
VaultCrypt

Posted: March 18, 2015

Threat Metric

Threat Level: 10/10
Infected PCs: 2,225
First Seen: March 20, 2015
Last Seen: May 2, 2022
OS(es) Affected: Windows

VaultCrypt is a file-encrypting Trojan that uses a combination of Visual Basic scripts, batch files and third-party freeware to encrypt your files, rendering them unusable until you pay a Bitcoin ransom to its operators. First seen targeting Russian PC users, VaultCrypt is now making headway in Canada and other English-speaking regions, although much of its well-developed infrastructure is still in a transitional state. Despite the inherent difficulty of recovering files from this threat, paying its ransom is not a course of action malware experts recommend, particularly since a reliable file backup routine makes its attacks irrelevant.

The Vault Where Your Files go to Die

VaultCrypt shows that an advanced file-encrypting Trojan can be built without any custom, hard-to-analyze tooling. Most of its components are VBS scripts launched from batch files. VaultCrypt also bundles legitimate third-party programs: sDelete (Secure Delete, a secure file-wiping utility) and GnuPG (a free OpenPGP encryption suite). Neither program is illicit or threatening on its own, but neither has safeguards against being driven by a malicious script, as VaultCrypt's campaigns in Russia and, now, other countries show.

VaultCrypt targets files of selected types, using GnuPG to encrypt them and make them unreadable. Each encrypted file also has the '.vault' suffix appended to its name, so victims can identify affected files visually. VaultCrypt's current configuration skips files in Windows-critical folders that could, if encrypted, break the operating system. However, malware experts found files in other locations readily affected, with major types including:

  • Archives, such as .ZIP.
  • Microsoft Office files, such as .XLS and .DOC.
  • Adobe .PDF files.
  • VoIP files, such as .CDR.
  • JPEGs and other images.
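The triage a responder would run over an affected profile, as an added example that is not part of the original page or of VaultCrypt's own scripts: it walks a directory tree for '.vault' files, recovers each file's original extension, and checks whether the file actually begins with an OpenPGP packet, which is what GnuPG writes, so files that were only renamed or truncated stand out from files that were really encrypted. The sample file heads, the paths and the 'alice' profile are constructed for the demonstration and are not taken from a real infection.

```python
"""Triage scan for VaultCrypt-style '.vault' files.

Added example (not VaultCrypt's code and not the page's): picks out files
carrying the '.vault' suffix, recovers the original extension, and checks
whether each file starts with an OpenPGP packet header (RFC 4880), which is
how a GnuPG-encrypted message begins.
"""
import os
from collections import Counter

# OpenPGP packet tags (RFC 4880 section 4.3) that open an encrypted message.
PKESK, SKESK = 1, 3          # session key encrypted to a public key / to a passphrase
ENCRYPTED_FIRST_TAGS = {PKESK, SKESK}


def openpgp_packet_header(data: bytes):
    """Parse the first OpenPGP packet header (RFC 4880 section 4.2).

    Returns (tag, body_length, header_length); body_length is None for an
    indeterminate or partial length. Returns None if data is not a packet.
    """
    if not data or not data[0] & 0x80:
        return None                      # bit 7 is set in every packet header
    b0 = data[0]
    if b0 & 0x40:                        # new-format header: tag in the low 6 bits
        tag = b0 & 0x3F
        if len(data) < 2:
            return None
        b1 = data[1]
        if b1 < 192:
            return tag, b1, 2
        if b1 < 224:
            if len(data) < 3:
                return None
            return tag, ((b1 - 192) << 8) + data[2] + 192, 3
        if b1 == 255:
            if len(data) < 6:
                return None
            return tag, int.from_bytes(data[2:6], "big"), 6
        return tag, None, 2              # partial body length (224..254)
    tag = (b0 >> 2) & 0x0F               # old-format header: tag in bits 2..5
    ltype = b0 & 0x03                    # length type in bits 0..1
    if ltype == 3:
        return tag, None, 1              # indeterminate length
    nbytes = {0: 1, 1: 2, 2: 4}[ltype]
    if len(data) < 1 + nbytes:
        return None
    return tag, int.from_bytes(data[1:1 + nbytes], "big"), 1 + nbytes


def classify_vault_file(name: str, head: bytes) -> dict:
    """Describe one file from its name and its first bytes."""
    base, vault_ext = os.path.splitext(name)
    if vault_ext.lower() != ".vault":
        return {"vault": False}
    original_ext = os.path.splitext(base)[1].lower() or "(none)"
    hdr = openpgp_packet_header(head)
    return {"vault": True, "original_ext": original_ext,
            "openpgp_tag": hdr[0] if hdr else None,
            "gpg_encrypted": hdr is not None and hdr[0] in ENCRYPTED_FIRST_TAGS}


def triage(files: dict) -> dict:
    """files maps path -> first bytes. Returns per-extension counts and the
    '.vault' files that are not GnuPG output (renamed, truncated or decoys)."""
    by_ext, not_gpg = Counter(), []
    for path, head in files.items():
        info = classify_vault_file(os.path.basename(path), head)
        if not info["vault"]:
            continue
        by_ext[info["original_ext"]] += 1
        if not info["gpg_encrypted"]:
            not_gpg.append(path)
    return {"vault_files": sum(by_ext.values()), "by_ext": dict(by_ext), "not_gpg": not_gpg}


def triage_tree(root: str) -> dict:
    """Read the first 16 bytes of every '.vault' file under root and triage them."""
    files = {}
    for d, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".vault"):
                p = os.path.join(d, n)
                with open(p, "rb") as fh:
                    files[p] = fh.read(16)
    return triage(files)


# Constructed sample heads (not real VaultCrypt output): an old-format PKESK
# header for a 2048-bit RSA recipient (268-byte body), a new-format PKESK
# header, and a ZIP that was only renamed.
SAMPLE_FILES = {
    r"C:\Users\alice\Documents\budget.xls.vault": b"\x85\x01\x0c\x03" + b"\x00" * 12,
    r"C:\Users\alice\Pictures\IMG_0001.jpg.vault": b"\xc1\x0d\x03" + b"\x00" * 13,
    r"C:\Users\alice\Downloads\archive.zip.vault": b"PK\x03\x04" + b"\x00" * 12,
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES))
```

Run `triage_tree(r"C:\Users\<username>")` on a live profile, or `triage_tree` over a mounted image; the `not_gpg` list is worth a second look, since a '.vault' file that does not start with a PKESK or SKESK packet was never handed to GnuPG and may be recoverable as-is.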

Although VaultCrypt doesn't drop a ransom note as a TXT file, it does issue a ransom demand in another form. A PC user who opens any of the encrypted files sees an automatic pop-up that directs them to VaultCrypt's website via the Tor Browser. That site hosts the Bitcoin-based ransom process, a 'sample' decryption service that restores up to four files, and a working chat interface.

Burying a Threat to Your Files

VaultCrypt takes several steps to make its encryption hard to reverse, yet paying its ransom carries no guarantee that the rest of your files will be decrypted. Because VaultCrypt bundles sDelete and uses it to wipe, rather than merely delete, the files that a standard System Restore or undelete utility could otherwise recover, malware researchers recommend backing up all critical data to a remote storage device. Cloud services and USB devices can then be used to restore your information after removing VaultCrypt.

When removing VaultCrypt, also take into account a secondary hazard presented by this file encryptor. Malware experts have identified at least one VaultCrypt component that collects passwords and other login data from the victim's Web browsers. Do not log into accounts from a VaultCrypt-infected PC, and treat any unauthorized access to your accounts as immediate justification for changing all potentially compromised credentials.

Technical Details

File System Modifications


The following files were created on the system. Every entry is a copy of VAULT.hta (MIME type unknown/hta, group: malware file); the detection data was recorded under two locations, which are listed here as A and B. Location B appeared in the records both as %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and as %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup; these are the same folder, since %APPDATA% expands to %SystemDrive%\Users\<username>\AppData\Roaming.

Location A: %APPDATA%\VAULT.hta
Location B: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta

Location  Size (bytes)  MD5                               Detection count  Last updated
A         4167          207f6a7cf5933e00b575c7243ebef2f1  194              November 14, 2021
A         4165          1cf60361078e1c2f1219d27c4b3e760c  185              May 4, 2021
A         4121          c7e7c1a8ebd606638b7e89dc0daef677  169              July 6, 2016
A         5004          a4e778c80f2fb7a12253070aaedceb1d  98               October 26, 2019
A         4169          c478ef858ae078f68520cd5493d52c78  86               April 28, 2017
A         14536         29754b1e157b7e2658fee20546f1385e  84               April 28, 2017
A         4289          50ce889104fb97f0ce64108e91a14dba  80               December 23, 2018
A         4296          f2ad12c745bb55e0a3600fe1b47eb72d  75               April 28, 2017
A         4163          99f8ac62c7e84cb5ea0e43004555b800  70               April 28, 2017
B         4998          10196fbf29c1dc6916633dc1ee71ed8d  70               April 28, 2017
B         5028          fc397b0266aec242714194bdf4938831  59               April 28, 2017
B         4097          520002e0fb095fea87c5c9e1bcaff90f  52               September 4, 2018
A         4167          9340624438179b75aeafee270259684b  52               April 28, 2017
B         4109          8d6277f6c65e31272c4af4058d68d986  42               June 26, 2020
B         4293          e1fb0534c3edd45eed7bf29e61110723  28               June 14, 2016
A         4173          7145e1cefed8cea6ded086dc888e95a5  28               April 28, 2017
A         4163          220c94d6f9537e00ed18ffa2609da9a9  28               April 28, 2017
B         5006          1a4912c6623aaf08ae00e19e839c2e6c  23               April 28, 2017
A         4165          d4b7e4b65820162201a4eb151ffc1287  21               April 28, 2017
B         4151          c0b1e17fea1244fa5d996aa7493c4957  21               April 28, 2017
B         4087          0bd2e3e16476704b5f1ebd7dfee21e2e  16               July 6, 2016
A         4169          0fd543248a2eea14e74f5a9c281fc8ee  14               April 28, 2017
A         4187          3f0f572625cc70b281491875242ab391  14               April 28, 2017
B         5028          86e51c7b49f33386712197164a65dac0  12               April 28, 2017


Registry Modifications

The following Registry values are newly produced (the hive is not recorded; both values sit under the Run autostart key):

HKEY..\Software\Microsoft\Windows\CurrentVersion\Run\vltexec
HKEY..\Software\Microsoft\Windows\CurrentVersion\Run\vltnotify
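An added host check for the persistence and dropped-file indicators above (example code written for this page, not VaultCrypt's own scripts or the page's own tooling): it flags the 'vltexec' and 'vltnotify' Run values and any Run entry that launches an .hta out of the roaming profile, looks for VAULT.hta in the two drop locations, and compares any copy found against the MD5 list above. Reading HKEY_CURRENT_USER is this example's assumption, chosen because the dropped files live in the per-user %APPDATA% tree; the page itself records the hive only as HKEY... The sample Run values, including the command behind 'vltexec', are constructed for offline testing and are not from a real infection.

```python
"""Persistence and dropped-file check for VaultCrypt indicators.

Added example, not code from the page or from VaultCrypt. Works offline on
values exported from another host (check_run_values / check_hta_bytes) and
live on a Windows host (scan_live_host), where it reads HKEY_CURRENT_USER;
that hive is an assumption, the page records only 'HKEY..'.
"""
import hashlib
import os
import re

try:
    import winreg                # Windows only; the offline helpers do not need it
except ImportError:
    winreg = None

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
VAULT_RUN_VALUES = {"vltexec", "vltnotify"}

# Drop locations from the file list above (the Startup folder under %APPDATA%).
HTA_DROP_PATHS = [
    r"%APPDATA%\VAULT.hta",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta",
]

# MD5s of the VAULT.hta variants, copied from the file list above.
KNOWN_VAULT_HTA_MD5 = {
    "207f6a7cf5933e00b575c7243ebef2f1", "1cf60361078e1c2f1219d27c4b3e760c",
    "c7e7c1a8ebd606638b7e89dc0daef677", "a4e778c80f2fb7a12253070aaedceb1d",
    "c478ef858ae078f68520cd5493d52c78", "29754b1e157b7e2658fee20546f1385e",
    "50ce889104fb97f0ce64108e91a14dba", "f2ad12c745bb55e0a3600fe1b47eb72d",
    "99f8ac62c7e84cb5ea0e43004555b800", "10196fbf29c1dc6916633dc1ee71ed8d",
    "fc397b0266aec242714194bdf4938831", "520002e0fb095fea87c5c9e1bcaff90f",
    "9340624438179b75aeafee270259684b", "8d6277f6c65e31272c4af4058d68d986",
    "e1fb0534c3edd45eed7bf29e61110723", "7145e1cefed8cea6ded086dc888e95a5",
    "220c94d6f9537e00ed18ffa2609da9a9", "1a4912c6623aaf08ae00e19e839c2e6c",
    "d4b7e4b65820162201a4eb151ffc1287", "c0b1e17fea1244fa5d996aa7493c4957",
    "0bd2e3e16476704b5f1ebd7dfee21e2e", "0fd543248a2eea14e74f5a9c281fc8ee",
    "3f0f572625cc70b281491875242ab391", "86e51c7b49f33386712197164a65dac0",
}

# An .hta launched from the roaming profile, which is where VAULT.hta is dropped.
HTA_FROM_APPDATA = re.compile(r"(%APPDATA%|\\AppData\\Roaming\\).*\.hta\b", re.I)


def check_run_values(values: dict) -> list:
    """values maps Run value name -> command line (from the registry or a .reg
    export). Returns the entries that match a VaultCrypt indicator."""
    hits = []
    for name, cmd in values.items():
        if name.lower() in VAULT_RUN_VALUES:
            reason = "known VaultCrypt Run value name"
        elif HTA_FROM_APPDATA.search(cmd):
            reason = "HTA launched from the roaming profile"
        else:
            continue
        hits.append({"name": name, "command": cmd, "reason": reason})
    return hits


def check_hta_bytes(data: bytes) -> dict:
    """Hash a candidate VAULT.hta and say whether it is a listed variant."""
    digest = hashlib.md5(data).hexdigest()
    return {"md5": digest, "known_variant": digest in KNOWN_VAULT_HTA_MD5}


def read_run_values_live() -> dict:
    """Enumerate HKCU Run values on a Windows host; empty elsewhere."""
    if winreg is None:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:              # raised once the values are exhausted
                break
            values[name] = str(data)
            i += 1
    return values


def scan_live_host() -> dict:
    """Combine the Run-key check and the drop-path check on this machine."""
    report = {"run_hits": check_run_values(read_run_values_live()), "hta": []}
    for p in HTA_DROP_PATHS:
        path = os.path.expandvars(p)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                report["hta"].append({"path": path, **check_hta_bytes(fh.read())})
    return report


# Constructed Run values for offline testing (not from a real infection).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "vltexec": r"C:\Users\alice\AppData\Roaming\placeholder.cmd",
    "Updater": r'mshta.exe "C:\Users\alice\AppData\Roaming\VAULT.hta"',
}

if __name__ == "__main__":
    print(check_run_values(SAMPLE_RUN_VALUES))
    print(scan_live_host())
```

A copy of VAULT.hta whose MD5 is not in the list is not cleared by this check; the list above is a snapshot of recorded variants, so treat any .hta in those drop locations as suspect and hash it for your own records before removal.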