VaultCrypt Ransomware Hides Its Traces While Stealing Web Credentials


Since the beginning of the year we have seen a spike in ransomware, including the emergence of new ransomware families. One family that has recently resurfaced is VaultCrypt. This variant both tidies up after itself and steals web page login data.

Infection vector

The malware arrives on a victim’s machine through a spam email containing an attachment, as shown in this Russian example:

[Image 1: Russian spam email with attachment]

The attachment is a zip file containing a malicious JavaScript file. The script file may look like this:

[Image 2: the malicious JavaScript file]

The JavaScript contains strings such as “checked and scanned by Avast antivirus” to reassure users and appear legitimate. When a user executes the JavaScript file, it downloads a malicious .bat file along with some other files, storing them in %temp%. After successfully downloading the files, the JavaScript executes the batch file, which renames the downloaded files as shown:

[Image 3: the batch file renaming the downloaded files]

The malware installs the tool GnuPG (GNU Privacy Guard), an open-source encryption utility. GnuPG generates an RSA-1024 public and private key pair, which is used to encrypt files with the following extensions:

  • .cd
  • .mdb
  • .1cd
  • .dbf
  • .sqlite
  • .jpg
  • .zip
  • .7z
  • .psd
  • .dwg
  • .cdr
  • .pdf
  • .rtf
  • .xls
  • .doc

The following screen shows the commands:

[Image 4: the encryption commands]

The malware does not encrypt files in the following folders:

  • windows
  • temp
  • recycle
  • program
  • appdata
  • avatar
  • roaming
  • msoffice
  • McAfee

This screen illustrates the excluded folders:

[Image 5: the folder exclusions]

After successfully encrypting the files, the malware drops a .txt file onto the user’s desktop. The .txt file contains instructions, in Russian, on how to pay the ransom and decrypt the files.

[Image 6: the ransom note dropped on the desktop]

The malware also executes an HTML application (.hta) containing the instructions for the user to pay the ransom:

[Image 7: the .hta ransom instructions]

After completing the encryption process, the malware deletes itself and all other files used for encryption with the Microsoft Sysinternals tool SDelete, which overwrites the deleted files and cleans the free space on a logical disk, making those files difficult to recover. The following image illustrates this:

[Image: Vault.Key -p 16]

As we see in the preceding image, the malware uses the switch “-p 16,” which causes 16 overwrite passes. With these repeated overwrites, it is nearly impossible to recover the deleted files using recovery tools. The following image shows the files the tool deletes.

[Image 8: the files deleted with SDelete]

Meanwhile, the malware downloads the Browser Password Dump tool from SecurityXploded via its control server. This tool extracts the victim’s stored login credentials from most web browsers. The malware then uploads the stolen credentials to its control server.

Here’s a look at the traffic:

[Image: Vault.Key TCP stream]

McAfee products detect the batch file as BAT/CrypVault and the JavaScript file as JS/CrypVaultDown with DAT Version 7765 and later.
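As an added host-side complement to the signature detection above (example code written for this post, not McAfee's own): a small Python rule set that scores constructed Sysmon-style process-creation events for the stages described here, a script host running a %temp% batch file, GnuPG key generation from a renamed binary in %temp%, and a multi-pass SDelete wipe, and alerts only when two or more stages appear on one host. The event field names, sample paths and the two-stage threshold are assumptions.

```python
import re

# Constructed sample process-creation events (not from the article): parent image,
# child image and child command line, roughly as a Sysmon-style sensor would log them.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\update.bat"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\svchost.exe",  # renamed gpg.exe
     "cmdline": "svchost.exe --batch --gen-key keyparams.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\sdelete.exe",
     "cmdline": "sdelete.exe -p 16 Vault.Key"},
    {"parent": r"C:\Windows\explorer.exe",  # legitimate GnuPG use, must not fire
     "image": r"C:\Program Files\GnuPG\bin\gpg.exe",
     "cmdline": "gpg.exe --encrypt --recipient alice report.pdf"},
]

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.IGNORECASE)
PASSES_SWITCH = re.compile(r"(?<!\S)-p\s+(\d+)(?!\S)")  # SDelete's -p <passes>

def script_host_runs_temp_batch(ev):
    # Stage 1: wscript/cscript launches a .bat that lives under %temp%.
    return bool(SCRIPT_HOST.search(ev["parent"])
                and re.search(r"\.bat(?!\S)", ev["cmdline"], re.IGNORECASE)
                and TEMP_DIR.search(ev["cmdline"]))

def keygen_from_temp(ev):
    # Stage 2: GnuPG key generation by a binary in %temp%; keying on the argument
    # rather than the image name survives the renaming step the batch file performs.
    return "--gen-key" in ev["cmdline"] and bool(TEMP_DIR.search(ev["image"]))

def multipass_wipe_from_temp(ev):
    # Stage 3: a %temp% binary run with SDelete's -p <passes> switch (passes > 1).
    m = PASSES_SWITCH.search(ev["cmdline"])
    return m is not None and int(m.group(1)) > 1 and bool(TEMP_DIR.search(ev["image"]))

RULES = {f.__name__: f for f in
         (script_host_runs_temp_batch, keygen_from_temp, multipass_wipe_from_temp)}

def matched_rules(events):
    # Names of the stages observed across one host's events.
    return {name for ev in events for name, rule in RULES.items() if rule(ev)}

def is_vaultcrypt_like(events, min_stages=2):
    # Alert only when two or more stages appear on the same host, so a lone
    # legitimate gpg or sdelete invocation does not raise an alert on its own.
    return len(matched_rules(events)) >= min_stages
```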
