New ransomware makes encrypted files appear quarantined

The encrypted files are appended by a .vault extension, which makes them appear quarantined.
The encrypted files are appended by a .vault extension, which makes them appear quarantined.

A new ransomware variant detected by Trend Micro as BAT_CRYPVAULT.A, or CRYPVAULT, is being distributed as an attachment in spam emails and is targeting mostly Russian speakers.

The ransomware has been observed encrypting files and then making them appear as if they were quarantined, according to a Monday post by Michael Marcos, threat response engineer with Trend Micro. Specifically, the files are appended by a .vault extension.

“The act of disguising the users' encrypted files as quarantined files possibly aims to raise urgency for users to take action on their files,” Marcos told SCMagazine.com in a Monday email correspondence, going on to add, “Appending a .vault file extension can also be used as a marker for the malware to know that the file is already encrypted.”

When executed, CRYPVAULT installs an open source encryption tool, GNU Privacy Guard (GnuPG), which generates an RSA-1024 public and private key pair that encrypts files with numerous extensions, including .doc, .pdf, .rtf, .jpg, and .zip, the post indicates. The ransomware then appends the .vault file extension to encrypted files.

Upon attempting to open an encrypted and locked file, a prompt appears that instructs victims on how to go about paying the ransom, according to the post. Additionally, a text file downloaded by the malware provides instructions, and the attached file name, ransom note and ransomware support portal are in the Russian language.

To ensure victims cannot unlock their files without paying the ransom, CRYPVAULT uses a Microsoft tool known as SDelete to delete key files used in the encryption process, including ‘secring.gpg,' ‘vaultkey.vlt,' and ‘confclean.lst,' Marcos wrote in the post, adding that the ransomware uses 16 overwrite passes.

“This means that the malware makes sure that the decryption key is irrecoverable on the affected system by data recovery tools,” Marcos said.

Additionally, CRYPVAULT downloads and executes the Browser Password Dump hacking tool, which extracts stored login passwords from various browsers, including Firefox, Internet Explorer, Chrome, Safari and Opera, the post notes.

Particularly interesting for Marcos is that CRYPVAULT is not coded using a programming language such as C++, C# or .NET, he said.

“The ransomware is written in a batch script (the script is executed line per line in the command line/MS-Prompt),” Marcos said. “It did not import any libraries or can create functions. The commands were executed from top to bottom.”

He added, “The ransomware is purely written in scripts – JavaScript for the downloader and batch script for the ransomware. The components that come with the malware do the bulk of the malicious routines. This shows how easy one can make a ransomware. Other crypto-ransomware variants coded their encryption routines.”

Marcos suggested not paying the ransom because there is no guarantee that the correct keys will be provided – instead, he said the best option is to rebuild from a recent backup.

The malware was analyzed and discussed last month on BleepingComputer.com, where the ransomware was referred to as VaultCrypt and was said to be making its way to English speaking regions. 

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS