Since the beginning of the year we have seen a spike in ransomware including the emergence of new ransomware families. One family that has recently resurfaced is Vaultcrypt. This variant both tidies up after itself and steals web page login data.
The malware arrives on a victim’s machine through a spam email containing an attachment, as shown in this Russian example:
The malware installs the tool GnuPG (GNU Private Guard), an open-source encryption utility. GnuPG generates an RSA-1024 public and private key pair to encrypt files with the following extensions:
This following screen shows the commands:
The malware does not encrypt files in the following folders:
This screen illustrates:
After successfully encrypting the files, the malware drops a .txt file onto the user’s desktop. The .txt file contains instructions, in Russian, on how to pay the ransom and decrypt the files.
The malware also executes an HTML application (.hta) containing the instructions for the user to pay the ransom:
After completing the encryption process, the malware deletes itself and all other files that were used for encryption with the Microsoft Sysinternals tool SDelete, which overwrites the deleted files or cleans the free space on a logical disk, thus making it difficult to recover those files. The following image illustrates this:
As we see in the preceding image, the malware uses the switch “–p 16,” which causes 16 overwrite passes. With these repeated overwrites, it is nearly impossible to recover those deleted files using recovery tools. The following image shows the files the tool deletes.
Meanwhile, the malware downloads the Browser Password Dump tool, from SecurityXploded, from its control server. This tool extracts the victim’s stored login credentials from most web browsers. The malware uploads the stolen user credentials to its control server.
Here’s a look at the traffic: