A ransomware called VaultCrypt has been circulating in Russia since the end of February, but it’s starting to make its way to English-speaking regions. Its use of a sophisticated payment site and unusual ransom method sets the bug apart.
According to cyber-research blog Bleeping Computer, when a victim’s files are encrypted, .vault is appended to each encrypted file's name, thus giving the bug its moniker. But in a marked departure from other crypto-ransomware like CryptoLocker and its variants, VaultCrypt has no obvious ransom note explaining to victims what has happened to their files and how to get them back.
Instead, unlucky users targeted by the malware need to click around to get their answers.
“After being given access to the infected machine, we were able to see that instead of using ransom notes, this ransomware would modify the registry to include a new .vault extension and that changes an encrypted file's icon to a lock,” Bleeping Computer noted. “When you double-clicked on a Vault file, instead of the file opening, an alert would be shown stating that the file was ‘Stored in Vault’ and that you needed to go to [a specific Tor address] to get the key.”
This alert is displayed by registering a new .vault extension in the Windows Registry whose file-association handler executes the malware's code whenever a .vault file is double-clicked.
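A file-association hijack of this kind leaves a trace under HKEY_CLASSES_ROOT: an extension key pointing at a ProgID whose shell\open\command runs a script interpreter instead of a document viewer. The following triage helper is an added example (not code from the article or from Bleeping Computer): it parses a Windows .reg export and flags any extension whose "open" verb launches wscript, cmd, PowerShell or similar. The registry content, the ProgID name "vaultfile" and the script path in it are constructed for the example, not indicators taken from the article.

```python
"""Flag file-extension associations whose open handler is a script interpreter.

Added example for triaging a registry export (e.g. `reg export HKCR hkcr.reg`)
after a suspected VaultCrypt-style infection. Nothing here is the malware's
own code; the sample export below is constructed and its paths are invented.
"""
import re
from typing import Dict, List, Tuple

# Interpreters that should not normally be the "open" handler for a document type.
SUSPICIOUS_HANDLERS = ("wscript", "cscript", "cmd.exe", "cmd ", "powershell", "mshta", "rundll32")

# Constructed sample export: one hijacked extension (.vault -> vaultfile -> wscript)
# next to a benign association (.txt -> txtfile -> Notepad) for comparison.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.vault]
@="vaultfile"

[HKEY_CLASSES_ROOT\vaultfile]
@="Stored in Vault"

[HKEY_CLASSES_ROOT\vaultfile\DefaultIcon]
@="%SystemRoot%\\System32\\shell32.dll,47"

[HKEY_CLASSES_ROOT\vaultfile\shell\open\command]
@="wscript.exe //B \"C:\\Users\\Public\\vault.vbs\" \"%1\""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""


def _unquote(value: str) -> str:
    """Turn a .reg REG_SZ literal ("..." with \\ and \" escapes) into plain text."""
    value = value.strip()
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])  # escaped backslash or quote
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, str]:
    """Map every key in a .reg export to its default ('@') string value."""
    defaults: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith("@="):
            defaults[current] = _unquote(line[2:])
    return defaults


def find_script_backed_extensions(defaults: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (extension, ProgID, open command) for associations handled by a script host."""
    findings = []
    for key, progid in defaults.items():
        m = re.fullmatch(r"HKEY_CLASSES_ROOT\\(\.[^\\]+)", key)
        if not m or not progid:
            continue  # not an extension key, or no ProgID assigned
        cmd_key = f"HKEY_CLASSES_ROOT\\{progid}\\shell\\open\\command"
        command = defaults.get(cmd_key, "")
        if any(h in command.lower() for h in SUSPICIOUS_HANDLERS):
            findings.append((m.group(1), progid, command))
    return findings


if __name__ == "__main__":
    for ext, progid, cmd in find_script_backed_extensions(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{ext} -> {progid}: {cmd}")
```

Run against a real export, the same function reports every extension whose double-click action is a script host; on a clean workstation that list should be empty or contain only associations you can explain, so an entry like the constructed `.vault` one is worth pulling the referenced script for analysis.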
Victims can then “register” their infection with the command & control server at the Tor address, where they are greeted with a login and registration prompt.
“To register, you simply need to upload the VAULT.KEY file from an infected computer and it will automatically authorize you and generate a login ID and password that you can use in the future,” the researchers said.
Once logged in, the interface is very much oriented towards customer service. Victims are presented with a news ticker, a variety of information about their encrypted files, how much they need to pay to get their files back, and the ability to chat with the malware developers if they need help. Finally, like most other current ransomware infections, VaultCrypt provides the ability to restore four files for free as proof that it is able to do so.
“At this point the ransomware is not 100% ready for English-speaking countries due to the large amount of Russian utilized in the ransom notes, and the command & control server,” the blog authors said. “At the same time, there are English instructions spread throughout the payment site, so we can expect more English-speaking targeting to occur in the near future.”
The ransomware is also unusual because it uses Windows batch files and the open source GnuPG privacy software to power its file encryption technique.
After analyzing the script, the researchers quickly realized that VaultCrypt was essentially one large Windows batch file utilizing VBS scripts and free software such as GnuPG and SDelete to encrypt data files and hold them hostage. Targeted file types include Office files, ZIP files, photos, PDFs and others.
“When first infected, the batch file would run and generate a unique RSA 1024 public and private key pair labeled Cellar using GnuPG,” Bleeping Computer explained. “VaultCrypt would then use GnuPG and the Cellar public encryption key to encrypt any files that matched the [targeted] file extensions.”
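Because the encryption is done with stock GnuPG rather than custom crypto, an encrypted .vault file begins with an ordinary OpenPGP packet header, and a responder can confirm that from the first byte without any key. The classifier below is an added example, not code from the article: it reads the OpenPGP packet tag (RFC 4880 old- and new-format headers) and reports whether a file is public-key encrypted, as GnuPG output with the "Cellar" public key would be, symmetrically encrypted, ASCII-armored, or not OpenPGP at all. The sample byte strings are constructed.

```python
"""Classify a file's leading bytes as an OpenPGP message or not.

Added example for confirming that VaultCrypt-style ".vault" files really are
GnuPG output rather than merely renamed. Only the packet header is inspected;
the constructed samples below stand in for real file contents.
"""
from typing import Optional, Tuple

PKESK = 1    # Public-Key Encrypted Session Key: first packet of `gpg -e -r <key>` output
SKESK = 3    # Symmetric-Key Encrypted Session Key: first packet of `gpg -c` output
ARMOR_PREFIX = b"-----BEGIN PGP "


def openpgp_packet_tag(data: bytes) -> Optional[Tuple[int, bool]]:
    """Return (tag, is_new_format) for the first binary OpenPGP packet, or None."""
    if not data or not data[0] & 0x80:     # bit 7 must be set in any packet header
        return None
    first = data[0]
    if first & 0x40:                        # new-format header: tag in low 6 bits
        return (first & 0x3F, True)
    return ((first >> 2) & 0x0F, False)     # old-format header: tag in bits 2-5


def classify(data: bytes) -> str:
    """Label a file by its leading bytes."""
    if data.startswith(ARMOR_PREFIX):
        return "openpgp-armored"
    header = openpgp_packet_tag(data)
    if header is None:
        return "not-openpgp"
    tag, _ = header
    if tag == PKESK:
        return "openpgp-public-key-encrypted"
    if tag == SKESK:
        return "openpgp-symmetric-encrypted"
    return f"openpgp-tag-{tag}"


# Constructed samples (not real captures):
#  - old-format PKESK header (0x85), 2-byte length, version 3, 8-byte key ID, RSA alg 1
SAMPLE_PUBKEY_ENCRYPTED = b"\x85\x01\x0c\x03" + bytes(8) + b"\x01"
#  - new-format PKESK header (0xC1)
SAMPLE_NEW_FORMAT = b"\xc1\x0c\x03" + bytes(8) + b"\x01"
#  - old-format SKESK header (0x8C)
SAMPLE_SYMMETRIC = b"\x8c\x0d\x04\x09\x03"
#  - a plain PDF, which a renamed-but-untouched file would still look like
SAMPLE_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for name, blob in [("pubkey", SAMPLE_PUBKEY_ENCRYPTED), ("symmetric", SAMPLE_SYMMETRIC), ("pdf", SAMPLE_PDF)]:
        print(name, classify(blob))
```

In practice you would feed `classify()` the first few bytes of each .vault file; a "public-key-encrypted" result is consistent with the GnuPG-based scheme the researchers describe, and it also tells you that recovery depends on the private half of that RSA key pair, not on anything left in the file.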