The Vaultz virus belongs to the Memento ransomware family. This ransomware pack all user’s data on the PC (photos, documents, excel tables, music, videos, etc), adds its specific extension to every file, and creates the Hello Message.txt files in every folder which contains encrypted files.
Vaultz Virus
☝️ Vaultz can be correctly identify as a Memento ransomware infection.
Vaultz adds its specific “.vaultz” extension to the name of every file. For example, your photo named as “image.jpeg” will be transformed into “image.jpeg.vaultz“, report in Excel tables named “report.xlsx” – to “report.xlsx.vaultz“, and so on.
Vaultz ransomware does not encrypt data, but copies the data of business users into a special password-protected archive using the renamed free version of WinRAR, and then encrypts the password and deletes the original files. Thus, the files are encrypted using the capabilities of the WinRar archiver (see the WinRar help). The ransomware moves the created archives to a directory on a shared disk, which they can access via RDP.
The ransomware itself is a Python 3.9 script compiled with PyInstaller. Ransomware hacker group: Memento Team. According to the observations of Sophos experts, the ransomware had been preparing the attack for about 6 months, changing the tools, attack methods, and sequence of actions.
Hello Message.txt file, which can be found in every folder that contains the encrypted files, is a ransom money note. Inside of it, you can find information about ways of contacting Vaultz ransomware developers, and some other info. Inside of the ransom note, there is usually an instruction saying about purchasing the decryption tool. This decryption tool is created by ransomware developers.
Here is a summary for the Vaultz:
| Name | Vaultz Virus |
| Ransomware family1 | Memento ransomware |
| Extension | .vaultz |
| Ransomware note | Hello Message.txt |
| Detection | BV:Agent-AOS [Trj], Trojan:MSIL/RedLine.RPS!MTB, Trojan:Win32/Raccoon.ES!MTB |
| Symptoms | Your files (photos, videos, documents) have a .vaultz extension and you can’t open it. |
| Fix Tool | See If Your System Has Been Affected by Vaultz virus |
The Hello Message.txt file by the Vaultz ransomware states the following frustrating information:
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 'vaultz' and 'vault-key'. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). * All your outlook email has been backup-ed as pst file with password, too. You can recover whole email with our help. [+] What guarantees? [+] It\'s just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. It's not in our interests. To check the ability of returning files, You can send file for decrypt. We provide decryption for only one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause JUST WE have the private key. In practise - time is much more valuable than money. [+] Time limitation [+] = ONE WEEK = After ONE WEEK, i.e Octobor 29th 12:80AM, we can't help doing as follows - the price will be DOUBLED - your data will be made public day by day, i.e. we already have your critical data and we will make it public. f our deal is broken or we detect suspicious behavior from you. But if you agree our deal, we will surely RECOVER all your data and NEVER make it public. [+] Our Price [+] 15.95 BTC Private key for FULLY recover, 0.099BTC per each document (doc, pdf, xls, csv, txt, ...) 0.98 BTC per each large file more than 1GB (iso, pst, bak, vmdk, ...) 0.019 BTC per each 10MB of smaller files (ini. Ink, log, ...) * We have a willing of discounting the price if you honestly get along with us. [+] How to get access to us? [+] You have two ways: 1) [Recommended] Using telegram a) Download and install telegram, b) Send hi to + *** 2) If Telegram is blocked in your country, try to use mail address. For this: a) Send hello msg to ***@protonmail.com. * Warning: mail can be blocked or neglected, that's why first variant is much better and more available. --- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result. The Loss whole data. !!! !!! !!! ONE MORE TIME: It's in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! 1!! !!! Memento team
The image below gives a clear vision of how the files with “.vaultz” extension look like:
Example of encrypted .vaultz files
How did I get Vaultz ransomware on my computer?
That was a huge number of different ways of ransomware injection.
However, nowadays there are only two ways of Vaultz injection – email spam and trojans. You may see a lot of messages on your email, stating that you need to pay different bills or to get your parcel from the local FedEx department. But all such messages are sent from unknown email addresses, not from familiar official emails of these companies. All such letters contain the attached file, which is used as a ransomware carrier. If you open this file – your system will get infected by Vaultz.
In case of trojans presence, you will be offered to download and install ransomware on your PC under the guise of something legit, like a Chrome update, or update for the software you are storing on your computer. Sometimes, trojan viruses can be masked as legit programs, and ransomware will be offered for download as an important update, or a big pack of extensions that are essential for proper program functioning.
There is also the third way of ransomware injection, however, it becomes less and less popular day-to-day. I am talking about peering networks, such as torrents or eMule. No one can control which files are packed in the seeding, so you can discover a huge pack of different malware after downloading. If circumstances force you to download something from peering networks – scan every downloaded folder or archive with antivirus software.
How to remove Vaultz virus?
In addition to encode a victim’s files, the Vaultz infection has also started to install the Azorult Spyware on PC to steal account credentials, cryptocurrency wallets, desktop files, and more.
To ensure the user that ransomware distributors really have the decryption tool, they may offer to decrypt several encrypted files. And they are the single owners of this decryption program: Vaultz ransomware is a completely new type, so there is no legit program from anti-malware vendors, which can decrypt your files. But such a situation is in momentum: decryption tools are updating every month.
However, paying the ransom is a bad decision, too. There is no guarantee that Vaultz ransomware developers will send you the decryption tool and a proper decryption key. And there are a lot of cases when ransomware distributors deceived their victims, sending the wrong key or even nothing. In the majority of cases, there is a way to recover your files for free. Search for available backups, and restore your system using it. Of course, there is a chance that the backup you found is too old, and does not contain a lot of files you need. But, at least you will be sure that there is no malware in your system. However, to ensure that there are no malicious programs in your system after the backup, you need to scan your PC with anti-malware software.
Vaultz ransomware is not unique. There are more ransomware of this type: Iisa, Futm, Chichi. These examples of ransomware act in a similar way: encrypting your files, adding a specific extension, and leaving a great number of ransom money notes in every folder. But there are two things which make difference between these ransomware – algorithm, which is used for file encryption, and ransom amount. This ransomware was written in Python 3.9 and archived files using WinRAR and then encrypted them using AES. However, the latter action often triggered antivirus protection tailored for this behavior, and Memento had to adjust its code.
Source: https://howtofix.guide/hackers-bypass-ransomware-protection-using-winrar/
Reasons why I would recommend GridinSoft2
Download Removal Tool.
Run the setup file.
Press “Install” button.
Once installed, Anti-Malware will automatically run.
Wait for the Anti-Malware scan to complete.
Click on “Clean Now”.
Frequently Asked Questions
How сan I avoid ransomware attack?
Vaultz ransomware doesn’t have a superpower.
You can easily protect yourself from its injection in several easy steps :
- Ignore all emails from unknown mailboxes with a strange unknown address, or with content that has likely no connection to something you are waiting for (can you win in a lottery without taking part in it?). If the email subject is likely something you are waiting for, check carefully all elements of the suspicious letter. A fake email will surely contain a mistake.
- Do not use cracked or untrusted programs. Trojans are often distributed as a part of cracked software, possibly under the guise of “patch” which prevents the license check. But untrusted programs are very hard to distinguish from trustworthy software, because trojans may also have the functionality you need. You can try to find information about this program on the anti-malware forums, but the best solution is not to use such programs.
Leave a Comment