
Decryption of files compromised by the latest modification of Vault is now possible

November 10, 2015

Doctor Web security researchers have developed a new decryption technique that makes it possible to restore files encrypted by the dangerous encryption ransomware Trojan.Encoder.2843, known among users as Vault.

This modification, which Doctor Web specialists named Trojan.Encoder.2843, is distributed by cybercriminals via mass mailings and is disguised as a small file containing a JavaScript script. Once launched, the file extracts from its body an application that ensures the Trojan runs. This version of the malware has been distributed since November 2, 2015.

The malicious program has a rather interesting operating routine. First, it adds an encrypted dynamic-link library (.DLL) to the Windows system registry and then injects a small piece of code into explorer.exe. The code loads the library from the registry into memory, decrypts it, and transfers control to it.
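For incident responders, storing an encrypted library in the registry leaves a huntable artifact: an unusually large, random-looking registry value. The following triage sketch is an added example, not Doctor Web's code. It assumes the payload is stored as a REG_BINARY value, and its size and entropy thresholds are illustrative assumptions; the sample data is constructed.

```python
import hashlib
import math
from collections import Counter

MIN_SIZE = 16 * 1024   # assumption: few legitimate values are this large
MIN_ENTROPY = 7.5      # assumption: bits per byte; encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def hunt(values):
    """Return (key, name, size, entropy) for large, high-entropy values."""
    hits = []
    for key, name, data in values:
        if len(data) >= MIN_SIZE:
            h = shannon_entropy(data)
            if h >= MIN_ENTROPY:
                hits.append((key, name, len(data), round(h, 2)))
    return hits

def walk_registry(root, path=""):
    """Yield (key_path, value_name, bytes) for every REG_BINARY value (Windows only)."""
    import winreg  # imported here so the rest of the module runs on any OS
    try:
        key = winreg.OpenKey(root, path)
    except OSError:  # key vanished or access denied
        return
    with key:
        n_sub, n_val, _ = winreg.QueryInfoKey(key)
        for i in range(n_val):
            name, data, vtype = winreg.EnumValue(key, i)
            if vtype == winreg.REG_BINARY and data:
                yield path, name, data
        subkeys = [winreg.EnumKey(key, i) for i in range(n_sub)]
    for sub in subkeys:
        yield from walk_registry(root, f"{path}\\{sub}" if path else sub)

# Constructed sample values (not taken from a real infection) for offline testing.
_stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2048))
SAMPLE = [
    ("Software\\ExampleVendor", "Payload", _stream),        # 64 KiB, random-looking
    ("Software\\ExampleVendor", "Cache", bytes(64 * 1024)),  # 64 KiB of zeros
    ("Software\\ExampleVendor", "Token", _stream[:32]),      # high entropy but tiny
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):  # on Windows: hunt(walk_registry(winreg.HKEY_CURRENT_USER, "Software"))
        print(hit)
```

Compressed or otherwise legitimately encoded values can also score high, so treat hits as leads for manual review rather than as verdicts.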

The list of files to be encrypted is also stored in the system registry. For every file, Trojan.Encoder.2843 generates a unique key consisting of uppercase Latin letters. Files are encrypted with Blowfish in ECB mode, and a session key is encrypted with RSA using CryptoAPI. The .vault extension is appended to the name of each encrypted file.

Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware. If you have fallen victim to Trojan.Encoder.2843, follow the guidance below:

  • Notify the police.
  • Do not, under any circumstances, attempt to solve the problem by reinstalling, “optimizing” or “cleaning” the operating system using some utility.
  • Do not delete any files from your computer.
  • Do not try to restore the encrypted data by yourself.
  • Contact Doctor Web technical support (the free decryption service is only available to users who have purchased commercial licenses for Dr.Web products).
  • Attach a file encrypted by the Trojan to the request ticket.
  • Wait for a response from technical support. Due to the large number of requests, it may take some time.

Once again, we would like to point out that the free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. Doctor Web cannot guarantee that all your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.


Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.
