VaultCrypt Ransomware Hides Its Traces While Stealing Web Credentials

By on

Since the beginning of the year we have seen a spike in ransomware including the emergence of new ransomware families. One family that has recently resurfaced is Vaultcrypt. This variant both tidies up after itself and steals web page login data.

Infection vector

The malware arrives on a victim’s machine through a spam email containing an attachment, as shown in this Russian example:


The attachment is a zip file containing a malicious JavaScript file. The script file may look like this:


The JavaScript contains strings such as “checked and scanned by Avast antivirus” to reassure users and appear legitimate. When a user executes the JavaScript file, it downloads a malicious .bat file along with some other files stored in %temp%. After successfully downloading the files, the JavaScript executes the batch file, which renames the downloaded files as shown:


The malware installs the tool GnuPG (GNU Private Guard), an open-source encryption utility. GnuPG generates an RSA-1024 public and private key pair to encrypt files with the following extensions:

  • .cd
  • .mdb
  • .1cd
  • .dbf
  • .sqlite
  • .jpg
  • .zip
  • .7z
  • .psd
  • .dwg
  • .cdr
  • .pdf
  • .rtf
  • .xls
  • .doc

This following screen shows the commands:


The malware does not encrypt files in the following folders:

  • windows
  • temp
  • recycle
  • program
  • appdata
  • avatar
  • roaming
  • msoffice
  • McAfee

This screen illustrates:


After successfully encrypting the files, the malware drops a .txt file onto the user’s desktop. The .txt file contains instructions, in Russian, on how to pay the ransom and decrypt the files.


The malware also executes an HTML application (.hta) containing the instructions for the user to pay the ransom:


After completing the encryption process, the malware deletes itself and all other files that were used for encryption with the Microsoft Sysinternals tool SDelete, which overwrites the deleted files or cleans the free space on a logical disk, thus making it difficult to recover those files. The following image illustrates this:

Vault.Key -p 16

As we see in the preceding image, the malware uses the switch “–p 16,” which causes 16 overwrite passes. With these repeated overwrites, it is nearly impossible to recover those deleted files using recovery tools. The following image shows the files the tool deletes.


Meanwhile, the malware downloads the Browser Password Dump tool, from SecurityXploded, from its control server. This tool extracts the victim’s stored login credentials from most web browsers. The malware uploads the stolen user credentials to its control server.

Here’s a look at the traffic:

Vault.Key TCP stream

McAfee products detect the batch file as BAT/CrypVault and the JavaScript file as JS/CrypVaultDown with DAT Version 7765 and later.

Leave a Comment

Similar articles

The risk to your family's healthcare data often begins with that piece of paper on a clipboard your physician or hospital asks you to fill out or in the online application for healthcare you completed. That data gets transferred into a computer where a patient Electronic Health Record (EHR) is created or added to. From ...
Read Blog
While biometric tools like facial ID and fingerprints have become more common when it comes to securing our data and devices, strong passwords still play an essential part in safeguarding our digital lives. This can be frustrating at times, since many of us have more accounts and passwords than we can possibly remember. This can ...
Read Blog
If you own a Mac or PC, odds are you’ve used your laptop’s Thunderbolt port to connect another device to your machine. Thunderbolt ports are convenient for charging other devices using your laptop or desktop’s battery power. However, a new flaw called Thunderclap allows attackers to steal sensitive information such as passwords, encryption keys, financial ...
Read Blog