.Vault File Extension Malware

Colloquially referred to as Vault File Extension Ransomware and detected by security company Trend Micro as BAT_CRYPVAULT.A, VaultCrypt is a new type of crypto ransomware which has been plaguing Russian Internet users since the first months of this year. Recently, in an obvious effort to expand their cybercriminal operations to a broader, more profitable international market, the threat actors have launched (for now limited) campaigns targeting potential victims across the globe.

Propagation Vector

Vault File Extension Ransomware is distributed as an attachment to spam e-mails designed to mislead users into believing they were sent by a reputable financial institution (it is not yet known whether a specific botnet has been employed to conduct the campaigns). The file attached to the messages is a malicious JavaScript which, upon execution, downloads a few additional items from the hackers’ Command and Control (C&C) server: the VaultCrypt batch file, Microsoft SDelete and GnuPG.

Since VaultCrypt’s operators evidently plan to spread the malware as widely as possible, the implementation of more propagation methods is expected. Considering their huge infection success rates, drive-by downloads and malvertising are the techniques which the hackers are most likely to employ in their forthcoming illicit endeavors.

What Exactly Does Vault File Extension Ransomware Do?

File Encryption

After downloading all components from its Command and Control server, the JavaScript executes the batch file, which in turn installs the GNU Privacy Guard (GnuPG) encryption tool. Using the utility, the malware then creates a pair of RSA-1024 keys, a public and a private one, with which it begins to encipher various files such as .xls, .doc, .psd, .pdf, .jpg, .zip, etc., adding the vault file extension to their names upon completion. It is curious to note that, in order to avoid system failure, VaultCrypt deliberately doesn’t modify files held in important Windows folders such as windows, temp, appdata, roaming, intel, etc. After the procedure is finished, the private decryption key, which is the only way to restore access to the locked data, is stored in a vaultkey.vlt file together with additional information used to identify the victim. As a last measure to prevent decryption without payment, vaultkey.vlt is encrypted with a master public key (universal for all affected users) and recorded as VAULT.KEY.

Ransom Notes

Vault File Extension Ransomware associates each encrypted file with an error dialog which appears whenever the file is opened and asks users to visit a Dark Net website in order to purchase their decryption key. Detailed instructions on how to install the Tor browser, upload VAULT.KEY as verification, pay the ransom fee and regain access to the locked data are included in a .txt file stored on the desktop and in an HTML page which is displayed immediately.

The “Customer Friendly” Cybercriminals

Interestingly, the creators of Vault File Extension Ransomware seem to have adopted an alternative approach toward their victims. Unlike other ransomware actors, who rely strictly on threats as a means of scaring users into paying, the cybercriminals behind VaultCrypt offer their twisted version of Customer Care, providing an elaborate website with online support via live chat, a FAQ section and the option to decipher four locked files for free as a sample. Curiously, since the ransom note implies that the decryption fee is not final, live chat may also have been implemented in order to negotiate the ransom amount with victims, thus enticing with a “discount” less solvent users who would otherwise give up on saving their encrypted data.

What Makes Vault File Extension Ransomware Dangerous

Secure Encryption, Traces Deletion, Financial Damage

What makes Vault File Extension Ransomware especially dangerous is that once your files have been locked by it, the process can feasibly only be reversed if you pay the demanded ransom fee, which automatically means financial damage. Unfortunately, the type of secure encryption that the malware uses cannot be effectively broken. Moreover, the malicious program employs the Microsoft SDelete tool to delete vaultkey.vlt and other malware components and encryption traces, overwriting them sixteen times, which makes them extremely difficult to restore even with the most advanced data recovery utilities. Additionally, to prevent users from retrieving their files with the help of the Windows Volume Shadow Copy Service, VaultCrypt deletes any existing Shadow Volume copies.
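A defender-side sketch of the behaviour chain described above and under File Encryption (a script host launching a batch file, GnuPG key generation, a multi-pass SDelete wipe and shadow copy deletion), added here as an example and not taken from the original article or from any vendor's detection. The process-creation records, host names, regex patterns and the threshold of three behaviours are constructed assumptions; real telemetry fields will differ.

```python
import re
from collections import defaultdict

# One rule per behaviour the article describes; the patterns are assumptions
# made for this example and are matched against "parent | command line".
RULES = {
    "script_runs_batch": re.compile(r"^(wscript|cscript)\.exe \| .*\.(bat|cmd)\b", re.I),
    "gpg_key_generation": re.compile(r"\bgpg2?(\.exe)?\s.*--(full-|quick-)?gen(erate)?-key\b", re.I),
    "multi_pass_wipe": re.compile(r"\bsdelete(64)?(\.exe)?\s.*?[-/]p\s+(?P<passes>\d+)", re.I),
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}

# Constructed sample telemetry (host, parent image, command line); not real captures.
SAMPLE_EVENTS = [
    ("WS-014", "wscript.exe", r"cmd.exe /c C:\Users\a\AppData\Local\Temp\run.bat"),
    ("WS-014", "cmd.exe", "gpg.exe --batch --gen-key params.txt"),
    ("WS-014", "cmd.exe", "sdelete.exe -p 16 vaultkey.vlt"),
    ("WS-014", "cmd.exe", "vssadmin delete shadows /all /quiet"),
    ("WS-022", "explorer.exe", "gpg.exe --gen-key"),   # developer making a key
    ("WS-022", "cmd.exe", "sdelete -p 1 old.log"),     # single-pass admin wipe
]

def behaviours(parent, cmdline):
    """Return the set of rule names that one process-creation record matches."""
    line = f"{parent} | {cmdline}"
    hits = set()
    for name, rx in RULES.items():
        m = rx.search(line)
        if not m:
            continue
        # A single overwrite pass is routine; only multi-pass wipes count.
        if name == "multi_pass_wipe" and int(m.group("passes")) < 2:
            continue
        hits.add(name)
    return hits

def triage(events, threshold=3):
    """Flag hosts showing at least `threshold` distinct behaviours from the chain."""
    seen = defaultdict(set)
    for host, parent, cmdline in events:
        seen[host] |= behaviours(parent, cmdline)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}

if __name__ == "__main__":
    for host, found in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(found))
```

Each behaviour on its own is ordinary administration, which is why the sketch scores the combination per host instead of alerting on any single command.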

The Risks Of The Dark Net

It is also hugely important to note that the Vault File Extension Ransomware endangers you in an unpredictable variety of ways merely by forcing you into the Dark Net (since its Command and Control server and its website are kept outside the surface Net in order to evade law enforcement agencies’ attempts to seize them). Even for advanced, computer-savvy users, delving into the deepest parts of the Internet is a severely risky enterprise which may cause hardware, software, privacy and monetary damage.

Login Credentials Theft

Furthermore, as an additional means of potentially gaining profit (or a back-up one, in case users refuse to pay the ransom fee), the malware downloads SecurityXploded’s Browser Password Dump tool. Using the utility, Vault File Extension Ransomware gathers, records and sends to its C&C server the login credentials which are saved in victims’ browsers. As a result, affected users’ social media profiles, online payment accounts (PayPal for example) or Internet banking services may be compromised and misused.

File Recovery, Malware Removal, Prevention

How To Recover Data With Vault File Extension

Unfortunately, for now the only way to decrypt files locked by Vault File Extension Ransomware is by paying the ransom fee and hoping the cybercriminals will at least show the integrity to provide you with the decryption key in return. Trying to reconstruct it (vaultkey.vlt) using data recovery tools is not likely to prove successful, considering it has been securely deleted and overwritten with SDelete sixteen times. If you have the habit of regularly creating system back-ups on removable drives, you can restore your files and settings from a DVD, flash memory stick or some other device. You may also attempt to recover your data from Shadow Volume copies in case the malware has somehow failed to delete them (which is highly improbable). Needless to say, we are obliged to vehemently advise you against complying with extortion demands, as this would further encourage cybercriminals to continue their illicit activities. Nevertheless, if the encrypted files are in some way irreplaceably vital for you or your business, paying the ransom fee may turn out to be your last resort to save them.

Malware Removal

Since Vault File Extension Ransomware automatically deletes its files as a safety measure, you don’t really have much to remove after the malware has succeeded in encrypting your data. You can of course manually delete the ransom note .txt and the corresponding HTML page, and run a reliable AV tool just to make sure there are no unwanted remnants. If you have entered the Dark Net to retrieve your decryption key or simply to inspect the information on VaultCrypt’s Tor website, it is imperative to execute a full system scan using a reputable antivirus program, since the Deep Web is swarming with all types of malicious software such as Exploit Kits, Trojan Horses, Key Loggers, etc.


Prevention

So far, Vault File Extension Ransomware has been distributed via spam e-mails. Therefore you should behave responsibly while on the Internet, treating unsolicited and suspiciously worded messages with increased caution. As the malware creators are expected to begin employing additional means of propagation, you should also watch out for drive-by downloads and misleading advertisements. Furthermore, you should always keep all your software (including Windows) up to date. Finally, it is highly recommended to acquire and constantly use a trustworthy antivirus program, as security software has proven to be the most effective method of ensuring the safety of computer systems and digitally stored data.
