Sunday 20 December 2015

VaultCrypt: From Russia with Love

During the last several months the Ukrainian Cyberpolice recorded many VaultCrypt incidents all over the country, so we decided to shed some light on the issue. VaultCrypt is a cryptolocker that uses a scheme similar to TeslaCrypt's, relying on Tor and Bitcoin for the ransom payment, but it is simpler in implementation.

We analyzed the CryptVault ransomware encryption scheme to find out whether encrypted files can be recovered, and found interesting details about the payload and the origin of this cryptolocker.

The cryptolocker’s files are downloaded from the

The domain, registered with REG.RU, has already been taken down by the Cyberpolice.

The files are saved to the %temp% folder as follows:

  • %temp%\style.css - the GPG tool used to encrypt files
  • %temp%\doc_92f0.doc - a DOC file, where we did not find any malicious code inside
  • %temp%\vb17330200.bat - a batch file that contains the code of cryptolocker (MD5: 87c6023bf8922d84927247c15621a02e)

The cryptolocker code in the BAT file:

It renames the GPG tool "%temp%\style.css" to "%temp%\9a17b239.exe" and executes it to generate a key pair:
  • pubring.gpg
  • secring.gpg

The public key “pubring.gpg” is used to encrypt the files on the victim’s computer. It is generated anew for every session.

An example of the command that encrypts a file:

"%TeMp%\9a17b239.exe" -r Cellar --yes -q --no-verbose --trust-model always --encrypt-files "excel.xls"& move /y "excel.xls.gpg" "excel.xls"& rename "excel.xls" "excel.xls.vault"

The encrypted files have extension “.vault”.
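Because each ".vault" file is ordinary GPG output, its first packet is an OpenPGP public-key encrypted session key packet carrying the 8-byte ID of the key that encrypted it. The following triage helper is an added example (not code from the original post or from the malware) that parses that packet so a responder can tie each encrypted file to a generated key; the sample bytes are constructed, not a real capture.

```python
"""Triage helper for GPG-encrypted ".vault" files (added example).
A file encrypted by the batch script is an ordinary OpenPGP message, so its
first packet is a Public-Key Encrypted Session Key packet (RFC 4880, tag 1)
that carries the 8-byte ID of the per-victim key. Reading that ID lets a
responder tie each .vault file to a key without possessing the key."""
import struct

PK_ALGOS = {1: "RSA", 2: "RSA-encrypt-only", 16: "ElGamal", 18: "ECDH"}


def parse_packet_header(data: bytes):
    """Return (tag, body_offset, body_length) of the first OpenPGP packet."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224:
            return tag, 3, ((o1 - 192) << 8) + data[2] + 192
        if o1 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length not supported")


def session_key_info(data: bytes):
    """Return (key_id_hex, algorithm_name) from the leading PKESK packet."""
    tag, off, length = parse_packet_header(data)
    if tag != 1:
        raise ValueError(f"expected PKESK (tag 1), got tag {tag}")
    body = data[off:off + length]
    if body[0] != 3:
        raise ValueError(f"unsupported PKESK version {body[0]}")
    return body[1:9].hex().upper(), PK_ALGOS.get(body[9], f"algo {body[9]}")


# Constructed sample, not a real capture: old-format tag-1 header with a
# two-byte length, version 3, key ID 0011223344556677, RSA, one short MPI.
_body = b"\x03" + bytes.fromhex("0011223344556677") + b"\x01" + b"\x00\x10\xab\xcd"
SAMPLE_VAULT_FILE = b"\x85" + struct.pack(">H", len(_body)) + _body
```

Running `session_key_info` over the first bytes of every .vault file on a host shows whether they were all encrypted with one per-session key, which is the key the attacker holds in the encrypted VAULT.KEY.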
It exports the secret key “secring.gpg” to the configuration file:
"%temp%\9a17b239.exe" -r Cellar --export-secret-keys --yes --homedir "%temp%" -a > "%temp%\0de1234e.05b90833

It also adds information about the infected system and the number of encrypted files to that file. This number determines the ransom amount: the more files were encrypted, the higher the price of the key.

Then the ransomware encrypts the configuration file using the public key stored in the Trojan’s body:

After that it saves the configuration file containing the secret key used to encrypt the files under the name “VAULT.KEY”. The victim must upload this file to the decryption service on the Tor network; it is decrypted with the attacker’s private key, and the decryption key or tool becomes available once the ransom is paid.

Once encryption is complete, the generated key files are overwritten with static junk data and deleted. To wipe the deleted data from disk, CryptVault uses the Cipher.exe tool, making it impossible to recover the deleted files and extract the encryption key. See:

Then it executes an .hta file that shows an HTML page with instructions in Russian on how to decrypt the files.

The decryption service interface in Tor looks as follows:

In our case 41 files were encrypted and the ransom demanded is $49 in BTC. After four days the price increases to $60.

The service has a technical support page where you can ask the attacker questions. Support hours are Mon-Fri 8:00-23:30 and Sat-Sun 9:00-22:00 Moscow time.

As in the TeslaCrypt case, you can decrypt four files for free to test the service.

Once the ransom is paid, you can download the decryption key or decryption tool:

Once again we see that the combination of the Tor network and Bitcoin makes the attackers untraceable, and that asymmetric cryptography combined with a file shredder leaves victims of this type of attack no option other than paying the ransom. The detection ratio of 15/55 on VirusTotal shows that not all antivirus products are equally good.
