From today, victims of CoinVault ransomware have a chance to retrieve their data without paying the criminals, thanks to a repository of decryption keys and a decryption application made available online by Kaspersky Lab and the National High Tech Crime Unit (NHTCU) of the Netherlands’ police.
The keys and the tool can be found on noransom.kaspersky.com, together with clear instructions on how to implement them.
CoinVault ransomware has been around for a while, encrypting victims’ files and demanding Bitcoins to unlock them. In order to help victims recover from an attack, the NHTCU and the Netherlands’ National Prosecutors Office obtained a database from a CoinVault command and control sever. This server contained Initialization Vectors (IVs), Keys and private Bitcoin wallets and helped Kaspersky Lab and the NHTCU to create the special repository of decryption keys. As the investigation is ongoing, new keys will be added when available.
“If you get infected with the CoinVault ransomware, please check noransom.kaspersky.com. We have uploaded a huge number of keys onto the site. If we do not currently have records for a particular Bitcoin wallet, you can check again in the near future, because together with the National High Tech Crime Unit of the Netherlands’ police we are continuously updating the information,” says Jornt van der Wiel, security researcher at Global Research and Analysis Team, Kaspersky Lab.
CoinVault has infected more than 1 000 Windows-based machines in over 20 countries, with the majority of victims in the Netherlands, Germany, the USA, France and the UK. Victims have also been registered in Belgium, Austria, Switzerland, Norway, Sweden, Luxemburg, Denmark, Slovakia, Slovenia, Spain, Italy, Hungary, Ireland, Croatia, Russia, Canada, Israel, the United Arab Emirates, China, Indonesia, Thailand, South Africa, Australia, New Zealand, Panama, the Dominican Republic, and Mexico.
“Nowadays, many believe that combatting cybercrime requires public-private partnerships. We do it. Just talk to your partners, identify how you can help each other achieve a mutual aim: helping cybersecurity,.” explains Marijn Schuurbiers from the High Tech Crime Team of the Dutch Police.
Kaspersky Lab’s security experts also analysed the malware samples and designed and built a decryption tool that can unlock files and delete the CoinVault malicious programme from infected computers.
Kaspersky detects this family as “Trojan-Ransom.Win32.Crypmodadv.cj”.