Russian Malware Doing the Rounds

A new ransomware known as VaultCrypt has been doing the rounds in its home country of Russia since the end of February. Its curious ransom note and sophisticated payment site have already made it newsworthy, and now it is starting to cross borders into English-speaking countries.

VaultCrypt gets its name from the way it operates. When files on infected machines are encrypted, they are appended with the ‘.vault’ extension and their icon is changed to a lock. Double-clicking on a .vault file triggers an alert stating that the file is “Stored in Vault”, and that you must go to a specific Tor address to get the key.

This unusual command separates VaultCrypt from other ransomware, which often displays a simple note demanding payment.

Victims of VaultCrypt must ‘register’ their infection with the command and control server at the listed address. This is done by uploading the VAULT.KEY file, which automatically generates a login ID and password.
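The two host-side artefacts the article names, the ‘.vault’ extension appended to encrypted files and the VAULT.KEY file that victims are told to upload, are what a defender would look for when triaging a suspected infection. The following is an added example (not code from the original article or from any vendor) of a simple triage check over file-event log lines: it flags a host when a VAULT.KEY file is written, or when many files gain the ‘.vault’ extension within a short window, which is the mass-rename pattern an encryption run leaves behind. The log format, host names and timestamps are constructed for the example; the thresholds are assumptions to tune for your own environment.

```python
# Added example: triage file-event logs for VaultCrypt-style indicators.
# Indicators come from the article ('.vault' extension, VAULT.KEY file);
# the log format, sample events and thresholds below are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

VAULT_EXT = ".vault"          # extension appended to encrypted files
VAULT_KEY_NAME = "VAULT.KEY"  # key file the victim is told to upload

# Constructed sample log. Assumed line format: "<ISO timestamp> <host> <action> <path>"
SAMPLE_LOG = """\
2015-03-10T09:00:01 ws-12 create C:\\Users\\alice\\report.docx
2015-03-10T09:15:00 ws-12 rename C:\\Users\\alice\\report.docx.vault
2015-03-10T09:15:01 ws-12 rename C:\\Users\\alice\\budget.xlsx.vault
2015-03-10T09:15:02 ws-12 rename C:\\Users\\alice\\photos\\holiday 2014.jpg.vault
2015-03-10T09:15:03 ws-12 rename C:\\Users\\alice\\notes.txt.vault
2015-03-10T09:15:04 ws-12 rename C:\\Users\\alice\\thesis.pdf.vault
2015-03-10T09:15:05 ws-12 rename C:\\Users\\alice\\contacts.csv.vault
2015-03-10T09:15:06 ws-12 create C:\\Users\\alice\\Documents\\VAULT.KEY
2015-03-10T10:02:11 ws-03 create C:\\Users\\bob\\Desktop\\VAULT.KEY
2015-03-10T11:00:00 ws-07 rename C:\\Temp\\old-backup.zip.vault
2015-03-10T11:05:00 ws-07 create C:\\Temp\\new-backup.zip
"""


def parse_line(line):
    """Split one log line into (timestamp, host, action, path); paths may contain spaces."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def parse_log(text):
    """Parse every non-empty line of a log blob."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Last path component, accepting either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(events, window=timedelta(seconds=30), threshold=5):
    """Return {host: sorted list of reasons} for hosts showing VaultCrypt indicators.

    A host is flagged if VAULT.KEY is written on it, or if at least `threshold`
    files gain the '.vault' extension within any `window`-long period (mass rename).
    """
    findings = defaultdict(set)
    vault_times = defaultdict(list)

    for ts, host, _action, path in events:
        name = basename(path)
        if name.upper() == VAULT_KEY_NAME:
            findings[host].add(f"{VAULT_KEY_NAME} written at {ts.isoformat()}")
        if name.lower().endswith(VAULT_EXT):
            vault_times[host].append(ts)

    # Sliding window over each host's '.vault' events to find the densest burst.
    for host, times in vault_times.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            secs = int(window.total_seconds())
            findings[host].add(f"{best} files gained {VAULT_EXT} within {secs}s")

    return {host: sorted(reasons) for host, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample, ws-12 is flagged for both the rename burst and the VAULT.KEY write, ws-03 for VAULT.KEY alone, and ws-07 is not flagged because a single ‘.vault’ rename stays below the burst threshold. The two checks are deliberately independent: the key file is the higher-confidence indicator, while the rename burst catches an infection before the key file shows up in your telemetry.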

Once logged in, the interface becomes, somewhat disconcertingly, consumer-oriented. There is a news ticker as well as a variety of information about the encrypted files and how to get them back. There is even the opportunity to chat with the malware developers for anyone needing help.

VaultCrypt offers to restore 4 files free of charge to prove that it can. The whole thing is rather sinister and also very clever. Until now, the use of the Russian language kept the malware in its motherland. But recent developments are bringing it a little closer to home.

As with all malware, the best means of protection is keeping the software on every machine within the network patched and up to date. ITC Secure Networking offers expert help and advice as well as top-of-the-range products and excellent customer service. Contact us on 020 7517 3900 or email [email protected] to see how we can assist you and your business.