Omerta Information Security – Rotterdam, The Netherlands
Alex Drozhzhin has written an excellent blog post ( Kaspersky ) on removing Coinvault ransomware.
In most cases, if you are a victim of ransomware, there’s nothing you can do. Luckily, from time to time police and cybersecurity companies take down command and control servers of ransomware and retrieve information from them. This information is really useful, because it helps to create decryption tools and to recover users’ files. Recently, Dutch cyber-police and Kaspersky Lab created such a solution for CoinVault victims.
If you want to know more about CoinVault itself, you can read our detailed report at Securelist. If you are interested in exactly how we created a decryption solution, we covered it in a very detailed blog post. If you are looking for instruction on how to get rid of this ransomware and restore your files, then keep reading below.
Step 1: Are you infected with CoinVault?
First, make sure your files are stolen by CoinVault and not by another ransomware. It’s fairly easy to determine: If you are infected with CoinVault, you will see an image like below:
Step 2: Get the Bitcoin wallet address
In the bottom right of CoinVault you will see the Bitcoin wallet address (it’s marked with a black circle on the image above). It’s very important for you to copy and save this address!
Step 3: Get the encrypted file list
In the top left corner of the malware window you will see a ‘View encrypted filelist’ button (it’s marked with blue circle on the image above). Click this button and save the output to a file.
Step 4: Remove CoinVault
Go to https://kas.pr/kismd-cvault and download the trial version of Kaspersky Internet Security. Install it and it will remove CoinVault from your system. Be sure to save all information retrieved in steps 2 and 3.
At https://noransom.kaspersky.com you should enter the Bitcoin wallet address from step 2. If your Bitcoin wallet address is known, the IV and Key will appear on the screen. Please note that multiple keys and IVs may appear. In this case save all the keys and IVs to your computer, you will need them later.
Step 6: Download the decryption tool
Download the decryption tool at https://noransom.kaspersky.com and run it on your computer. If you get an error message, as shown below, go to step 7. If not, skip step 7 and proceed to step 8.
Step 7: Download and install additional libraries
Go to http://www.microsoft.com/en-us/download/details.aspx?id=40779 and follow the instructions on the website. Then install the software.
Step 8: Start the decryption tool
Start the tool and you will see a screen like below:
Step 9: Test if the decryption works properly
When running the tool for the first time, we strongly advise you to do a test decryption. Do the following:
- Click “Select file” button in the “Single File Decryption” box and select one file you want to decrypt;
- Enter the IV from the webpage into the IV box;
- Enter the key from the webpage into the key box;
- Click “Start” button.
Verify whether the newly created file is properly decrypted.
Step 10: Decrypt all files stolen by CoinVault
If everything was okay in step 9, then you can recover all your files at once. To do that select the file list from step 3, enter IV and key and click start. You can select “Overwrite encrypted file with decrypted contents” if you want.
If you received multiple IVs and keys when you entered your Bitcoin wallet address, please be very careful. At the moment we are not 100% sure where the multiple IVs and keys for one Bitcoin wallet come from. In this case, we strongly recommend leaving the “Overwrite encrypted file with decrypted contents” box unticked. If something goes wrong with the decryption you can try another IV+key pair until the file is successfully decrypted.
If you didn’t receive the IV and key at all, you should wait and check https://noransom.kaspersky.com. The investigation is ongoing, and we will add new keys as soon as they are available.
Have fun, keep safe and happy browsing!
The Omerta security team