
Decryption of files compromised by the latest modification of Vault is now possible

November 10, 2015

Doctor Web security researchers have developed a new decryption technique that makes it possible to restore files encrypted by the dangerous encryption ransomware Trojan.Encoder.2843, known among users as Vault.

This modification, named Trojan.Encoder.2843 by Doctor Web specialists, is distributed by cybercriminals via mass mailings and is disguised as a small file containing a JavaScript script. Once launched, the script extracts from its body an application that then runs the Trojan. This version of the malware has been in circulation since November 2, 2015.

The malicious program has a rather interesting operating routine. First, it adds an encrypted dynamic-link library (.DLL) to the Windows system registry, then injects a small piece of code into explorer.exe. That code loads the DLL from the registry into memory, decrypts it, and transfers control to it.
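The operating routine above leaves a hunting artefact that does not depend on knowing the malware's own key names: an encrypted DLL kept as a binary registry value is far larger than any ordinary setting. The following is an added example, not Doctor Web's code, of a triage check that parses a text export produced by `reg export <key> out.reg` and reports binary values big enough to hold a DLL. It assumes the analyst has already exported the keys or hives of interest (the write-up does not name the key the Trojan uses), and the `.reg` text, the `ExampleVendor` key and the 64 KB threshold are constructed for the example.

```python
"""
Added example (not Doctor Web's code): find unusually large binary values in a
.reg text export, a generic heuristic for payloads stored in the registry.
Assumptions: the export was made with `reg export` and converted to a str; the
key name, value names and 64 KB threshold below are constructed placeholders.
"""
import re
from typing import Iterator, List, Tuple

# "Name"=hex:01,02,...  (also hex(2):, hex(7): etc. for typed binary data)
VALUE_RE = re.compile(r'^(?P<name>"[^"]*"|@)=hex(?:\([0-9a-fA-F]+\))?:(?P<data>.*)$')
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')


def iter_binary_values(reg_text: str) -> Iterator[Tuple[str, str, int]]:
    """Yield (key, value name, byte length) for every hex: value in the export.

    Long values are split by reg export into continuation lines that end with a
    backslash; those are joined back together before the bytes are counted.
    """
    key = ""
    lines = reg_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            i += 1
            continue
        m = VALUE_RE.match(line)
        if not m:
            i += 1
            continue
        data = m.group("data")
        while data.endswith("\\") and i + 1 < len(lines):
            i += 1
            data = data[:-1] + lines[i].strip()
        nbytes = len([h for h in data.split(",") if h])
        yield key, m.group("name").strip('"'), nbytes
        i += 1


def find_large_binary_values(reg_text: str, min_bytes: int = 64 * 1024) -> List[Tuple[str, str, int]]:
    """Binary values of at least min_bytes: candidates for a registry-resident payload."""
    return [(k, n, b) for k, n, b in iter_binary_values(reg_text) if b >= min_bytes]


def make_sample_reg() -> str:
    """Constructed .reg text: one ordinary small value and one large blob."""
    blob = ["4d", "5a"] + ["90"] * (70 * 1024)          # constructed filler after an 'MZ' prefix
    chunks = [",".join(blob[i:i + 25]) for i in range(0, len(blob), 25)]
    big = ",\\\n  ".join(chunks)                         # reg export style continuation lines
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_CURRENT_USER\\Software\\ExampleVendor\\Settings]\n"
        '"WindowPos"=hex:01,00,00,00,40,01,00,00\n'
        '"Payload"=hex:' + big + "\n"
    )


SAMPLE_REG = make_sample_reg()

if __name__ == "__main__":
    for key, name, size in find_large_binary_values(SAMPLE_REG):
        print(f"{size:>8} bytes  {key}\\{name}")
```

The threshold is deliberately generous: most genuine settings are a few hundred bytes, whereas even a small DLL runs to tens of kilobytes, so anything over the limit deserves a look at its first bytes and at the process that wrote it.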

The list of files to be encrypted is also stored in the system registry. For every file, Trojan.Encoder.2843 generates a unique key consisting of uppercase Latin letters. Files are encrypted with Blowfish in ECB mode, and a session key is encrypted with RSA using the Windows CryptoAPI. The .vault extension is appended to every encrypted file.
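Blowfish has an 8-byte block, and ECB mode encrypts every block independently, so identical plaintext blocks become identical ciphertext blocks. That gives an analyst a key-independent way to corroborate the cipher mode on a `.vault` sample: a file whose original content was repetitive (a bitmap with a solid background, a document padded with spaces) will show repeated 8-byte blocks. The following is an added example, not Doctor Web's code. It does not implement Blowfish; a keyed, deterministic 8-byte block function built from HMAC-SHA256 stands in for it, which is enough because the check only relies on the per-block determinism that ECB exposes. The key, plaintext and 5 % threshold are constructed for the example.

```python
"""
Added example (not Doctor Web's code): detect the repeated-block fingerprint of
ECB mode in an encrypted file.  Assumption: a keyed HMAC-based 8-byte block
function stands in for Blowfish; only determinism per block matters here.
"""
import hashlib
import hmac
from collections import Counter

BLOCK = 8  # Blowfish block size in bytes


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one block encryption (NOT Blowfish): keyed and deterministic."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a whole number of 8-byte blocks."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Every block encrypted on its own: equal inputs give equal outputs."""
    data = pad(data)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Same block function chained in CBC mode, for contrast."""
    data = pad(data)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        x = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, x)
        out.append(prev)
    return b"".join(out)


def repeated_block_ratio(ciphertext: bytes, block: int = BLOCK) -> float:
    """Fraction of blocks that duplicate an earlier block (trailing partial block ignored)."""
    whole = len(ciphertext) - len(ciphertext) % block
    blocks = [ciphertext[i:i + block] for i in range(0, whole, block)]
    if not blocks:
        return 0.0
    duplicates = sum(c - 1 for c in Counter(blocks).values())
    return duplicates / len(blocks)


def looks_like_ecb(ciphertext: bytes, threshold: float = 0.05) -> bool:
    """Heuristic: a random-looking ciphertext almost never repeats an 8-byte block."""
    return repeated_block_ratio(ciphertext) >= threshold


# Constructed sample input: a repetitive file and a key drawn from the
# uppercase Latin alphabet the text describes (values are made up).
SAMPLE_KEY = b"QWERTYUIOPASDFGH"
SAMPLE_PLAINTEXT = b"\x00" * 4096 + b"header bytes go here" + b" " * 2048

if __name__ == "__main__":
    ecb = ecb_encrypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    cbc = cbc_encrypt(SAMPLE_KEY, b"\x01" * BLOCK, SAMPLE_PLAINTEXT)
    print(f"ECB repeated-block ratio: {repeated_block_ratio(ecb):.3f} -> ecb? {looks_like_ecb(ecb)}")
    print(f"CBC repeated-block ratio: {repeated_block_ratio(cbc):.3f} -> ecb? {looks_like_ecb(cbc)}")
```

The ratio is a triage signal, not proof: a file with no repetition in the plaintext gives a ratio near zero under any mode, so run the check on samples whose originals are known to be repetitive, and treat a high ratio as consistent with the ECB mode described in the write-up.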

Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware. If you have fallen victim to Trojan.Encoder.2843, follow the guidance below:

  • Notify the police.
  • Do not, under any circumstances, attempt to solve the problem by reinstalling, “optimizing” or “cleaning” the operating system using some utility.
  • Do not delete any files from your computer.
  • Do not try to restore the encrypted data by yourself.
  • Contact Doctor Web technical support (free decryption service is only available to users who have purchased commercial licenses for Dr.Web products).
  • Attach a file encrypted by the Trojan to the request ticket.
  • Wait for a response from technical support. Due to a large number of requests, it may take some time.

Once again we would like to point out that the free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. Doctor Web cannot guarantee that all your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.
