Home / malwarePDF  

Ransom:MSIL/Vaultlock.A


First posted on 26 April 2015.
Source: Microsoft

Aliases :

There are no other names known for Ransom:MSIL/Vaultlock.A.

Explanation :

Threat behavior

Installation

This ransomware is a .NET based threat which can be downloaded by other malware, and is installed as coinvault.exe.

It adds the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Vault"
With data: """" -- where it first ran

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "*VaultBackup"
With data: """" -- where it first ran

Payload

Encrypts your files and asks for payment

Although this threat avoids encrypting files in directories with substrings:

  • appdata
  • all users
  • boot
  • default desktop folder
  • default documents folder
  • default user folder
  • downloads
  • programdata
  • program files
  • recycle.bin
  • temp
  • windows
  • winnt


..it searches for folders with the strings "pictures" or "backup" in the file name, then it encrypts the files with the following extensions:

.3ds .der .jpeg .odp .pptx .txt .3fr .dng .jpg .ods .psd .vsdx .accdb .doc .kdc .odt .pst .wb2 .ai .docm .mdb .orf .ptx .wpd .arw .docx .mdf .p12 .r3d .wps .bay .dwg .mef .p7b .raf .x3f .bmp .dxf .mov .p7c .rar .xlk .c4d .dxg .mp3 .pdd .raw .xls .cdr .eps .mp4 .pdf .rtf .xlsb .cer .erf .mrw .pef .rw2 .xlsm .cr2 .exif .nef .pem .rwl .xlsx .crt .gif .nrw .pfx .sr2 .zip .crw .indd .odb .png .srf .dbf .iso .odc .ppt .srw .dcr .jfif .odm .pptm .tc

After the files are encrypted, the ransomware launches a window similar to the following screenshot. The window displays decryption instructions with a countdown that increases the payment amount if the victim fails to immediately comply to the ransom demands:





It also displays the list of encrypted files saved in a text file named %TEMP%\CoinVaultFileList.txt.



The desktop wallpaper will also be modified with the image file saved in the location %temp%\wallpaper.jpg.



Stops processes from running

This ransomware stops processes with following substrings from running, and then deletes shadow or backup files:

  • mbam
  • msconfig
  • procexp
  • processhacker
  • regedit
  • roguekiller
  • rstrui
  • shadow
  • spyhunter
  • taskmgr


Connects to remote hosts

This threat also attempts to connect to the following servers to send information about the compromised PC such as BIOS, Baseboard, Processor and Disk information:

  • salzlandfussball.de
  • www.cwears.nl


This analysis is based on SHA1:8f23b28c77c44b042817e19e017f618ed2cd2581



Analysis by Marianne Mallen SymptomsThe following can indicate that you have this threat on your PC:
  • You see the following messages or pages:






  • You see these entries or keys in your registry:
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "Vault"
      With data: """" -- where it first ran
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
      Sets value: "*VaultBackup"
      With data: """" -- where it first ran

Last update 26 April 2015

 

TOP

Malware :