
VaultCrypt uses batch files and open source GnuPG to hold your files hostage



#1 Grinler (Lawrence Abrams, Admin)

Posted 17 March 2015 - 08:32 AM

A ransomware called VaultCrypt has been circulating in Russia since the end of February and is starting to make its way to English-speaking regions. The interesting features of this ransomware are its use of Windows batch files and the open source GnuPG privacy software to power a very effective file encryption technique. Add a sophisticated payment site and you have a ransomware that is something to be concerned about. At this point the ransomware is not 100% ready for English-speaking countries due to the large amount of Russian utilized in the ransom notes and the Command & Control server. At the same time, there are English instructions spread throughout the payment site, so we can expect more English-speaking targeting to occur in the near future.

We were first alerted to this ransomware by Xtrania Technology Solutions in Calgary, Canada, who had a customer whose files were encrypted and had .vault appended to each encrypted file's name. What was strange was that there was no apparent ransom note explaining what had happened to their files and how to get them back. After being given access to the infected machine, we were able to see that instead of using ransom notes, this ransomware would modify the registry to include a new .vault extension, which changes an encrypted file's icon to a lock.
 

[Image encrypted-file.jpg: VaultCrypt Alert]


When you double-clicked on a Vault file, instead of the file opening, an alert would be shown stating that the file was "Stored in Vault" and that you needed to go to restoredz4xpmuqr.onion to get the key.
 

[Image alert.jpg: VaultCrypt Alert]


This alert is displayed by creating a new .vault extension in the Windows Registry that executes the following code whenever a .vault file is double-clicked.
 
mshta.exe vbscript:Execute("msgbox "" STORED IN VAULT:""&vbNewLine&"" %1""&vbNewLine&vbNewLine&ChrW(10139)&"" Visit for key: http://restoredz4xpmuqr.onion""&vbNewLine&vbNewLine&"" [accessible only via Tor Browser: http://torproject.org]"",16,""VaultCrypt [Permission Error: No Key]"":close")
Though we have not been able to find a dropper, we were able to find the main script that is the power behind VaultCrypt. On analyzing the script we quickly realized that VaultCrypt was essentially one large Windows batch file utilizing VBS scripts and free software such as GnuPG and sDelete to encrypt data files and hold them hostage.

When first infected, the batch file would run and generate a unique RSA 1024 public and private key pair labeled Cellar using GnuPG. VaultCrypt would then use GnuPG and the Cellar public encryption key to encrypt any files that matched the *.xls, *.doc, *.pdf, *.rtf, *.psd, *.dwg, *.cdr, *.cd, *.mdb, *.1cd, *.dbf, *.sqlite, *.jpg, *.zip file extensions.
 

[Image encrypt-routine-src.jpg: Encryption subroutine for the cd, mdb, 1cd, dbf, and sqlite data files]


When VaultCrypt encrypted your data files it would only encrypt data files if they were not in certain folders, as shown in the image below. Some of the folders that it would not encrypt include Windows, msoffice, Intel, and framework64. This was probably done to prevent files from being encrypted that could cause Windows to not boot properly. While the data was being encrypted, it would also create a batch file that would execute a command to delete all Shadow Volume Copies on the computer. This is done so that you cannot use Shadow Volumes to restore your unencrypted files.
 

[Image remove-shadows.jpg: The creation of a VBS file that deletes all of the Shadow Volume Copies.]


During this process, VaultCrypt would also export the private decryption key needed to decrypt your files and save it in a vaultkey.vlt file. Other information such as configuration information, computer names, and the number of encrypted files per extension would be stored in this file as well. This information will be used to personalize your page on the payment site as well as to give statistical information as to the percentages of file types that were encrypted.

Finally, in order to make it so the victim can't retrieve their private key from the vaultkey.vlt file, VaultCrypt encrypts it using a master public key that is the same for all VaultCrypt victims. This encrypted file is then saved as %AppData%\VAULT.KEY. This approach of using one master encryption key to encrypt each specific user's key file makes it easier for the malware developer as they only have to know the single private decryption key that is the same for everyone. VaultCrypt will also encrypt the CONFIRMATION.KEY file, which contains a list of all the encrypted files, using the same master public key.

To add insult to injury, VaultCrypt will then download a file from tj2es2lrxelpknfp.onion.city and save it as ssl.exe on the infected computer. This file is a Browser Password Dump that VaultCrypt will use to try to steal login information for the sites you visit. This resulting list of account information will be saved in cookie.vlt and uploaded back to the tj2es2lrxelpknfp.onion site.

As a last security measure, VaultCrypt will use Microsoft's sDelete program to securely delete any files used by the encryption process using 16 overwrites. This makes it almost impossible to recover the created key files using file recovery tools. To finish, VaultCrypt will then add various registry entries that will automatically display ransom notes when a user logs into Windows.

The Command & Control server, located at http://restoredz4xpmuqr.onion, is quite sophisticated. When you first go to the C2 server you will be greeted with a login and registration prompt. To register, you simply need to upload the VAULT.KEY file from an infected computer and it will automatically authorize you and generate a login id and password that you can use in the future.
 

[Image decryption-site-login.jpg: Login page for the VaultCrypt Payment Site]


Once logged in you will be presented with a news ticker, a variety of information about your encrypted files, how much you need to pay to get your files back, and the ability to chat with the malware developers if you need help.
 

[Image decryption-site-main-page.jpg: VaultCrypt Payment Site]


As you can see from the screenshots, most of the information is presented in Russian, though there are some pages that contain English as well as links to English instructions on pastebin. Finally, like most other current ransomware infections, VaultCrypt provides the ability to restore 4 files for free as proof that it is able to do so.
 

[Image four-free-decryptions-page.jpg: Free Decryption Page]


Unfortunately, at this time there is no way to decrypt the files for free without first obtaining the master private decryption key, which is known only by the malware developer. As this is not likely to happen any time soon, the only options are to restore your data via backup or to attempt to use a file recovery tool. As VaultCrypt does not securely delete files there is a chance you can recover your original unencrypted data files using file recovery programs such as R-Studio, Photorec, or Recuva.

A big thanks to Fabian Wosar for tracking down the script on pastebin!

Files associated with VaultCrypt:

%appdata%\CONFIRMATION.KEY
%appdata%\VAULT.hta
%appdata%\VAULT.KEY
%Desktop%\vault.txt

Registry entries associated with VaultCrypt:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vltnotify "mshta %appdata%\VAULT.hta"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VAULT Notification "mshta %appdata%\VAULT.hta"



#2 zingo156 (BC Advisor)

Posted 17 March 2015 - 09:20 AM

So far it seems like there are about 2 new ransomware threats every month. I think in January there were at least 4. These are here to stay. We all need to learn to do cold backups frequently for data that is important. EDIT: or use backup software on the cloud that has versioning etc.


Edited by zingo156, 17 March 2015 - 09:25 AM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#3 Nikhil_CV (Malware Study Hall Senior)

Posted 17 March 2015 - 02:02 PM

These guys seem to be more systematic and professional than the English counterparts. They've even open-sourced the main code! Anyway, another headache.
As usual, any idea how this comes into play (get infected)?

Symantec's Noscript may be of help to prevent those .bat files from executing.

@ zingo156,
You're right.

    I think in January there were at least 4.

Well, that was the 'new year bonanza'! ;) :P

Regards : CV
There is no ONE TOUCH key to security! Be alert and vigilant....! Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when its shared to others. :radioactive: signature contents © cv and Someone....... :wink:

Help Bleeping Computer defend its freedom of speech (over internet) against ESG


#4 zingo156 (BC Advisor)

Posted 17 March 2015 - 02:06 PM

They didn't find the dropper (means of infection) according to Grinler:

    Though we have not been able to find a dropper


#5 Nikhil_CV (Malware Study Hall Senior)

Posted 17 March 2015 - 02:17 PM

Ah, Thanks. :)
I missed it.



#6 Uselesslight (Members)

Posted 17 March 2015 - 02:47 PM

It's great to be able to read about this, but isn't it a concern to have this all available as public information? Malicious writers are all using this research against us all in the fight against these types of infections. Shouldn't it be private communication to pass the knowledge around to minimize the advantages our competition has over us?

I think it was actually quoted on here a while ago from Grinler saying "Kindly shut the hell up" lol

#7 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 17 March 2015 - 03:03 PM

All of this was already up on pastebin before we got to it. We are not disclosing anything that wasn't already disclosed.

#8 Sirawit (Malware Response Team)

Posted 20 March 2015 - 09:59 AM

Hi Grinler, so what is the ransomware name? VaultCrypt or CryptVault?

    A ransomware called VaultCrypt has been circulating in Russia since the end of February and is starting to make its way to English speaking regions.

    Files associated with CryptVault:

Thank you.


Help BleepingComputer Defend Freedom of Speech.

If I don't reply back to you in 2 days, feel free to send me a PM.

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#9 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 20 March 2015 - 10:46 AM

VaultCrypt. Fixed the typo.

#10 Sirawit (Malware Response Team)

Posted 20 March 2015 - 10:47 AM

    VaultCrypt. Fixed the typo.

Thanks Grinler! :)




#11 mike 1 (Members)

Posted 22 March 2015 - 06:54 AM

    Files associated with VaultCrypt:

I will add:

%Temp%\revault.js
%Temp%\svchost.exe

    Registry entries associated with VaultCrypt:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vltexec

topic: http://virusinfo.info/showthread.php?t=179098

After infection, it is recommended to change the passwords.


Edited by mike 1, 22 March 2015 - 06:57 AM.

I eat mice

My processor AMD Athlon™ X4 860K, 4 cores   :deadhorse:
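As an added, defender-side example (not code from the forum posts, from BleepingComputer, or from VaultCrypt itself), the check below takes the indicators named in this thread, the artifact files and Run values in Grinler's opening post together with the %Temp% files and the vltexec value mike 1 adds above, and runs them over a constructed autorun export, file-association table and file listing. The export formats, the parsing regex and all sample input are assumptions made for this example; only the indicator names are the thread's own. The .vault handler is matched by its shape (mshta started with an inline vbscript: argument) rather than by the extension alone, so a variant that registers a different extension is still flagged.

```python
import re
from dataclasses import dataclass

# Indicator names below are the ones listed in this thread (opening post plus
# mike 1's additions). Everything else (input formats, sample data) is constructed
# for this example and is not VaultCrypt's own code or the forum's.
VAULT_RUN_VALUES = {"vltnotify", "vault notification", "vltexec"}
VAULT_FILES = {
    r"%appdata%\confirmation.key",
    r"%appdata%\vault.hta",
    r"%appdata%\vault.key",
    r"%desktop%\vault.txt",
    r"%temp%\revault.js",
    r"%temp%\svchost.exe",  # a svchost.exe under %Temp% is itself out of place
}
# The .vault shell handler quoted in the opening post starts mshta with inline VBScript.
MSHTA_INLINE_RE = re.compile(r"\bmshta(?:\.exe)?\s+vbscript:", re.IGNORECASE)
# The Run values quoted in the opening post start mshta on VAULT.hta.
MSHTA_HTA_RE = re.compile(r"\bmshta(?:\.exe)?\b.*vault\.hta", re.IGNORECASE)
# Assumed export format: <key path>\Run\<value name> "<command>" (command optional).
RUN_LINE_RE = re.compile(r'^(?P<key>.*\\Run\\)(?P<name>.*?)(?:\s+"(?P<cmd>.*)")?\s*$')


@dataclass(frozen=True)
class Finding:
    source: str  # "run", "assoc" or "file"
    item: str    # value name, extension or path that matched
    reason: str


def check_run_entries(lines):
    """Flag Run values whose name, or whose command, matches the indicators."""
    findings = []
    for line in lines:
        m = RUN_LINE_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd") or ""
        if name.lower() in VAULT_RUN_VALUES:
            findings.append(Finding("run", name, "value name listed in the thread"))
        elif MSHTA_HTA_RE.search(cmd):
            findings.append(Finding("run", name, "command starts mshta on VAULT.hta"))
    return findings


def check_file_associations(assoc):
    """assoc maps an extension to its shell open command (assumed export format)."""
    findings = []
    for ext, cmd in assoc.items():
        if ext.lower() == ".vault":
            findings.append(Finding("assoc", ext, ".vault extension registered"))
        elif MSHTA_INLINE_RE.search(cmd):
            findings.append(Finding("assoc", ext, "handler runs inline VBScript via mshta"))
    return findings


def check_files(paths):
    """Flag the artifact paths from the thread and count files renamed to .vault."""
    findings = []
    encrypted = 0
    for path in paths:
        low = path.lower()
        if low in VAULT_FILES:
            findings.append(Finding("file", path, "artifact path listed in the thread"))
        elif low.endswith(".vault"):
            encrypted += 1
    if encrypted:
        findings.append(Finding("file", f"{encrypted} files", "renamed with the .vault extension"))
    return findings


def triage(run_lines, assoc, paths):
    """Run all three checks and return the combined list of findings."""
    return check_run_entries(run_lines) + check_file_associations(assoc) + check_files(paths)


# Constructed sample input (not captured from a real machine).
RUN_EXPORT = [
    r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive "C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"',
    r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vltnotify "mshta %appdata%\VAULT.hta"',
    r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VAULT Notification "mshta %appdata%\VAULT.hta"',
    r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vltexec',
    r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater "mshta C:\Users\u\AppData\Roaming\VAULT.hta"',
]
ASSOC_EXPORT = {
    ".txt": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    ".vault": 'mshta.exe vbscript:Execute("msgbox ""STORED IN VAULT: %1"",16,""VaultCrypt"":close")',
    ".xyz": 'mshta.exe vbscript:Execute("msgbox ""renamed variant"":close")',
}
FILE_LISTING = [
    r"%AppData%\VAULT.KEY",
    r"%AppData%\CONFIRMATION.KEY",
    r"%Temp%\svchost.exe",
    r"%Desktop%\report.xls.vault",
    r"%Desktop%\photo.jpg.vault",
    r"%Desktop%\notes.txt",
]

if __name__ == "__main__":
    for f in triage(RUN_EXPORT, ASSOC_EXPORT, FILE_LISTING):
        print(f"[{f.source}] {f.item}: {f.reason}")
```

On a real host the three inputs would come from an autoruns or registry export, the HKCR shell command export and a directory walk; the checks themselves stay the same. Matching the handler by its mshta-plus-inline-VBScript shape, and a Run command by what it launches rather than only by value name, is what lets the check survive the trivial renaming a later build might do.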




