
VCrypt Ransomware

By GoldSparrow in Ransomware

The VCrypt Ransomware is a threat that poses as a data-locking Trojan. However, unlike a real file-encrypting Trojan, the VCrypt Ransomware is not capable of encrypting any of your data. Most data-locking Trojans use encryption algorithms to lock the targeted files and then extort the victim. This is not the case with the VCrypt Ransomware.

The VCrypt Ransomware is a low-quality threat that uses the legitimate 7Zip utility to create password-protected archives and place the victim’s files in them. The users will have no access to the password and, therefore, to their data. The authors of the VCrypt Ransomware offer to sell the users the password they need to unlock the archives that contain their data. To let the users know what has happened to their data and how to purchase the password, the VCrypt Ransomware drops a ransom note on the compromised system. The ransom message redirects users to a website hosted by the attackers, which is meant to have instructions on how to obtain the password in question. However, it appears that the attackers’ site is offline, and therefore the users have no means of contacting them.

What Does VCrypt Do?

One thing to note about this virus is that it doesn’t operate in the same way as traditional ransomware. Unlike other viruses, which encrypt the actual files, this ransomware creates password-protected archives of files. It extracts the 7za.exe program – a completely legitimate program used by 7Zip – to the Temp folder as mod_01.exe.

VCrypt executes a series of commands to find and archive files in a range of Windows folders into password-protected archives.

The password is the same for each of the encrypted folders. The ransomware also doesn’t dive deep into the computer to find specific file types to lock. Instead, it targets particular default folders: it locks down the Desktop, Documents, Downloads, Music, Pictures, and Video folders.

If you notice the virus on your computer, then you should take steps to remove it and protect your computer from further damage.

The VCrypt Ransomware Ransom Note

Like most ransomware, VCrypt comes packaged with a ransom note explaining the situation to victims. The VCrypt ransom note is displayed through an Internet Explorer window. The note, called help.html, is written in French. Here is the text of the note, followed by a translation of the written instructions:

Ransom note text:

Q: Qu'ai t'il arrivé à mes fichiers ?

A: Tous vos fichiers ont étés chiffrés et placés dans une zone de sécurité.

Q: Comment récupérez mes documents !! ?

A: Suivez les instructions disponibles via cette page web. Si la page ne s'ouvre pas, veuillez vérifier votre connexion internet.

When translated, the note reads:

Q: What happened to my files?

A: All your files have been encrypted and placed in a security zone.

Q: How to recover my documents !! ?

A: Follow the instructions available via this web page. If the page does not open, please check your internet connection.

It is unknown how much the hackers would charge for their ransom. The ransom note includes a link to a website that is no longer active. There is no way to reach the attackers to learn more about potential data recovery options. The best way to restore your files is through backups.

Unfortunately, the VCrypt Ransomware may also end up wiping out some of the victim’s files, as this is not a well-built threat, to say the least. The VCrypt Ransomware only works as intended with files located in the ‘C’ partition of the user’s system. The data located there will be put in locked archives named ‘_.vcrypt.’ The VCrypt Ransomware will make sure to delete the original copies of the targeted files. On any partition other than ‘C’, however, the VCrypt Ransomware does not work as intended, and it is likely to erase the user’s files located there permanently. This means that the victim will have no means of recovering any of the data affected by the VCrypt Ransomware, apart from the files that were originally located in the ‘C’ partition. Users who have created backups of their data may be the only ones who will be able to recover their files.

The VCrypt Ransomware’s ransom note is located in a file called ‘help.html.’ The VCrypt Ransomware also changes the user’s wallpaper by replacing it with a ransom message. The attackers’ ransom message is written entirely in French. This led malware experts to assume that the authors of the VCrypt Ransomware are likely targeting mainly French-speaking users.

VCrypt Ransomware Distribution and Prevention

While it is unclear how the ransomware spreads, victims report that VCrypt was hidden in a file called video_driver.exe. A file name like that could indicate that the ransomware was downloaded as a malicious driver update from an illegitimate source.
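The file names and behaviour described in this article (video_driver.exe, mod_01.exe in the Temp folder, password-protected archives of the default user folders, the .vcrypt extension) can be checked against process-creation logs. The following is an added example, not code from the original article or from any vendor. It assumes events shaped like Sysmon process-creation records; the dictionary keys, the sample events and their command lines are constructed for illustration.

```python
import ntpath
import re

# Indicators named in the article.
DROPPED_7ZA = "mod_01.exe"        # 7za.exe copy extracted to the Temp folder
DROPPER = "video_driver.exe"      # file name reported by victims
ARCHIVE_EXT = ".vcrypt"
# "videos" is the usual Windows folder name; the article says "Video".
USER_FOLDERS = {"desktop", "documents", "downloads", "music", "pictures", "video", "videos"}

def findings(event):
    """Return the reasons a process-creation event matches the described behaviour."""
    image = event["image"].lower()
    name = ntpath.basename(image)
    # Split the command line, keeping quoted arguments together, then drop the quotes.
    args = [a.strip('"').lower() for a in re.findall(r'"[^"]*"|\S+', event["command_line"])]
    reasons = []
    if name == DROPPED_7ZA and "\\temp\\" in image:
        reasons.append("mod_01.exe running from Temp")
    if name == DROPPER:
        reasons.append("video_driver.exe executed")
    # The name in the PE version resource survives a rename of the file on disk.
    original = event.get("original_file_name", "").lower()
    if original in ("7za.exe", "7z.exe") and name != original:
        reasons.append("7-Zip binary running under another name")
    # 7-Zip: "a" adds files to an archive, "-p<password>" protects it with a password.
    adds = "a" in args[1:]
    password = any(a.startswith("-p") and len(a) > 2 for a in args)
    user_data = any(USER_FOLDERS & set(a.split("\\")) for a in args)
    if adds and password and user_data:
        reasons.append("password-protected archive of a default user folder")
    if any(a.endswith(ARCHIVE_EXT) for a in args):
        reasons.append(".vcrypt file on the command line")
    return reasons

# Constructed sample events; the command lines are illustrative, not captured from VCrypt.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Local\Temp\mod_01.exe", "original_file_name": "7za.exe",
     "command_line": r'mod_01.exe a -pPLACEHOLDER "C:\Users\alice\Desktop\_.vcrypt" "C:\Users\alice\Desktop\*"'},
    {"image": r"C:\Users\alice\Downloads\video_driver.exe", "original_file_name": "",
     "command_line": "video_driver.exe"},
    {"image": r"C:\Program Files\7-Zip\7z.exe", "original_file_name": "7z.exe",
     "command_line": r"7z.exe a D:\backup\docs.7z C:\Users\alice\Documents"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["image"]), "->", findings(ev) or "no match")
```

The third sample event is an ordinary unprotected backup with the installed 7-Zip and produces no findings, which shows why the rules combine the password switch, the user-folder target and the renamed binary instead of alerting on 7-Zip alone.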

Illegal downloads, malicious email attachments, and compromised websites are the most common distribution vectors for ransomware. These attack patterns haven’t changed much, mostly because they are still effective.

To avoid a computer infection from compromised online downloads, we recommend that you only use secure, well-known websites for downloading programs and updates. Avoid using domains that have too many hyphens, digits, or suspicious symbols in the name. Also, check to see if the website connects over HTTPS with an SSL certificate, and not standard HTTP. We also recommend scanning downloaded files with an antivirus program before running them. Malicious files have to be accessed to damage your computer. Just downloading a file isn’t enough to do damage.

Last but not least, we recommend that you avoid downloading illegal programs like cracks and keygens. These programs are known to be a popular distribution method for malware. Another thing to keep in mind about malicious websites is that most browsers will warn you about them. If your browser tells you that the website is malicious or deceptive, then you should avoid accessing it. Close any website that instantly redirects you to another site after accessing it.

Criminals use attention-grabbing headlines for emails like “IMPORTANT!” and “REPLY IMMEDIATELY!” to trick victims. These messages commonly include a lot of spelling mistakes because they are so poorly written. The emails often have a link or attachment that readers are urged to download. Downloading and accessing the attachment infects the computer with the virus. Check emails for apparent errors before interacting with them.
