VaultCrypt

VaultCrypt is a file encryptor Trojan that uses a combination of Visual Basic scripts, batch files and third-party freeware to encrypt your files, rendering them unusable until you pay a Bitcoin fee to its admins. While previously seen distributed towards Russian PC users, VaultCrypt now is beginning to make headway in Canada and other, English-speaking regions, although much of its well-developed infrastructure still is in a transitional state. Despite the inherent difficulties in recovering files from this threat, paying its ransom is not a course of action malware experts would recommend, particularly since a reliable file backup system can make its attacks irrelevant.

The Vault Where Your Files go to Die

VaultCrypt is a showcase of how an advanced file encryption Trojan is achievable without relying on obtuse tools. The majority of VaultCrypt's components consist of VBS scripting content implemented via batch files. VaultCrypt also uses some additional programs, such as sDelete (AKA Secure Delete, a file removal program) and GnuPG (a free data encryptor). Although the latter software is neither illicit nor threatening, they have few safeguards against being exploited in illegitimate ways, as VaultCrypt shows in campaigns throughout Russia and, now, other countries.

VaultCrypt targets files of appropriate types, using GnPG to encrypt them and make them unreadable. Simultaneously, these files have their names appended with the '.vault' suffix, which lets victims identify the affected files visually. VaultCrypt's current settings allow VaultCrypt to ignore files in any Windows-critical folders that could, when encrypted, harm your operating system. However, malware experts found files in other locations readily affected, with major types including:

• Archives, such as .ZIP.
• Microsoft Office files, such as .XLS and .DOC.
• Adobe .PDF files.
• VoIP files, such as .CDR.
• JPEGs and other images.

Although VaultCrypt doesn't generate a ransom note TXT file, VaultCrypt does issue an alternate ransom demand. PC users who click any of VaultCrypt's encrypted files see an automatic pop-up that recommends the use of VaultCrypt's website via the Tor Browser. This site holds the Bitcoin-based ransom process, a 'sample' decryption service that can restore up to four files and a working chat interface.

Burying a Threat to Your Files

VaultCrypt takes several steps to prevent its encryption process from being easy to reverse, but paying its ransom has no guarantee of decrypting the rest of your files. Since VaultCrypt deletes files that could be used to restore your data from a standard system restore, malware researchers suggest backing up all critical data on a remote storage device. Cloud services and USB devices can be used to restore your information after removing VaultCrypt.

While removing VaultCrypt, you also should take into account a secondary hazard presented by this file encryptor. Malware experts also have identified at least one component of VaultCrypt that collects passwords and other login data related to the victim's Web-browsing activities. Avoiding logging into accounts on a VaultCrypt-infected PC is a matter of self-defense, and any unauthorized access to your accounts is an immediate justification for changing all compromised login material.

Technical Details