We were first alerted to this ransomware by Xtrania Technology Solutions in Calgary, Canada, who had a customer whose files were encrypted and had .vault appended to each encrypted file's name. What was strange was that there was no apparent ransom note explaining what had happened to their files and how to get them back. After being given access to the infected machine, we were able to see that instead of using ransom notes, this ransomware registers a new .vault file extension in the Windows Registry that changes an encrypted file's icon to a lock.
When you double-clicked on a Vault file, instead of the file opening, an alert would be shown stating that the file was "Stored in Vault" and that you needed to go to restoredz4xpmuqr.onion to get the key.
This alert is displayed by creating a new .vault extension in the Windows Registry whose handler executes the following command whenever a .vault file is double-clicked.
mshta.exe vbscript:Execute("msgbox "" STORED IN VAULT:""&vbNewLine&"" %1""&vbNewLine&vbNewLine&ChrW(10139)&"" Visit for key: http://restoredz4xpmuqr.onion""&vbNewLine&vbNewLine&"" [accessible only via Tor Browser: http://torproject.org]"",16,""VaultCrypt [Permission Error: No Key]"":close")

Though we have not been able to find a dropper, we were able to find the main script that is the power behind VaultCrypt. On analyzing the script, we quickly realized that VaultCrypt is essentially one large Windows batch file that uses VBS scripts and free software such as GnuPG and sDelete to encrypt data files and hold them hostage.
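A file-association handler like the one above is easy to spot once the relevant keys are exported, because a legitimate handler points at an application, not at a script host with an inline vbscript: payload. The following is an added example, not code from the original write-up: it parses a Windows .reg export and flags every extension whose shell\open\command launches mshta.exe, wscript.exe or cscript.exe with an inline script. The progid name VaultFile, the key layout, the icon value and the shortened handler command in the sample export are constructed; the check generalizes to any extension, not just .vault.

```python
"""Parse a Windows .reg export and flag file extensions whose open handler runs a
script host with an inline script, which is how the .vault association described
above works. Added example: the progid 'VaultFile' and the sample export are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed .reg export modelled on the .vault association. The handler is a
# shortened form of the mshta command quoted in the write-up; .txt is a benign control.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.vault]
@="VaultFile"

[HKEY_CLASSES_ROOT\VaultFile\DefaultIcon]
@="%SystemRoot%\\system32\\SHELL32.dll,47"

[HKEY_CLASSES_ROOT\VaultFile\shell\open\command]
@="mshta.exe vbscript:Execute(\"msgbox \"\" STORED IN VAULT:\"\"&vbNewLine&\"\" %1\"\",16,\"\"VaultCrypt\"\":close\")"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

# name=value line for string data; names are @ (default) or a quoted string
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)


def _unescape(s: str) -> str:
    # In .reg files a backslash escapes the next character (doubled backslash, escaped quote)
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the string values in a .reg export.
    dword:/hex: values are skipped; they are not needed for this check."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def find_script_handlers(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """For every extension key (HIVE\\.ext) follow its progid to shell\\open\\command
    and report handlers that launch a script host with an inline vbscript:/javascript:
    payload. Returns (extension, progid, command) tuples."""
    findings: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        hive, _, ext = key.partition("\\")
        if not ext.startswith(".") or "\\" in ext:
            continue
        progid = values.get("(Default)", "")
        cmd = keys.get(f"{hive}\\{progid}\\shell\\open\\command", {}).get("(Default)", "")
        # executable is the first token; strip quotes and any directory part
        exe = re.split(r"[\\/]", cmd.split(" ", 1)[0].strip('"'))[-1].lower()
        if exe in SCRIPT_HOSTS and INLINE_SCRIPT.search(cmd):
            findings.append((ext, progid, cmd))
    return findings


if __name__ == "__main__":
    for ext, progid, cmd in find_script_handlers(parse_reg(SAMPLE_REG)):
        print(f"{ext} ({progid}) opens with: {cmd}")
```

To run it against a real machine, export HKEY_CLASSES_ROOT with reg.exe (`reg export HKCR classes.reg`) and feed the file to parse_reg; the export is large, so the parser deliberately ignores everything except string values.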
When first infected, the batch file would run and generate a unique 1024-bit RSA public and private key pair, labeled Cellar, using GnuPG. VaultCrypt would then use GnuPG and the Cellar public encryption key to encrypt any files matching the *.xls, *.doc, *.pdf, *.rtf, *.psd, *.dwg, *.cdr, *.cd, *.mdb, *.1cd, *.dbf, *.sqlite, *.jpg, and *.zip file extensions.
Encryption subroutine for the cd, mdb, 1cd, dbf, and sqlite data files
VaultCrypt would only encrypt data files that were not located in certain folders, as shown in the image below. Some of the folders it would skip include Windows, msoffice, Intel, and framework64. This was probably done to avoid encrypting files that Windows needs in order to boot properly. While the data was being encrypted, it would also create a batch file that executes a command to delete all Shadow Volume Copies on the computer. This is done so that you cannot use Shadow Volumes to restore your unencrypted files.
The creation of a VBS file that deletes all of the Shadow Volume Copies.
During this process, VaultCrypt would also export the private decryption key needed to decrypt your files and save it in a vaultkey.vlt file. Other information such as configuration information, computer names, and the number of encrypted files per extension would be stored in this file as well. This information is used to personalize your page on the payment site, as well as to give statistical information on the percentages of file types that were encrypted.
Finally, so that the victim can't retrieve their private key from the vaultkey.vlt file, VaultCrypt encrypts it using a master public key that is the same for all VaultCrypt victims. This encrypted file is then saved as %AppData%\VAULT.KEY. Using one master encryption key to encrypt each victim's key file makes things easier for the malware developer, as they only need to keep the single master private decryption key that is the same for everyone. VaultCrypt will also encrypt the CONFIRMATION.KEY file, which contains a list of all the encrypted files, using the same master public key.
To add insult to injury, VaultCrypt will then download a file from tj2es2lrxelpknfp.onion.city and save it as ssl.exe on the infected computer. This file is a Browser Password Dump utility that VaultCrypt uses to try to steal login information for the sites you visit. The resulting list of account information is saved in cookie.vlt and uploaded back to the tj2es2lrxelpknfp.onion site.
As a last security measure, VaultCrypt will use Microsoft's sDelete program to securely delete any files used by the encryption process using 16 overwrite passes. This makes it almost impossible to recover the created key files using file recovery tools. To finish, VaultCrypt will then add various registry entries that automatically display ransom notes when a user logs into Windows.
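The behaviours described in the last few paragraphs (a batch file driving GnuPG once per data file, a command that deletes Shadow Volume Copies, sDelete wiping the key material, and mshta showing the alert) all leave process-creation telemetry. The following added example, not code from the original write-up, runs simple detection rules over constructed Sysmon-style process creation events and adds an aggregate rule: several gpg --encrypt launches from the same parent process is the signal of mass encryption that a single gpg event would not give. The events, the victim paths, the rule names and the threshold are assumptions.

```python
"""Detection rules for the VaultCrypt behaviours described above, run over
constructed Sysmon Event ID 1 style process creation events.
Added example: events, paths, rule names and the threshold are assumptions."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed events. PID 2001 is the batch interpreter; everything it spawns is the
# encryption run. The last two events are benign controls (notepad, a gpg signature check).
EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "2001", "ParentProcessId": "1000", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\run.bat"'},
    {"ProcessId": "2002", "ParentProcessId": "2001", "Image": r"C:\Users\victim\AppData\Local\Temp\gpg.exe",
     "CommandLine": r'gpg.exe --batch --yes --trust-model always -r Cellar -e "C:\Users\victim\Documents\q1.xls"'},
    {"ProcessId": "2003", "ParentProcessId": "2001", "Image": r"C:\Users\victim\AppData\Local\Temp\gpg.exe",
     "CommandLine": r'gpg.exe --batch --yes --trust-model always -r Cellar -e "C:\Users\victim\Documents\plan.doc"'},
    {"ProcessId": "2004", "ParentProcessId": "2001", "Image": r"C:\Users\victim\AppData\Local\Temp\gpg.exe",
     "CommandLine": r'gpg.exe --batch --yes --trust-model always -r Cellar -e "C:\Users\victim\Pictures\holiday.jpg"'},
    {"ProcessId": "2005", "ParentProcessId": "2001", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"ProcessId": "2006", "ParentProcessId": "2001", "Image": r"C:\Users\victim\AppData\Local\Temp\sdelete.exe",
     "CommandLine": r"sdelete.exe -p 16 C:\Users\victim\AppData\Roaming\vaultkey.vlt"},
    {"ProcessId": "2007", "ParentProcessId": "900", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe vbscript:Execute("msgbox ""STORED IN VAULT"",16,""VaultCrypt"":close")'},
    {"ProcessId": "2008", "ParentProcessId": "900", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\victim\notes.txt"},
    {"ProcessId": "2009", "ParentProcessId": "3000", "Image": r"C:\Program Files (x86)\GnuPG\bin\gpg.exe",
     "CommandLine": r"gpg.exe --verify C:\Users\victim\Downloads\update.sig"},
]

# Per-event rules on the command line. Each matches one behaviour from the write-up.
RULES: List[Tuple[str, re.Pattern]] = [
    ("shadow_copy_deletion",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("gpg_batch_encrypt", re.compile(r"\bgpg2?(\.exe)?\s.*--batch.*(\s-e\b|--encrypt\b)", re.I)),
    ("sdelete_secure_wipe", re.compile(r"\bsdelete(64)?(\.exe)?\s.*-p\s+\d+", re.I)),
    ("mshta_inline_vbscript", re.compile(r"\bmshta(\.exe)?\s+(vbscript|javascript):", re.I)),
]

MASS_ENCRYPT_THRESHOLD = 3  # assumed; tune to the environment's normal gpg usage


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, id) hits: per-event hits carry the ProcessId; the aggregate
    mass-encryption hit carries the ParentProcessId that spawned the gpg runs."""
    hits: List[Tuple[str, str]] = []
    gpg_by_parent: Counter = Counter()
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["CommandLine"]):
                hits.append((name, ev["ProcessId"]))
                if name == "gpg_batch_encrypt":
                    gpg_by_parent[ev["ParentProcessId"]] += 1
    for parent, n in gpg_by_parent.items():
        if n >= MASS_ENCRYPT_THRESHOLD:
            hits.append(("mass_gpg_encryption_by_parent", parent))
    return hits


if __name__ == "__main__":
    for rule, ident in detect(EVENTS):
        print(f"{rule}: {ident}")
```

The shadow-copy and sDelete rules are the cheapest to deploy and the hardest for this family to avoid; the aggregate gpg rule needs the parent process ID, which Sysmon records but many basic process logs do not.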
The Command & Control server, located at http://restoredz4xpmuqr.onion, is quite sophisticated. When you first go to the C2 server you are greeted with a login and registration prompt. To register, you simply upload the VAULT.KEY file from an infected computer, and the site automatically authorizes you and generates a login ID and password that you can use in the future.
Login page for the VaultCrypt Payment Site
Once logged in you will be presented with a news ticker, a variety of information about your encrypted files, how much you need to pay to get your files back, and the ability to chat with the malware developers if you need help.
VaultCrypt Payment Site
As you can see from the screenshots, most of the information is presented in Russian, though some pages contain English as well as links to English instructions on pastebin. Finally, like most other current ransomware infections, VaultCrypt provides the ability to restore 4 files for free as proof that it is able to do so.
Free Decryption Page
Unfortunately, at this time there is no way to decrypt the files for free without first obtaining the master private decryption key, which is known only to the malware developer. As this is not likely to happen any time soon, the only options are to restore your data from a backup or to attempt to use a file recovery tool. As VaultCrypt does not securely delete the original data files, there is a chance you can recover your unencrypted data using file recovery programs such as R-Studio, PhotoRec, or Recuva.
A big thanks to Fabian Wosar for tracking down the script on pastebin!
Files associated with VaultCrypt:
%appdata%\CONFIRMATION.KEY
%appdata%\VAULT.hta
%appdata%\VAULT.KEY
%Desktop%\vault.txt

Registry entries associated with VaultCrypt:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vltnotify "mshta %appdata%\VAULT.hta"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VAULT Notification "mshta %appdata%\VAULT.hta"
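The file and registry indicators above are enough for a quick triage check of a user profile. The following added example, not code from the original write-up, matches them against a snapshot of the HKCU Run values and the %AppData% and Desktop listings, so it can be exercised offline; on Windows, collect_live_state() gathers the real values with the standard winreg module. The snapshot contents are constructed, and the "mshta plus VAULT.hta" command match is an assumption that catches the Run entry even if the value name changes.

```python
"""Triage check for the VaultCrypt file and registry indicators listed above.
Added example: the snapshot below is constructed; collect_live_state() is Windows only."""
import os
import sys
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the write-up, lower-cased for case-insensitive matching
RUN_VALUE_NAMES = {"vltnotify", "vault notification"}
APPDATA_FILES = {"confirmation.key", "vault.hta", "vault.key"}
DESKTOP_FILES = {"vault.txt"}
ENCRYPTED_EXT = ".vault"

# Constructed snapshot of an infected profile with benign entries mixed in
SNAPSHOT_RUN = {
    "vltnotify": r"mshta C:\Users\victim\AppData\Roaming\VAULT.hta",
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SNAPSHOT_APPDATA = ["Microsoft", "VAULT.KEY", "confirmation.key"]
SNAPSHOT_DESKTOP = ["vault.txt", "report.docx.vault", "photo.jpg"]


def check_indicators(run_values: Dict[str, str], appdata: Iterable[str],
                     desktop: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings. Run values match on the known value names
    or on any mshta command that launches VAULT.hta (assumed generalization); file
    names match case-insensitively because NTFS lookups are case-insensitive."""
    findings: List[Tuple[str, str]] = []
    for name, cmd in run_values.items():
        low = cmd.lower()
        if name.lower() in RUN_VALUE_NAMES or ("mshta" in low and "vault.hta" in low):
            findings.append(("run_key", f"{name} = {cmd}"))
    appdata = list(appdata)
    desktop = list(desktop)
    for f in appdata:
        if f.lower() in APPDATA_FILES:
            findings.append(("appdata_file", f))
    for f in desktop:
        if f.lower() in DESKTOP_FILES:
            findings.append(("desktop_file", f))
    for f in appdata + desktop:
        # encrypted documents carry the appended .vault extension
        if f.lower().endswith(ENCRYPTED_EXT):
            findings.append(("encrypted_file", f))
    return findings


def collect_live_state() -> Tuple[Dict[str, str], List[str], List[str]]:
    """Windows only: enumerate the HKCU Run key with winreg and list %AppData% and Desktop."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; pass a snapshot elsewhere")
    import winreg
    run_values: Dict[str, str] = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised when no more values
                break
            run_values[name] = str(data)
            i += 1
    appdata = os.path.expandvars("%APPDATA%")
    desktop = os.path.join(os.path.expandvars("%USERPROFILE%"), "Desktop")
    return run_values, os.listdir(appdata), os.listdir(desktop)


if __name__ == "__main__":
    state = collect_live_state() if sys.platform == "win32" else (SNAPSHOT_RUN, SNAPSHOT_APPDATA, SNAPSHOT_DESKTOP)
    for category, detail in check_indicators(*state):
        print(f"{category}: {detail}")
```

The check is intentionally limited to the current user's hive and profile, which is where every indicator on the page lives; an encrypted-file count across the whole volume would need a separate walk with os.walk.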