Developing a Tool to Decrypt VCryptor Ransomware (Available on NoMoreRansom.org)

Innovation and Laboratory Area in ElevenPaths    1 June, 2020
Developing a Tool to Decrypt VCryptor Ransomware

ElevenPaths is one of the main members of the NoMoreRansom.org partnership, as an associated entity. This renowned status is achieved when a decryption tool for a ransomware variant is provided. In 2016, we managed to create a simple tool to decode PopCorn ransomware without paying a ransom. This time, we have provided another simple tool to decode VCryptor ransomware.

By the end of 2016, a very interesting ransomware became popular, not in technical terms, but because of its “extortion” formula. It offered two ways to decrypt content: The “standard” way (that is, the ransom is paid), and the “nasty” way (how they named it) where if a link to an executable is sent to two people and they get infected and pay, they will be given a “free” code to be able to decrypt the content. A “friendly” spread plan where the attacker ensures two infections for the price of one, and a more effective method of spreading. From ElevenPaths, we analysed it and found out that we could discover the password and decrypt the files. This led us to join NoMoreRansom.

The platform www.nomoreransom.org has the clear objective of, on the one hand, assisting and enabling ransomware victims to recover their encrypted content without having to pay the criminals. On the other hand, they aim to legally pursue those responsible for these scams by sharing information among the security forces.

ElevenPaths brings its expertise in this field developing and offering a free tool to this initiative. Thanks to the joint work of the Innovation and Laboratory Area, ElevenPaths is part of the consortium, as one of the seven associated entities, together with Avast, Bitdefender, CERT (Poland), Check Point, Emsisoft and Kasperksy.

VCryptor Malware

This time, we have contributed by creating a simple tool to decrypt files encrypted by VCryptor malware. Discovered by several antivirus companies, the malware encrypts user files (desktops, documents, images and so on) in a password-protected zip and creates with .vcrypt extension the files for which the ransom is requested. The ransom note is as follows:

After verifying that the obfuscated password was stored within its code and that it was easy to decrypt, we developed a simple (though very heavy, since it uses pyQT) tool that allows users to recover their files without having to pay the ransom. The default password is the one corresponding to the best-known variant, which is also identifiable by a characteristic process name.

We create a quick script to decrypt the files, but to display it on NoMoreRansom.org it was necessary to accompany it with an interface.

Finally, the tool can be found in the most useful repository for malware-infected users.

Leave a Reply

Your email address will not be published. Required fields are marked *