultCrypt is essentially a large Windows batch file that uses VBS scripts and the GnuPG privacy software to encrypt the files on the compromised PC. Once the batch file is executed, it generates a 1024-bit RSA public/private key pair.

VaultCrypt targets files with the following extensions:

*.xls, *.doc, *.pdf, *.rtf, *.psd, *.dwg, *.cdr, *.cd, *.mdb, *.1cd, *.dbf, *.sqlite, *.jpg, *.zip

Files located in certain folders are skipped by the ransomware, namely msoffice, Intel, Windows, and framework64.

During the file-encryption process, an additional batch file is also created. Its purpose is to run a command that erases all Shadow Volume Copies on the infected PC, making it impossible for the victim to restore the unencrypted files from them.

The Public and the Private Key

The private key needed to decrypt the victim’s files is stored in a vaultkey.vlt file. This file also contains configuration information, the number of encrypted files, and computer names. The collected data is used to present the PC user with a personalized page on the payment website.

The public encryption key, which is the same for all infected machines, is used to encrypt each victim’s private key, so that the user cannot retrieve it without paying the ransom. The same master key is used to encrypt the CONFIRMATION.KEY file, which contains a list of all the encrypted files.

Another offensive move skillfully planned by the creators of VaultCrypt is downloading an additional file and saving it on the infected computer with the sole purpose of stealing login information for the web pages visited by the user.

The Final Touch

VaultCrypt uses the SDelete tool from Microsoft Sysinternals to erase all files used during the encryption process. For this final step, the ransomware applies sixteen overwrites, which makes restoring the created key files with recovery tools almost impossible.
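The behaviours described in the encryption-process and key-handling sections above (GnuPG key generation from a batch file, Shadow Volume Copy deletion, the .vault rename, the key files, and the multi-pass SDelete wipe) give a defender several things to look for. The following Python module is an added example written for this article, not code from the original post or from the malware: it checks constructed process-creation log lines and a constructed file listing against those indicators. The exact gpg and sdelete command lines are assumptions; "vssadmin delete shadows" and SDelete's -p pass-count switch are real Windows/Sysinternals syntax.

```python
import re
from pathlib import PureWindowsPath
# Extensions VaultCrypt targets and folders it skips, as listed in the article.
TARGET_EXTS = {".xls", ".doc", ".pdf", ".rtf", ".psd", ".dwg", ".cdr", ".cd",
               ".mdb", ".1cd", ".dbf", ".sqlite", ".jpg", ".zip"}
SKIPPED_DIRS = {"msoffice", "intel", "windows", "framework64"}
KEY_FILES = {"vaultkey.vlt", "vault.key", "confirmation.key"}

# One pattern per behaviour the article describes; the exact gpg and sdelete command
# lines are assumptions, "vssadmin delete shadows" and SDelete's -p <passes> are real.
PROCESS_RULES = {
    "gnupg_key_or_encrypt": re.compile(r"\bgpg2?(?:\.exe)?\b.*--(?:gen-key|encrypt)", re.I),
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "sdelete_wipe": re.compile(r"\bsdelete(?:\.exe)?\b.*-p\s*(\d+)", re.I),
}

def scan_log(lines):
    """Rule names matched anywhere in a process log; sdelete_wipe carries the pass count."""
    hits = {}
    for line in lines:
        for name, rx in PROCESS_RULES.items():
            m = rx.search(line)
            if m:
                hits[name] = int(m.group(1)) if name == "sdelete_wipe" else True
    return hits

def triage_paths(paths):
    """Count .vault-renamed, key and still-unencrypted target files outside skipped folders."""
    report = {"vault_files": 0, "key_files": [], "at_risk": 0}
    for p in map(PureWindowsPath, paths):
        if {d.lower() for d in p.parts[:-1]} & SKIPPED_DIRS:
            continue  # VaultCrypt leaves these folders alone, so they carry no signal
        name = p.name.lower()
        if name in KEY_FILES:
            report["key_files"].append(str(p))
        elif name.endswith(".vault"):
            report["vault_files"] += 1
        elif p.suffix.lower() in TARGET_EXTS:
            report["at_risk"] += 1  # target type that has not (yet) been renamed
    return report

SAMPLE_LOG = [  # constructed sample telemetry, not real logs
    r"gpg.exe --batch --gen-key C:\Users\u\AppData\Local\Temp\params.txt",
    r"vssadmin.exe delete shadows /all /quiet", r"notepad.exe C:\Users\u\notes.txt",
    r"sdelete.exe -p 16 C:\Users\u\AppData\Local\Temp\secring.gpg",
]
SAMPLE_PATHS = [  # constructed file listing
    r"C:\Users\u\Documents\budget.xls.vault", r"C:\Users\u\Pictures\holiday.jpg.vault",
    r"C:\Users\u\Documents\VAULT.KEY", r"C:\Users\u\CONFIRMATION.KEY",
    r"C:\Windows\System32\catalog.mdb", r"C:\Users\u\Downloads\archive.zip"]
```

A host whose process log trips all three rules, with .vault files and a key file on disk, matches the full sequence the article describes; the "at_risk" count shows which target files were still untouched when the listing was taken.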

VaultCrypt’s C&C Server

Experts describe the C&C server as quite sophisticated. It is currently located at http://restoredz4xpmuqr.onion. The user first needs to register by uploading the VAULT.KEY file. Authorization then follows automatically, generating a login ID and password, both of which can be used for subsequent logins.

Once victims log in, they are presented with information about the encrypted files, the payment method and live chat support in case any questions arise.

VaultCrypt offers to restore four files for free as a guarantee that the encrypted files will be restored after payment.

Most of the information on the website is in Russian, but there are also instructions in English.

How Does VaultCrypt Infiltrate Your System?

Like many other threats, VaultCrypt can enter the targeted system:

  • Bundled with free software available for download online
  • As a link or attachment in a spam email message
  • Through corrupted websites
  • Through exploit kits hosted by malicious advertisements, other malware or compromised web pages

Is It Possible to Remove VaultCrypt from Your Computer?

The VaultCrypt infection can be eliminated with a competent anti-malware tool, but experts warn that restoring the encrypted files without paying the ransom is almost impossible. The only reliable way to restore the encrypted data is from a backup. The specialists add that there is a small chance of restoring some of the files deleted by the ransomware, or their Shadow Volume copies, with a file recovery tool, because VaultCrypt does not delete the original files securely (only the key files it creates are wiped with SDelete).


Berta Bilbao
