Trojan.Ransomcrypt.R
First posted on 21 March 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Ransomcrypt.R.
Explanation:
Trojan.Ransomcrypt.R is a Trojan horse that encrypts files on the compromised computer and asks the user to pay to unlock them.
The Trojan is dropped onto the compromised computer by other malware.
Once executed, the Trojan creates the following files:
%Temp%\a.qq
%Temp%\VAULT.txt
%Temp%\VAULT.hta
%Temp%\revault.js
%UserProfile%\CONFIRMATION.KEY
%UserProfile%\Application Data\VAULT.KEY
%UserProfile%\Application Data\VAULT.hta
%UserProfile%\Application Data\Desktop\VAULT.KEY
%UserProfile%\Desktop\vault.txt
%UserProfile%\Desktop\vault.hta
The Trojan creates the following registry entries so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"vlt notify" = "mshta %UserProfile%\Application Data\VAULT.hta"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"tnotify" = "notepad %Temp%\VAULT.txt"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"vltexec" = "wscript //B //Nologo %Temp%\revault.js"
The Trojan also creates the following registry entries:
HKEY_CLASSES_ROOT\Vaulted\Shell\Open\Command\"[DEFAULT]" = "mshta.exe vbscript:Execute("msgbox "" STORED IN VAULT:""&vbNewLine&"" %1""&vbNewLine&vbNewLine&ChrW(10139)&"" Visit for key: http://restoredz4xpmuqr.onion""&vbNewLine&vbNewLine&"" [accessible only via Tor Browser: http://torproject.org]"",16,""VaultCrypt [Permission Error: No Key]"":close")"
HKEY_CLASSES_ROOT\.vault\"[DEFAULT]" = "Vaulted"
The Trojan encrypts files with the following extensions:
xls doc rtf pdf psd dwg cdr cd mdb 1cd dbf sqlite jpg zip 7z
The Trojan appends the following string to the encrypted files:
.vault
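The following script is an added example and is not part of Symantec's write-up. It turns the persistence values and dropped file names listed above into a simple host check: it parses a `reg query`-style listing of the Run key, matches the three value names against the commands the write-up gives for them, and scans a list of file paths for the dropped artifacts and for the `.vault` suffix. The registry listing, the file paths, the user name `alice` and the function names are all constructed for the example.

```python
"""Added example (not from the Symantec write-up): flag Run-key values and
file names that match the Trojan.Ransomcrypt.R indicators listed above."""
import re

# Value names and the commands the write-up associates with each one.
# Paths are matched on the file name only, because on a real host the
# %Temp% / %UserProfile% variables will already have been expanded.
RUN_VALUES = {
    "vlt notify": re.compile(r"\bmshta\b.*\\VAULT\.hta", re.I),
    "tnotify": re.compile(r"\bnotepad\b.*\\VAULT\.txt", re.I),
    "vltexec": re.compile(r"\bwscript\b.*\\revault\.js", re.I),
}

# File names the write-up lists as created or downloaded by the Trojan.
DROPPED_NAMES = {
    "a.qq", "vault.txt", "vault.hta", "revault.js",
    "confirmation.key", "vault.key", "enigma.exe",
}

ENCRYPTED_SUFFIX = ".vault"


def parse_reg_query(text):
    """Parse 'name    REG_SZ    data' lines of a reg query listing into a dict.

    Only REG_SZ values are of interest here, since the Run key holds command
    lines. Value names may contain spaces ("vlt notify"), so the name is
    matched non-greedily up to the type column.
    """
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s+REG_SZ\s+(.*)$", line)
        if m:
            entries[m.group(1)] = m.group(2).strip()
    return entries


def check_run_entries(entries):
    """Return the Run value names whose command matches the write-up."""
    hits = []
    for name, cmd in entries.items():
        pattern = RUN_VALUES.get(name)
        if pattern and pattern.search(cmd):
            hits.append(name)
    return sorted(hits)


def check_paths(paths):
    """Split a list of paths into (dropped artifacts, encrypted files)."""
    dropped, encrypted = [], []
    for p in paths:
        base = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in DROPPED_NAMES:
            dropped.append(p)
        elif base.endswith(ENCRYPTED_SUFFIX):
            encrypted.append(p)
    return dropped, encrypted


def assess(reg_text, paths):
    """Combine both checks into one report dict."""
    dropped, encrypted = check_paths(paths)
    return {
        "persistence": check_run_entries(parse_reg_query(reg_text)),
        "dropped": dropped,
        "encrypted": encrypted,
    }


# Constructed sample data; the OneDrive line is benign noise.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive      REG_SZ    C:\Users\alice\AppData\Local\OneDrive.exe /background
    vlt notify    REG_SZ    mshta C:\Users\alice\Application Data\VAULT.hta
    tnotify       REG_SZ    notepad C:\Users\alice\AppData\Local\Temp\VAULT.txt
    vltexec       REG_SZ    wscript //B //Nologo C:\Users\alice\AppData\Local\Temp\revault.js
"""

SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xls.vault",
    r"C:\Users\alice\Desktop\vault.txt",
    r"C:\Users\alice\AppData\Local\Temp\enigma.exe",
    r"C:\Users\alice\Pictures\holiday.jpg",
]

if __name__ == "__main__":
    report = assess(SAMPLE_REG, SAMPLE_PATHS)
    for key, items in report.items():
        print(f"{key}: {items}")
```

Matching on value name plus command keeps the check specific: a benign entry that happens to be called `tnotify` but launches something other than `notepad ... VAULT.txt` is not reported. A real triage pass would feed the output of `reg query` and a directory walk into `assess` instead of the constructed sample.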
When any of the encrypted files are double-clicked, a message box is shown telling the user that the file is encrypted.
The Trojan also displays a ransom demand.
The Trojan also downloads an executable file from the following remote location:
[http://]tj2es2lrxelpknfp.onion.city/[REMOVED]
The file is saved to the following location:
%Temp%\enigma.exe
The downloaded file steals passwords from web browsers. The stolen information is sent to the following remote location:
[http://]tj2es2lrxelpknfp.onion.city/[REMOVED]
Last update 21 March 2015