Free Code Used for Ransomware

Monday, March 23, 2015 @ 06:03 PM gHale

Nothing like free code. Even the bad guys use it to encrypt data on a victim’s computer and hold it for ransom.

Take the open source GnuPG privacy program as a case in point.

Cryptowall: New Version of Ransomware
IL Police Meet Ransomware Demands
DDoS Attack Costs on Rise
Security a Differentiator for Users

Operators of ransomware VaultCrypt started in Russia, but the malware is now in English-speaking parts of the world, giving trouble to system administrators.

The threat is not as complex as CryptoLocker or CryptoWall, but that doesn’t make it any less dangerous.

The fact a ransom alert will not display until one of the encrypted files launches might make it seem rudimentary, but it uses a strong 1024-bit RSA key pair for encryption and deletes the shadow copies of the files to prevent recovery.

The developers running VaultCrypt used interesting methods to achieve their goal, according to an analysis from Bleeping Computer.

It appears that apart from GnuPG, the malware relies on a suite of VBS scripts, all wrapped up in a large Windows batch file, and Microsoft’s sDelete application to remove the data used during the encryption process, and runs 16 overwrite routines.

VaultCrypt exports the decryption key in a “vaultkey.vlt” file, which also contains information about the infected computer used for personalizing the ransom page and to provide a percentage of the amount of data locked, according to the research.

The vault key then ends up encrypted with a master public key that works for all compromised systems. The resulting file ends up saved locally with the name “VAULT.KEY,” with the private decryption key remaining with the attackers at all times.

The main script powering the malware is publicly available online and Fabian Worsar, a researcher at Emsisoft, tracked it down on Pastebin.

It also appears that VaultCrypt downloads from a domain hidden in Tor anonymous network another malware with the name “ssl.exe,” whose purpose is to collect log-in credentials from websites visited by the victim.

The command and control (C&C) server is in Tor and access to it gets protection from a log-in window.

Registration is with a VAULT.KEY file, which needs uploading in order to receive a user ID and a password. This is the only way the user can find out the ransom amount (about 1 bitcoin) and how it can end up paid. The text is mostly in Russian, but some pages contain links to English instructions on Pastebin.

As is the case with most malware, the ransom increases, but it does not double, after a certain period of time. The bad guys will also offer the possibility to test the decryption process on four files.

Users impacted by VaultCrypt are not completely without hope, as the threat does not securely delete the encrypted data, leaving the door ajar for recovering the files using free software.

Leave a Reply

You must be logged in to post a comment.