VaultCrypt
Posted: March 18, 2015
Threat Metric
The fields shown on the Threat Meter are explained below:
Threat Level: A scale from 1 (lowest severity) to 10 (highest severity). Each level is assigned from the threat's consistently observed behaviors as scored by SpyHunter's risk assessment model.
Detection Count: The cumulative number of confirmed and suspected cases of this threat, calculated from infected PCs reported in SpyHunter diagnostic and scan logs.
Volume Count: Like the detection count, but measured per day: the number of confirmed and suspected infections seen daily. A high volume count usually indicates an actively spreading threat, which may or may not have infected many systems in total; conversely, a threat with a high detection count can lie dormant and show a low volume count.
Trend Path: An up arrow, down arrow or equals sign showing the threat's recent movement: an increase, a decline, or no change.
% Impact (Last 7 Days): The change over the last seven days in how often the threat is found infecting PCs. Its sign matches the direction of the current Trend Path.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 2,225 |
| First Seen: | March 20, 2015 |
| Last Seen: | May 2, 2022 |
| OS(es) Affected: | Windows |
VaultCrypt is a file-encrypting Trojan that uses a combination of Visual Basic scripts, batch files and third-party freeware to encrypt your files, rendering them unusable until you pay a ransom in Bitcoin to its operators. Previously distributed to Russian PC users, VaultCrypt is now making headway in Canada and other English-speaking regions, although much of its well-developed infrastructure is still in a transitional state. Despite the inherent difficulty of recovering files encrypted by this threat, malware experts do not recommend paying the ransom, particularly since a reliable file backup routine makes its attacks irrelevant.
The Vault Where Your Files go to Die
VaultCrypt shows how an advanced file-encrypting Trojan can be built without any custom or exotic tooling. Most of its components are VBS scripts launched via batch files, supplemented by legitimate third-party programs: sDelete (Secure Delete, a file-wiping utility) and GnuPG (a free encryption tool). Neither program is illicit or threatening by itself, but neither has any safeguard against being put to illegitimate use, as VaultCrypt demonstrates in its campaigns in Russia and, now, other countries.
VaultCrypt targets files of selected types and encrypts them with GnuPG, making them unreadable. Each encrypted file also has the '.vault' suffix appended to its name, so victims can recognize affected files at a glance. VaultCrypt's current configuration skips files in Windows-critical folders that, if encrypted, would damage the operating system. Files elsewhere, however, are readily affected; malware experts found the major types to include:
- Archives, such as .ZIP.
- Microsoft Office files, such as .XLS and .DOC.
- Adobe .PDF files.
- VoIP files, such as .CDR.
- JPEGs and other images.
VaultCrypt does not drop a ransom note as a TXT file, but it delivers its demand another way: opening any of the encrypted files triggers a pop-up directing the victim to VaultCrypt's website, reachable through the Tor Browser. That site hosts the Bitcoin ransom payment process, a 'sample' decryption service that restores up to four files, and a working chat interface.
Burying a Threat to Your Files
VaultCrypt takes several steps to make its encryption hard to reverse (its use of sDelete, a secure-deletion tool, means removed files cannot simply be undeleted), and paying the ransom carries no guarantee that the rest of your files will be decrypted. Because VaultCrypt deletes the data that a standard System Restore would use to roll back your files, malware researchers advise backing up all critical data to a remote storage device. Cloud services and USB drives can then be used to restore your information after VaultCrypt has been removed.
While removing VaultCrypt, also account for a secondary hazard this file encryptor presents: malware experts have identified at least one VaultCrypt component that collects passwords and other login data tied to the victim's Web-browsing activity. Do not log into accounts from a VaultCrypt-infected PC, and treat any unauthorized access to your accounts as immediate grounds for changing every credential that may have been exposed.
Technical Details
File System Modifications
The following files were created in the system:

file.exe
File name: file.exe
Size: 163.84 KB (163840 bytes)
MD5: 63c9f1c424b8eaf2334bfb0b8f86ff5e
Detection count: 49
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 17, 2016

vault.js
File name: vault.js
Size: 1.85 KB (1853 bytes)
MD5: 370eb368fc244ac3c9baf2cd0028f8e7
Detection count: 46
File type: JavaScript file
Mime Type: unknown/js
Group: Malware file
Last Updated: March 23, 2015

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta
File name: VAULT.hta
Size: 5 KB (5006 bytes)
MD5: 1a4912c6623aaf08ae00e19e839c2e6c
Detection count: 23
Mime Type: unknown/hta
Path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: April 28, 2017
Registry Modifications
HKEY..\..\..\..{RegistryKeys}Software\Microsoft\Windows\CurrentVersion\Run\vltexec
HKEY..\..\..\..{RegistryKeys}Software\Microsoft\Windows\CurrentVersion\Run\vltnotify
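The indicators above (the '.vault' suffix appended to encrypted files, the three file names with their MD5 hashes, and the vltexec/vltnotify Run values) are enough for a first-pass triage of a suspect machine. The following Python script is an added example, not code from the original page and not part of VaultCrypt itself: it walks a directory tree once, tallies '.vault' files by their original extension so you can see what was lost and must come from backup, hashes every other file against the page's MD5 list, and on Windows looks for the two Run values. The page does not say which hive the Run key lives under, so checking both HKCU and HKLM is an assumption made here; the victim tree the script builds for a dry run is constructed for illustration and contains no real sample.

```python
"""Offline VaultCrypt triage: added example, not code from the page or the malware.
Uses only the page's indicators; checking both HKCU and HKLM is an assumption."""
import hashlib
import os
import sys
import tempfile
from collections import Counter

# MD5 indicators copied from the page's File System Modifications list.
KNOWN_BAD_MD5 = {
    "63c9f1c424b8eaf2334bfb0b8f86ff5e": "file.exe",
    "370eb368fc244ac3c9baf2cd0028f8e7": "vault.js",
    "1a4912c6623aaf08ae00e19e839c2e6c": "VAULT.hta",
}
RUN_VALUE_NAMES = ("vltexec", "vltnotify")  # from Registry Modifications


def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large archives are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, known_bad=KNOWN_BAD_MD5):
    """Walk `root` once -> (Counter of original extensions of '.vault' files,
    'report.xls.vault' counting as '.xls'; [(path, md5, label)] for other files
    whose MD5 is in `known_bad`). A miss proves nothing: only exact samples hit."""
    encrypted_by_ext, hash_hits = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".vault"):
                ext = os.path.splitext(name[:-len(".vault")])[1].lower()
                encrypted_by_ext[ext or "(none)"] += 1
                continue  # encrypted blobs are victims, not the dropper
            try:
                digest = md5_of(path)
            except OSError:
                continue  # locked or unreadable: skip rather than abort
            if digest in known_bad:
                hash_hits.append((path, digest, known_bad[digest]))
    return encrypted_by_ext, hash_hits


def check_run_keys(value_names=RUN_VALUE_NAMES):
    """Windows only: {'HIVE\\value': command} for the listed Run values."""
    found = {}
    if sys.platform != "win32":
        return found  # winreg does not exist elsewhere
    import winreg
    run_key = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        for value_name in value_names:
            try:
                with winreg.OpenKey(hive, run_key) as key:
                    found[f"{hive_name}\\{value_name}"] = \
                        winreg.QueryValueEx(key, value_name)[0]
            except OSError:
                pass  # key or value absent in this hive
    return found


def build_constructed_sample(root):
    """Write a constructed (not real) tree under `root`; return the stand-in's MD5."""
    stand_in = b"constructed stand-in for the dropper, not a real sample"
    files = {
        "docs/report.xls.vault": b"\x85\x01 placeholder ciphertext",
        "docs/budget.xls.vault": b"\x85\x01 placeholder ciphertext",
        "photo.jpg.vault": b"\x85\x01 placeholder ciphertext",
        "backup.zip.vault": b"\x85\x01 placeholder ciphertext",
        "notes.txt": b"untouched plain text, hashed but not listed",
        "docs/dropper.bin": stand_in,
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return hashlib.md5(stand_in).hexdigest()


def dry_run():
    """Scan a constructed tree in a temp dir; returns (root, by_ext, hits)."""
    root = tempfile.mkdtemp(prefix="vault-demo-")
    return (root,) + scan_tree(root, {**KNOWN_BAD_MD5, build_constructed_sample(root): "stand-in"})


if __name__ == "__main__":  # python vault_triage.py [root]; no root = dry run
    root, by_ext, hits = (dry_run() if len(sys.argv) < 2
                          else (sys.argv[1],) + scan_tree(sys.argv[1]))
    print(f"{sum(by_ext.values())} '.vault' files under {root}: {dict(by_ext)}")
    for path, digest, label in hits:
        print(f"IOC match {label} ({digest}): {path}")
    for where, cmd in check_run_keys().items():
        print(f"persistence {where} -> {cmd}")
```

Run it against a user profile (or an offline-mounted disk image) rather than the whole system drive; the extension tally tells you which backups to pull, while a hash hit or a surviving Run value is a reason to image the machine before cleaning anything. Keep in mind that MD5 matching only catches the exact samples listed on this page, so an empty hit list does not rule the infection out; the '.vault' files and the Startup-folder VAULT.hta are the more durable indicators.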