The CoinVault Ransomware Information Guide and FAQ

  • November 20, 2014
  • 04:32 PM
  • Read 37,124 times

Table of Contents

  1. What is CoinVault?
  2. What types of files does CoinVault encrypt?
  3. What should you do when you discover your computer is infected with CoinVault?
  4. Is it possible to decrypt files encrypted by CoinVault?
  5. How to find files that have been encrypted by CoinVault
  6. CoinVault and Network Shares
  7. How to restore files encrypted by CoinVault
  8. How to restore files encrypted by CoinVault using Shadow Volume Copies
  9. How to restore files that have been encrypted on DropBox folders
  10. Will paying the ransom actually decrypt your files?
  11. How to prevent your computer from becoming infected by CoinVault
  12. How to allow specific applications to run when using Software Restriction Policies

 

Important Update: On April 13, 2015 Kaspersky was able to retrieve some decryption keys from the CoinVault Command & Control server. For more information about how to check if your key was discovered, please see this section.

 

Info: There is an active CoinVault support topic, which contains analysis, discussion and the experiences of a variety of IT consultants, end users, and companies who have been affected by CoinVault. If you are interested in this infection or wish to ask questions about it, please visit the CoinVault support topic. Once at the topic, and if you are a member, you can ask or answer questions and subscribe in order to get notifications when someone adds more information to the topic.

What is CoinVault?

CoinVault is a file-encrypting ransomware program that was released in the beginning of November 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware is part of the CryptoGraphic Locker family with the addition of offering one free file decryption to prove that they are able to do so. Unlike other recently released crypto-ransomware, this infection does not utilize a decryption site to make payments and download the decrypter, but rather the decryption functionality and payment system are built directly into the malware executable.

  • CoinVault screen shot
  • How to pay screen
  • Free decryption screen
  • CoinVault wallpaper

When you are first infected with CoinVault it will scan your computer for data files and encrypt them using AES encryption so they can no longer be opened. Once the infection has encrypted the files it will display the CoinVault program, which contains information on what has happened to your files, the ransom amount, and instructions on how to pay it. The ransom cost starts at 0.7 bitcoins and goes up after each 24-hour increment in which the payment is not made. The bitcoin address that payments are sent to is different for every infected computer.

CoinVault is distributed via emails with ZIP attachments that contain executables that are disguised as PDF files. These PDF files pretend to be invoices, purchase orders, bills, complaints, or other business communications. When you double-click on the fake PDF, it will infect your computer with the CoinVault infection and install malware files in the %AppData%\Microsoft\Windows\ folder. A full list of installed files and Registry keys can be found here.

Once infected, the installer will start to scan your computer's drives for data files, including removable drives, network shares, or even DropBox mappings. In summary, if there is a drive letter on your computer CoinVault will scan it for data files and encrypt any that are found. When CoinVault detects a supported data file it will encrypt it and then add the full path of the encrypted file to the %Temp%\CoinVaultFileList.txt file. The infection will also create a file called %AppData%\Microsoft\Windows\filelist.txt that contains a list of all files that CoinVault attempted to encrypt. If it was able to encrypt the file, |True is appended to the file path; if it could not encrypt the file, |False is appended instead.

When the infection has finished scanning your computer it will display the main CoinVault executable screen. This screen will show you how much it costs to get your files back, the bitcoin address you should be sending the payment to, a list of files that have been encrypted, and a way to check your payment status. CoinVault also allows you to decrypt one file for free to prove that it can do so. When you select the file to decrypt, CoinVault will upload the file to its Command and Control server, decrypt it, and then save it back on your computer. The free decryption screen is shown below.

Free decryption screen (one file)

While the press has stated that this free decryption offer is new, in reality this method was offered with the TorrentLocker and CryptoWall infections on their decryption sites.

Last, but not least, CoinVault will change your Windows desktop wallpaper to state "Your files have been encrypted!" as shown in the image below.

CoinVault Wallpaper

 


What types of files does CoinVault encrypt?

When CoinVault encrypts the data on your computer it will look for specific files on all of the drive letters on your computer. This means that USB drives, external hard drives, mapped network drives, and even mapped cloud services like DropBox will be scanned and encrypted if they are mapped to a drive letter. When CoinVault is scanning these drives it will only encrypt files that end with one of the following extensions:

.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .dng, .3fr, .arw, .srf, .sr2, .mp3, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c, .jpg, .png, .jfif, .jpeg, .gif, .bmp, .exif, .txt

 

What should you do when you discover your computer is infected with CoinVault?

If you plan on paying the ransom to get your files back, it is strongly suggested that you do so before removing any of the CoinVault files from your computer. As CoinVault performs the decryption directly from the malware executable, removing the infection will leave you unable to decrypt your files. Below are the registry keys and files used by CoinVault:

Files associated with CoinVault are:

%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg

Registry entries associated with CoinVault are:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vault = "%AppData%\Microsoft\Windows\coinvault.exe"
HKCU\Control Panel\Desktop\Wallpaper = "%Temp%\wallpaper.jpg"

 

Is it possible to decrypt files encrypted by CoinVault?

On April 13, 2015, Kaspersky announced that in a joint operation between Kaspersky, the National High Tech Crime Unit (NHTCU) of the Netherlands' police, and the Netherlands' National Prosecutors Office they were able to gain access to the Command & Control servers for CoinVault. This gave them access to some of the private encryption keys that were used to encrypt CoinVault victims' files. Victims can visit https://noransom.kaspersky.com/ and enter the Bitcoin address associated with their encrypted files to see if Kaspersky was able to obtain their decryption key. If it was, the site gives further instructions on how to decrypt your files. Unfortunately, Kaspersky was only able to retrieve a portion of the encryption keys, so there is no guarantee that you will be able to use their service to decrypt your files.

If Kaspersky was not able to retrieve your decryption key, there is no other way to obtain the private key needed to decrypt your files without paying the ransom. Brute-forcing the key is not realistic due to the length of time required to break an AES encryption key. Also, none of the decryption tools released by various companies will work with this infection. The only methods you have of restoring your files are from a backup, with file recovery tools, or, if you're lucky, from Shadow Volume Copies, which are explained below.


How to find files that have been encrypted by CoinVault

When CoinVault encrypts a file it will store the list of encrypted files in the following file:

%Temp%\CoinVaultFileList.txt

You can also see the list of files CoinVault attempted to encrypt and whether it was successful by looking at this file:

%AppData%\Microsoft\Windows\filelist.txt
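To work through the two list files described above, here is an added Python triage helper (written for this guide, not code from the original article or from CoinVault itself). It parses the <path>|True / <path>|False lines of filelist.txt, counts what was and was not encrypted per drive letter (so mapped shares and DropBox drives stand out), builds a restore worklist, and flags any encrypted file whose extension is not on the list given in the "What types of files does CoinVault encrypt?" section; the sample lines are constructed, not from a real victim.

```python
import ntpath
from collections import Counter

# Extensions the guide lists as CoinVault's targets (copied from the list above).
TARGETED_EXTENSIONS = frozenset("""
.odt .ods .odp .odm .odc .odb .doc .docx .docm .wps .xls .xlsx .xlsm .xlsb .xlk
.ppt .pptx .pptm .mdb .accdb .pst .dwg .dxf .dxg .wpd .rtf .wb2 .mdf .dbf .psd
.pdd .pdf .eps .ai .indd .cdr .dng .3fr .arw .srf .sr2 .mp3 .bay .crw .cr2 .dcr
.kdc .erf .mef .mrw .nef .nrw .orf .raf .raw .rwl .rw2 .r3d .ptx .pef .srw .x3f
.der .cer .crt .pem .pfx .p12 .p7b .p7c .jpg .png .jfif .jpeg .gif .bmp .exif .txt
""".split())

def is_targeted(path):
    """True if the file's extension is on the target list (case-insensitive)."""
    return ntpath.splitext(path)[1].lower() in TARGETED_EXTENSIONS

def parse_filelist(text):
    """Parse filelist.txt ("<path>|True" or "<path>|False" per line) into
    (path, flag) tuples; flag is None for a line without the expected suffix,
    so nothing is silently dropped from a file you are relying on for triage."""
    rows = []
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()   # tolerate a BOM and CRLF endings
        if not line:
            continue
        path, sep, flag = line.rpartition("|")
        if sep and flag in ("True", "False"):
            rows.append((path, flag == "True"))
        else:
            rows.append((line, None))
    return rows

def triage(rows):
    """Totals, per-drive counts, extensions hit, and encrypted files whose
    extension is NOT on the list above (the sample may differ from this guide)."""
    summary = {"encrypted": 0, "failed": 0, "unknown": 0, "by_drive": {},
               "by_extension": Counter(), "unexpected_extension": []}
    for path, flag in rows:
        if flag is None:
            summary["unknown"] += 1
            continue
        # ntpath handles Windows paths on any OS; drive is "D:" or a UNC "\\server\share".
        drive = ntpath.splitdrive(path)[0].upper() or "?"
        per_drive = summary["by_drive"].setdefault(drive, {"encrypted": 0, "failed": 0})
        if flag:
            summary["encrypted"] += 1
            per_drive["encrypted"] += 1
            summary["by_extension"][ntpath.splitext(path)[1].lower()] += 1
            if not is_targeted(path):
                summary["unexpected_extension"].append(path)
        else:
            summary["failed"] += 1
            per_drive["failed"] += 1
    return summary

def restore_worklist(rows):
    """Sorted, de-duplicated paths that were actually encrypted: the list to work
    through with the backup, file-recovery, shadow-copy and DropBox methods."""
    return sorted({path for path, flag in rows if flag})

# Constructed sample in the filelist.txt format described above (not from a real victim).
SAMPLE_FILELIST = "\ufeff" + "\r\n".join([
    r"C:\Users\alice\Documents\invoice.docx|True",
    r"C:\Users\alice\Pictures\holiday.jpg|True",
    r"C:\Users\alice\Documents\locked.xlsx|False",   # could not be encrypted
    r"D:\Finance\budget.xls|True",                   # mapped network share
    r"E:\Dropbox\notes.txt|True",                    # mapped DropBox folder
    r"C:\Users\alice\old.bak|True",                  # extension not on the list
    "garbage line without a flag",
])

if __name__ == "__main__":
    parsed = parse_filelist(SAMPLE_FILELIST)
    print(triage(parsed), restore_worklist(parsed))
```

Point parse_filelist at the real filelist.txt contents from an infected machine; the drive breakdown tells you which shares and mapped folders need the network-share and DropBox steps below.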

 

CoinVault and Network Shares

CoinVault will encrypt data files on network shares only if that network share is mapped as a drive letter on the infected computer. If it is not mapped as a drive letter, then CoinVault will not encrypt any files on the network share. It is strongly suggested that you secure all open shares by allowing writable access only to the necessary user groups or authenticated users. This is an important security principle that should be followed at all times regardless of infections like CoinVault.

 

How to restore files encrypted by CoinVault

If your files have become encrypted and you are not going to pay the ransom then there are a few methods you can try to restore your files.

Method 1: Backups

The first and best method is to restore your data from a recent backup. If you have been performing backups, then you should use your backups to restore your data.

Method 2: File Recovery Software

When CoinVault encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you can use file recovery software such as R-Studio or Photorec to possibly recover some of your original files. It is important to note that the more you use your computer after the files are encrypted the more difficult it will be for file recovery programs to recover the deleted un-encrypted files.

Method 3: Shadow Volume Copies

As of now, CoinVault does not delete your Shadow Volume copies so it may be possible to restore your original files from them. For more information on how to restore your files via Shadow Volume Copies, please see the link below:

How to restore files encrypted by CoinVault using Shadow Volume Copies

Method 4: Restore DropBox Folders

If you had your DropBox account mapped as a drive letter then it is possible that its contents were encrypted by CoinVault. If this is the case you can use the link below to learn how to restore your files.

How to restore files that have been encrypted on DropBox folders

 

How to restore files encrypted by CoinVault using Shadow Volume Copies

If you had System Restore enabled on the computer, Windows creates shadow copy snapshots that contain copies of your files from the point in time when the system restore snapshot was created. These snapshots may allow you to restore a previous version of your files from before they were encrypted. This method is not foolproof, though: even though these copies may not be encrypted, they also may not be the latest version of the file. Please note that Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

In this section we provide two methods that you can use to restore files and folders from the Shadow Volume Copy. The first method is to use native Windows features and the second method is to use a program called ShadowExplorer. It does not hurt to try both and see which methods work better for you.

Using native Windows Previous Versions:

To restore individual files you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up as shown in the image below.

 

Previous Versions Tab for a file

 

To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to. If you wish to restore the selected file and replace the existing one, click on the Restore button. If you wish to view the contents of the actual file, you can click on the Open button to see the contents of the file before you restore it.

This same method can be used to restore an entire folder. Simply right-click on the folder, select Properties, and then open the Previous Versions tab. You will then be presented with a similar screen as above where you can either Copy the selected backup of the folder to a new location or Restore it over the existing folder.


Using ShadowExplorer:

You can also use a program called ShadowExplorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.

When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.

Restoring files with Shadow Explorer

To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.

How to restore files that have been encrypted on DropBox folders

If you have DropBox mapped to a drive letter on an infected computer, CoinVault will attempt to encrypt the files on that drive. DropBox offers free versioning on all of its accounts that will allow you to restore encrypted files through their website. Unfortunately, the restore process offered by DropBox only allows you to restore one file at a time rather than a whole folder. If you need instructions on restoring an entire folder in DropBox, please click here.

To restore a file, simply login to the DropBox web site and navigate to the folder that contains the encrypted files you wish to restore. Once you are in the folder, right-click on the encrypted file and select Previous Versions as shown in the image below.

 

Select previous versions on a DropBox file

 

When you click on Previous versions you will be presented with a screen that shows all versions of the encrypted file.

 

Different file versions

 

Select the version of the file you wish to restore and click on the Restore button to restore that file.

Unfortunately, the process outlined above can be very time consuming if there are many files to restore. In order to restore an entire folder of encrypted files, you can use the dropbox-restore Python script located here. Please note that this script requires Python to be installed on the encrypted computer in order to run. Instructions on how to use this script can be found in the README.md file for this project.

 

Will paying the ransom actually decrypt your files?

Yes, paying the ransom will enable the CoinVault executable to decrypt your encrypted files. Once you pay the ransom and it is verified, you can click on the Decrypt using keys button in the malware program and it will start to decrypt your files. Please note that the decryption process can take quite a bit of time.

How to prevent your computer from becoming infected by CoinVault

You can use the Windows Group or Local Policy Editor to create Software Restriction Policies that block executables from running when they are located in specific paths. For more information on how to configure Software Restriction Policies, please see these articles from MS:

http://support.microsoft.com/kb/310791
http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx

The file paths that have been used by this infection and its droppers are:

%AppData%\Microsoft\Windows\
%Temp%

To block CoinVault, you want to create Path Rules so that its executables are not allowed to run. To create these Software Restriction Policies, you can either use the CryptoPrevent tool or add the policies manually using the Local Security Policy Editor or the Group Policy Editor. Both methods are described below.

Note: If you are using Windows Home or Windows Home Premium, the Local Security Policy Editor will not be available to you. Instead we suggest you use the CryptoPrevent tool, which will automatically set these policies for you.


How to use the CryptoPrevent Tool:

FoolishIT LLC was kind enough to create a free utility called CryptoPrevent that automatically adds the suggested Software Restriction Policy Path Rules listed above to your computer. This makes it very easy for anyone using Windows XP SP2 and above to quickly add the Software Restriction Policies that prevent CoinVault and Zbot from being executed in the first place. This tool is also able to set these policies in all versions of Windows, including the Home versions.

CryptoPrevent

A new feature of CryptoPrevent is the option to whitelist any existing programs in %AppData% or %LocalAppData%. This is a useful feature as it will make sure the restrictions that are put in place do not affect legitimate applications that are already installed on your computer. To use this feature make sure you check the option labeled Whitelist EXEs already located in %appdata% / %localappdata% before you press the Block button.

You can download CryptoPrevent from the following page:

http://www.foolishit.com/download/cryptoprevent/

For more information on how to use the tool, please see this page:

http://www.foolishit.com/vb6-projects/cryptoprevent/

Tip: You can use CryptoPrevent for free, but if you wish to purchase the premium version you can use the coupon code bleeping30off to get 30% off. The premium version includes automatic and silent updating of the application and definitions on a regular schedule, email alerts when an application is blocked, and custom allow and block policies to fine-tune your protection.

Once you run the program, simply click on the Apply Protection button to add the default Software Restriction Policies to your computer. If you wish to customize the settings, then please review the checkboxes and change them as necessary. If CryptoPrevent causes issues running legitimate applications, then please see this section on how to enable specific applications. You can also remove the Software Restriction Policies that were added by clicking on the Undo button.

How to manually create Software Restriction Policies to block CoinVault:

In order to manually create the Software Restriction Policies you need to be using Windows Professional or Windows Server. If you want to set these policies for a particular computer you can use the Local Security Policy Editor. If you wish to set these policies for the entire domain, then you need to use the Group Policy Editor. Unfortunately, if you are a Windows Home user, the Local Policy Editor is not available and you should use the CryptoPrevent tool instead to set these policies. To open the Local Security Policy editor, click on the Start button and type Local Security Policy and select the search result that appears. You can open the Group Policy Editor by typing Group Policy instead. In this guide we will use the Local Security Policy Editor in our examples.

Once you open the Local Security Policy Editor, you will see a screen similar to the one below.

Local Security Policy Editor

Once the above screen is open, expand Security Settings and then click on the Software Restriction Policies section. If you do not see the items in the right pane as shown above, you will need to add a new policy. To do this click on the Action button and select New Software Restriction Policies. This will then enable the policy and the right pane will appear as in the image above. You should then click on the Additional Rules category and then right-click in the right pane and select New Path Rule.... You should then add a Path Rule for each of the items listed below.

If the Software Restriction Policies cause issues when trying to run legitimate applications, you should see this section on how to enable specific applications.

Below are a few Path Rules that we suggest you use, not only to block the infections from running, but also to block attachments from being executed when opened in an e-mail client.

Block CoinVault executable in %AppData%

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Block CoinVault executable in %LocalAppData%

Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %LocalAppData%.

Block Zbot executable in %AppData%

Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

Block Zbot executable in %LocalAppData%

Path if using Windows XP: %UserProfile%\Local Settings\*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %LocalAppData%.

Block executables run from archive attachments opened with WinRAR:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.

Block executables run from archive attachments opened with 7zip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\7z*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.

Block executables run from archive attachments opened with WinZip:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\wz*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.

Block executables run from archive attachments opened using Windows built-in Zip support:

Path if using Windows XP: %UserProfile%\Local Settings\Temp\*.zip\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.

 

You can see an event log entry and alert showing an executable being blocked:

Event Log Entry

 

Executable being blocked alert

If you need help configuring this, feel free to ask in the CoinVault help topic.

 

How to allow specific applications to run when using Software Restriction Policies

If you use Software Restriction Policies, or CryptoPrevent, to block CoinVault you may find that some legitimate applications no longer run. This is because some companies mistakenly install their applications under a user's profile rather than in the Program Files folder where they belong. Due to this, the Software Restriction Policies will prevent those applications from running.

Thankfully, when Microsoft designed Software Restriction Policies they made it so a Path Rule that specifies a program is allowed to run overrides any path rules that may block it. Therefore, if a Software Restriction Policy is blocking a legitimate program, you will need to use the manual steps given above to add a Path Rule that allows the program to run. To do this you will need to create a Path Rule for a particular program's executable and set the Security Level to Unrestricted instead of Disallowed as shown in the image below.

 

Unrestricted Policy

 

Once you add these Unrestricted Path Rules, the specified applications will be allowed to run again.

File Location Notes:

%Temp% refers to the Windows Temp folder. By default, this is C:\Windows\Temp for Windows 95/98/ME, C:\DOCUMENTS AND SETTINGS\<Current User>\LOCAL SETTINGS\Temp for Windows 2000/XP, and C:\Users\<Current User>\AppData\Local\Temp in Windows Vista, Windows 7, and Windows 8.

%AppData% refers to the current user's Application Data folder. By default, this is C:\Documents and Settings\<Current User>\Application Data for Windows 2000/XP. For Windows Vista and Windows 7 it is C:\Users\<Current User>\AppData\Roaming.

This is a self-help guide. Use at your own risk.

BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? forum and someone will help you.
