| Field | Value |
|---|---|
| Encryption Type | GnuPG encryption tool, RSA-2048 |
| Short Description | This ransomware, called Vault Crypt, has been circulating in Russia since the end of February. Its notable elements are its use of Windows batch files and the open source GnuPG privacy software to drive a highly effective file encryption scheme. |
| Symptoms | The encrypted files become inaccessible; when a file is opened, a ransom note is displayed. |
| Distribution Method | Spam email |
This ransomware, called Vault Crypt, has been circulating in Russia since the end of February. Its notable elements are its use of Windows batch files and the open source GnuPG privacy software to drive a highly effective file encryption scheme. Add a modern, sophisticated payment site and you have a ransomware that is something to be worried about. At present the ransomware is not fully prepared for English-speaking countries, because of the substantial amount of Russian used in the ransom notes and on the Command and Control server. At the same time, English instructions are spread throughout the payment site, so more targeting of English speakers can be expected in the near future. The malware is also able to hide its traces while stealing web credentials from the victim.
Once loaded in memory, the malware encrypts the files on the victim's computer and changes their extension: encrypted files take the .vault extension, and their icon is replaced with a lock symbol. If the user tries to open an encrypted file, they are redirected to an onion domain address, which keeps the operators' activities anonymous. On visiting this website, the user is greeted with a login window. The website also offers customer support for interacting with the victim: instead of bombarding the user with warnings, the attackers implemented customer support to appear more trustworthy and to persuade the victim to pay the ransom. On this website, 4-5 encrypted files are decrypted and given to the victim as a sample.
The malware also takes a specific step to make sure the victim cannot recover the files unless the ransom is paid: it uses Microsoft's delete utility to completely erase the original files by overwriting them more than 16 times. This makes it one of the more formidable ransomware families compared to others.
The ransomware reaches the victim by spam mail. Once the victim clicks on the attachment, the ransomware begins its work; the attachment contains a JS file that runs as a background process.
The ransomware scans the PC and encrypts files with the following extensions on the victim's computer.
The encryption process can be seen in the figure. After encrypting the files, the ransomware drops a .txt file on the user's desktop containing instructions on how to pay the ransom, among other things.
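As an added example (not code from the original page or from the malware), the following detector checks constructed endpoint telemetry for the three stages described above: GnuPG launched from a script-host chain, a burst of renames to .vault, and a .txt note dropped on the Desktop afterwards. The event format, process names, paths and key identifier are assumptions.

```python
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # hosts for a JS mail attachment
VAULT_EXT = ".vault"
RENAME_BURST = 3  # .vault renames from one process before it is flagged
# Constructed (hypothetical) endpoint telemetry, not captured from a real case.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "outlook.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe invoice.js"},
    {"type": "process", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c stage.bat"},
    {"type": "process", "parent": "cmd.exe", "image": "gpg.exe",
     "cmdline": "gpg.exe --encrypt -r PLACEHOLDER_KEY a.docx"},
    {"type": "file_rename", "image": "cmd.exe",
     "old": "C:\\Users\\u\\Documents\\a.docx", "new": "C:\\Users\\u\\Documents\\a.docx.vault"},
    {"type": "file_rename", "image": "cmd.exe",
     "old": "C:\\Users\\u\\Documents\\b.xlsx", "new": "C:\\Users\\u\\Documents\\b.xlsx.vault"},
    {"type": "file_rename", "image": "cmd.exe",
     "old": "C:\\Users\\u\\Documents\\c.jpg", "new": "C:\\Users\\u\\Documents\\c.jpg.vault"},
    {"type": "file_create", "image": "cmd.exe", "path": "C:\\Users\\u\\Desktop\\NOTE.txt"},
]

def detect_vaultcrypt(events):
    """Return findings for the three stages the page describes, in the order seen."""
    findings = []
    parents = {}        # image -> parent image, learned from process events
    vault_renames = {}  # image -> count of renames to .vault
    for ev in events:
        if ev["type"] == "process":
            parents[ev["image"]] = ev["parent"]
            # Stage 1: GnuPG encrypting with a script host somewhere up the chain.
            if ev["image"] == "gpg.exe" and "--encrypt" in ev["cmdline"]:
                ancestor = ev["parent"]
                for _ in range(8):  # bounded walk up the recorded parent chain
                    if ancestor is None or ancestor in SCRIPT_HOSTS:
                        break
                    ancestor = parents.get(ancestor)
                if ancestor in SCRIPT_HOSTS:
                    findings.append("gpg.exe --encrypt launched under a script host")
        elif ev["type"] == "file_rename" and ev["new"].lower().endswith(VAULT_EXT):
            # Stage 2: originals renamed to the .vault extension.
            n = vault_renames[ev["image"]] = vault_renames.get(ev["image"], 0) + 1
            if n == RENAME_BURST:
                findings.append(f"{ev['image']} renamed {n} files to {VAULT_EXT}")
        elif ev["type"] == "file_create":
            # Stage 3: a .txt note on the Desktop from a process that renamed files.
            p = ev["path"].lower()
            if "\\desktop\\" in p and p.endswith(".txt") \
                    and vault_renames.get(ev["image"], 0) >= RENAME_BURST:
                findings.append("txt note dropped on Desktop after .vault renames")
    return findings
```

Run over real telemetry, the rename threshold and the parent-chain depth are the knobs to tune against false positives from legitimate GnuPG use.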