VaultCrypt ransomware offers fake customer support

Ransomware has been the preferred tool of cyber criminals for making quick money. A new variant known as VaultCrypt is in our midst, and it is quite different from other encrypting malware in appearance and behavior. Unlike other ransomware that directly demands payment to unlock your encrypted data, VaultCrypt turns the dishonesty levels up even higher by pretending to direct you to customer support. This malware has been circulating in Russia since late February, but now it is starting to spread to other parts of the world as well. Bleeping Computer, with the help of members of the Emsisoft team, has analysed this threat in detail.

Ransomware offers help and assurance to expedite payment

VaultCrypt gets its name from the file extension .vault. Once loaded in memory, the malware encrypts any files that it can find, changes their extension to .vault and replaces the icon with a lock symbol. When the user tries to access or open any such file, an alert pops up with an onion domain address which can only be accessed through a Tor browser. This ensures that the cyber criminals remain anonymous and their actions untraceable. On visiting the webpage, the user is greeted with a login window. After entering the information (found in a vaultkey.vlt file stored locally) and logging in, the user is presented with an overview showing statistics relating to the encrypted files and the required payment amount. The website even offers the ability to chat with the hackers for help. In order to convince the user that their data can be retrieved, the website decrypts 4 of the encrypted files for free.

It seems the cyber criminals have taken a different approach here. Instead of storming the user with threats and warnings, the hackers masquerade as customer support in order to appear more trustworthy.

The Vault: What goes in never comes out

To make sure that its task is complete, VaultCrypt uses Microsoft’s secure delete feature to completely erase the original files by overwriting them 16 times. This means they cannot be undeleted or restored with the help of file/data recovery programs.
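The indicators described above (files renamed to .vault and the locally stored vaultkey.vlt) are enough for a simple defender-side triage scan. The following is an added example, not code from the article or from Emsisoft; since the originals are securely wiped, it keys on the share of renamed files per directory and on the key file rather than on original/encrypted pairs, and the sample tree it builds is constructed for the demo.

```python
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".vault"    # extension VaultCrypt gives encrypted files (from the article)
KEY_FILE = "vaultkey.vlt"   # local file holding the victim's login data (from the article)

@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    key_files: list = field(default_factory=list)
    hot_directories: dict = field(default_factory=dict)  # directory -> share of .vault files

def scan_tree(root, min_ratio=0.5):
    """Walk `root` and collect VaultCrypt indicators. Originals are wiped by the
    malware, so we look at renamed files and the key file, not at file pairs."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        hits = 0
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() == KEY_FILE:
                result.key_files.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                hits += 1
                result.encrypted_files.append(path)
        # Most files in a directory carrying .vault points to bulk encryption; one stray file does not.
        if filenames and hits / len(filenames) >= min_ratio:
            result.hot_directories[dirpath] = hits / len(filenames)
    return result

def is_likely_infected(result):
    """Either indicator alone justifies an alert: the key file or a heavily renamed directory."""
    return bool(result.key_files) or bool(result.hot_directories)

def run_demo():
    """Constructed sample tree (hypothetical file names, not real victim data)."""
    with tempfile.TemporaryDirectory() as base:
        docs = Path(base) / "Documents"
        docs.mkdir()
        for name in ("report.vault", "budget.vault", "readme.txt"):
            (docs / name).write_bytes(b"constructed sample")
        (Path(base) / KEY_FILE).write_text("constructed sample")
        return scan_tree(base)
```

Call `run_demo()` to see the result on the constructed tree, or point `scan_tree()` at a real user profile directory and feed `is_likely_infected()` into your alerting.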

The greed of cyber criminals knows no bounds so to make things worse, VaultCrypt also downloads another malicious file from an onion domain which steals login data from websites visited by the user. Onion domains are known as the dark side of the web and are the birthplace of all illegal activity. Thus, the user is exposed to several other threats while trying to deal with this one.

The worst part is that it is unlikely you will be able to recover your data from VaultCrypt without paying the ransom. This is why, once again, we emphasize the need for regular backups and up-to-date protection. After all, it is better to be safe than sorry.

Have a nice (ransomware-free) day!