Victims of CoinVault ransomware will be able to retrieve their data without paying the criminals, thanks to a repository of decryption keys and a decryption application made available online by Kaspersky Lab and the National High Tech Crime Unit (NHTCU) of the Netherlands’ police.The keys and the tool can be found on noransom.kaspersky.com, together with clear instructions on how to implement them.
CoinVault ransomware has been around for a while, encrypting victims’ files and demanding Bitcoins to unlock them. In order to help victims recover from an attack, the NHTCU and the Netherlands’ National Prosecutors Office obtained a database from a CoinVault command & control sever. This server contained Initialisation Vectors (IVs), Keys and private Bitcoin wallets and helped Kaspersky Lab and the NHTCU to create the special repository of decryption keys. As the investigation is ongoing, new keys will be added when available.
“If you get infected with the CoinVault ransomware, please check noransom.kaspersky.com. We have uploaded a huge number of keysonto the site. If we do not currently have records for a particular Bitcoin wallet, you can check again in the near future, because together with the National High Tech Crime Unit of the Netherlands’ police we are continuously updating the information,” – says Jornt van der Wiel, Security Researcher at Global Research and Analysis Team, Kaspersky Lab.
CoinVault has infected more than 1,000 Windows-based machines in over 20 countries, with the majority of victims in the Netherlands, Germany, the USA, France and the UK. Victims have also been registered in Belgium, Austria, Switzerland, Norway, Sweden, Luxemburg, Denmark, Slovakia, Slovenia, Spain, Italy, Hungary, Ireland, Croatia, Russia, Canada, Israel, the United Arab Emirates, China, Indonesia, Thailand, South Africa, Australia, New Zealand, Panama, the Dominican Republic, and Mexico.
“Nowadays, many believe that combatting cybercrime requires public-private partnerships. We do it. Just talk to your partners, identify how you can help each other achieve a mutual aim: helping cybersecurity.” explains Marijn Schuurbiers from the High Tech Crime Team of the Dutch Police.
Kaspersky Lab’s security experts also analysed the malware samples and designed and built a decryption tool that can unlock files and delete the CoinVault malicious program from infected computers.
If a PC has been infected with CoinVault, an image such as the following will appear on the screen:
To discover how to remove the CoinVault ransomware from your computer and restore your files, please visit HERE
How to avoid being infected? Keep your anti-malware suite updated and make a habit of backing up your most important files.
Duo Security RSAC 2015 – Register to win a free Quadcopter
Kaspersky detects this family as ‘Trojan-Ransom.Win32.Crypmodadv.cj’.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.