VaultCrypt Ransomware Hides Its Traces While Stealing Web Credentials

Since the beginning of the year we have seen a spike in ransomware including the emergence of new ransomware families. One family that has recently resurfaced is Vaultcrypt. This variant both tidies up after itself and steals web page login data.

Infection vector

The malware arrives on a victim’s machine through a spam email containing an attachment, as shown in this Russian example:


The attachment is a zip file containing a malicious JavaScript file. The script file may look like this:


The JavaScript contains strings such as “checked and scanned by Avast antivirus” to reassure users and appear legitimate. When a user executes the JavaScript file, it downloads a malicious .bat file along with some other files stored in %temp%. After successfully downloading the files, the JavaScript executes the batch file, which renames the downloaded files as shown:


The malware installs the tool GnuPG (GNU Private Guard), an open-source encryption utility. GnuPG generates an RSA-1024 public and private key pair to encrypt files with the following extensions:

  • .cd
  • .mdb
  • .1cd
  • .dbf
  • .sqlite
  • .jpg
  • .zip
  • .7z
  • .psd
  • .dwg
  • .cdr
  • .pdf
  • .rtf
  • .xls
  • .doc

This following screen shows the commands:


The malware does not encrypt files in the following folders:

  • windows
  • temp
  • recycle
  • program
  • appdata
  • avatar
  • roaming
  • msoffice
  • McAfee

This screen illustrates:


After successfully encrypting the files, the malware drops a .txt file onto the user’s desktop. The .txt file contains instructions, in Russian, on how to pay the ransom and decrypt the files.


The malware also executes an HTML application (.hta) containing the instructions for the user to pay the ransom:


After completing the encryption process, the malware deletes itself and all other files that were used for encryption with the Microsoft Sysinternals tool SDelete, which overwrites the deleted files or cleans the free space on a logical disk, thus making it difficult to recover those files. The following image illustrates this:

Vault.Key -p 16

As we see in the preceding image, the malware uses the switch “–p 16,” which causes 16 overwrite passes. With these repeated overwrites, it is nearly impossible to recover those deleted files using recovery tools. The following image shows the files the tool deletes.


Meanwhile, the malware downloads the Browser Password Dump tool, from SecurityXploded, from its control server. This tool extracts the victim’s stored login credentials from most web browsers. The malware uploads the stolen user credentials to its control server.

Here’s a look at the traffic:

Vault.Key TCP stream

McAfee products detect the batch file as BAT/CrypVault and the JavaScript file as JS/CrypVaultDown with DAT Version 7765 and later.

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from McAfee Labs

Back to top