A new ransomware called CoinVault has been released


24 replies to this topic

#1 Grinler (Lawrence Abrams)

  • Admin
  • 43,073 posts
  • Gender:Male
  • Location:USA

Posted 11 November 2014 - 09:12 PM

CoinVault is a new ransomware from the same family as CryptoGraphic Locker. Once infected, CoinVault will encrypt all of your data files and then demand a 0.7 bitcoin ransom to decrypt your files. If you do not pay the ransom within 24 hours, the ransom price will increase. It is strongly advised that you do not pay the ransom and instead try to restore your files from backups or Shadow Volume Copies.

[Image: coinvault.jpg]
When you become infected with CoinVault it will configure itself to start automatically when you login to Windows by setting an autostart in the Registry called Vault. The application will then scan your drives for data files and encrypt any that are detected. It will store the path to each file it encrypts in the %Temp%\CoinVaultFileList.txt file. The file extensions that CoinVault targets are:

.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .dng, .3fr, .arw, .srf, .sr2, .mp3, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .lnk, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c, .jpg, .png, .jfif, .jpeg, .gif, .bmp, .exif, .txt, .zip, .rar, .mp4, .iso

When it has finished encrypting your data it will then display a ransom screen that explains how you can pay a ransom to decrypt your files. Each infected user will also be assigned a different bitcoin address to make it harder to monitor payments for this malware. Unlike most other ransomware, CoinVault does not use a decryption site and instead the malware itself acts as the decrypter and payment system. This infection will also terminate almost all executables that are started to make it harder to remove.

Finally, this infection will change your Windows wallpaper to the background below:
[Image: wallpaper.jpg]


There is some good news for those who are infected. When CoinVault encrypts your data it does not do so in a secure manner and does not wipe Shadow Volumes. This means that you can use a file recovery tool to undelete your files or a program like Shadow Explorer to restore your files from the Shadow Volume Copies. Information on how to restore your files from Shadow Volume Copies can be found in the CryptoLocker guide.

Nathan, our resident ransomware expert, is analyzing this malware and as more information is available we will post in our CoinVault Support Topic.

Thanks to user321 for providing a sample of this malware.

Files associated with CoinVault:

%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg

Registry entries associated with CoinVault:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vault    "%AppData%\Microsoft\Windows\coinvault.exe"
HKCU\Control Panel\Desktop\Wallpaper    "%Temp%\wallpaper.jpg"


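The following triage and recovery helper is an added example written for this thread; it is not part of Lawrence's post and is not a BleepingComputer or Shadow Explorer tool. It assumes an elevated PowerShell session on the infected Windows host, that the file paths and the Run value named Vault are exactly as listed above, and that a directory symlink can be created at an unused path (C:\shadow_mount, an assumption) to expose a Shadow Volume Copy; the mklink approach is a standard way of reading a shadow copy and is not something the post describes. The evidence and recovery directories on the Desktop are also assumptions. Nothing here decrypts anything: it removes the autostart, preserves the malware's own list of encrypted files, and copies pre-encryption versions out of shadow copies where they exist. Because the post notes that CoinVault kills other executables, run this from Safe Mode if the PowerShell window itself is being terminated.

```powershell
# Added example: CoinVault triage and shadow-copy recovery helper (not from the original post).
# Assumes an elevated PowerShell session on the infected host. Paths and the "Vault" Run
# value are those listed in the post; C:\shadow_mount and the Desktop folders are assumptions.

$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$FileList  = "$env:TEMP\CoinVaultFileList.txt"      # malware's own inventory of encrypted files
$Artifacts = @(
    "$env:APPDATA\Microsoft\Windows\coinvault.exe",
    "$env:APPDATA\Microsoft\Windows\edone",
    "$env:APPDATA\Microsoft\Windows\filelist.txt",
    "$env:TEMP\wallpaper.jpg"
)

# Report which of the listed indicators are present on this host.
function Test-CoinVaultIndicators {
    $hits = @()
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Vault']) { $hits += "Run\Vault = $($run.Vault)" }
    $wp = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -like '*\wallpaper.jpg') { $hits += "Wallpaper = $wp" }
    foreach ($f in ($Artifacts + $FileList)) {
        if (Test-Path -LiteralPath $f) { $hits += "File: $f" }
    }
    return $hits
}

# Stop the process, drop the autostart and the dropped files, but keep a copy of
# CoinVaultFileList.txt first: it is the most reliable record of what was encrypted.
function Remove-CoinVaultPersistence {
    param([string]$EvidenceDir = "$env:USERPROFILE\Desktop\coinvault-evidence")   # assumption
    Get-Process -Name coinvault -ErrorAction SilentlyContinue | Stop-Process -Force
    Remove-ItemProperty -Path $RunKey -Name Vault -ErrorAction SilentlyContinue
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    if (Test-Path -LiteralPath $FileList) { Copy-Item -LiteralPath $FileList -Destination $EvidenceDir -Force }
    foreach ($f in $Artifacts) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
}

# Copy the newest shadow-copy version of one encrypted file into $DestinationDir.
# The shadow copy is exposed through a directory symlink; the trailing backslash
# on the device path is required by mklink.
function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory=$true)][string]$Path,            # e.g. D:\Photos\2009\img001.cr2
        [Parameter(Mandatory=$true)][string]$DestinationDir,
        [string]$MountPoint = 'C:\shadow_mount'               # assumption: any unused path
    )
    $drive  = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')        # "D:"
    $volume = Get-WmiObject Win32_Volume | Where-Object { $_.DriveLetter -eq $drive }
    $shadow = Get-WmiObject Win32_ShadowCopy |
              Where-Object { $volume -and $_.VolumeName -eq $volume.DeviceID } |
              Sort-Object InstallDate -Descending | Select-Object -First 1   # DMTF dates sort lexically
    if (-not $shadow) { throw "No shadow copy exists for $drive; an undelete tool is the remaining option." }
    if (Test-Path -LiteralPath $MountPoint) { cmd /c rmdir "$MountPoint" | Out-Null }   # removes link only
    cmd /c mklink /d "$MountPoint" "$($shadow.DeviceObject)\" | Out-Null
    $relative = $Path.Substring($drive.Length).TrimStart('\')
    $source   = Join-Path $MountPoint $relative
    if (-not (Test-Path -LiteralPath $source)) { throw "Not present in shadow copy: $source" }
    New-Item -ItemType Directory -Path $DestinationDir -Force | Out-Null
    Copy-Item -LiteralPath $source -Destination $DestinationDir -Force
    return (Join-Path $DestinationDir (Split-Path -Leaf $Path))
}

# Usage: triage, remove persistence, then walk the malware's file list and recover
# whatever the shadow copies still hold; drives without shadow copies are reported.
Test-CoinVaultIndicators
Remove-CoinVaultPersistence
Get-Content -LiteralPath $FileList -ErrorAction SilentlyContinue | Where-Object { $_.Trim() -ne '' } | ForEach-Object {
    try   { Restore-FromShadowCopy -Path $_ -DestinationDir "$env:USERPROFILE\Desktop\recovered" }   # assumption
    catch { Write-Warning $_.Exception.Message }
}
```

Only the newest shadow copy per volume is tried; if a file was already encrypted when that snapshot was taken, change the Select-Object -First 1 to iterate older copies. Files on volumes with no shadow copies at all (the situation Sumwan describes further down the thread) are the ones to hand to a file-recovery tool, since the post notes the original files are not securely wiped.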


#2 Xirw

  • Members
  • 93 posts

Posted 12 November 2014 - 12:07 AM

Meh, kinda seems like a lazy, cheap CryptoLocker variant to me.

#3 ITGeekGirl

  • Members
  • 64 posts
  • Gender:Female
  • Location:Michigan

Posted 12 November 2014 - 08:14 AM

> Meh, kinda seems like a lazy, cheap CryptoLocker variant to me.

I'm sure this isn't "meh" news to people infected with this variant. They can breathe a sigh of relief knowing that they don't HAVE to pay to get their information back.



#4 Aerys

  • Members
  • 182 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 12 November 2014 - 10:16 AM

I'd rather see this come into my shop than the CryptoLocker 2.0 that I have been seeing, it sucks to tell people you can't do anything to help them and that all of their files are gone. I wonder how long it will take the author to update it and fix the flaws...


Edited by Aerys, 12 November 2014 - 10:21 AM.

He said the same thing he had been saying for hours... "burn them all".

-Jaime Lannister

Feel free to add me on Skype for help or to chat; lolballinn


#5 dicke (Paraclete)

  • Members
  • 2,130 posts
  • Gender:Male
  • Location:Charlotte, NC

Posted 12 November 2014 - 11:12 AM

> I'd rather see this come into my shop than the CryptoLocker 2.0 that I have been seeing, it sucks to tell people you can't do anything to help them and that all of their files are gone. I wonder how long it will take the author to update it and fix the flaws...

Could we be lucky enough that he/she doesn't know how?


Stay well and surf safe [stay protected]

Dick E


#6 jeffdavis

  • Members
  • 1 post

Posted 12 November 2014 - 12:30 PM

Let's hope. But we probably won't be that lucky.



#7 Aerys

  • Members
  • 182 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 12 November 2014 - 02:20 PM

> Could we be lucky enough that he/she doesn't know how?

Looks like there is a small chance, since it is fairly easy to come across the source for something like this. I wouldn't hold my breath :unsure:




#8 dicke (Paraclete)

  • Members
  • 2,130 posts
  • Gender:Male
  • Location:Charlotte, NC

Posted 12 November 2014 - 04:16 PM

I'm never surprised at the lengths some people will go to, to destroy the property of others - usually because they can't / won't work hard enough to get the same things for themselves.

 

Dick




#9 IllusionEclipse

  • Members
  • 202 posts
  • Gender:Male
  • Location:Chillin in my Compspace

Posted 13 November 2014 - 12:11 AM

Let's just hope that another case of this doesn't happen here like last time:

> When you tell a programmer, even a malware developer, what is wrong with their program it makes sense that they are going to fix it. Unfortunately, it seems that the malware devs behind the TorrentLocker ransomware were listening because as of yesterday they started using a new encryption method.

Original Article: TorrentLocker now uses stronger encryption due to tips from security researchers


An illusion is as real as the person who sees it, but wouldn't that be an illusion in and of itself?


#10 User321

  • Members
  • 7 posts
  • Gender:Male

Posted 13 November 2014 - 08:28 AM

The targeted file extension list is incomplete; I know it goes for .zip, .rar, .mp4 and .iso also.


Edited by User321, 13 November 2014 - 11:10 AM.


#11 Nikhil_CV (Vestibulum Bleep)

  • Members
  • 1,134 posts
  • Gender:Male
  • Location:err: Destination unreachable! bash!

Posted 13 November 2014 - 08:46 AM

Did a fix arrive?
It seems that people (mal devs) are interested in making money with what they have, some smoke of confusion and fear.

Regards : CV
There is no ONE TOUCH key to security! Be alert and vigilant....! Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when it's shared to others. :radioactive: signature contents © cv and Someone....... :wink:

#12 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,073 posts
  • Gender:Male
  • Location:USA

Posted 13 November 2014 - 12:38 PM

> The targeted file extension list is incomplete; I know it goes for .zip, .rar, .mp4 and .iso also.

Thanks..updated the first post.

> Did a fix arrive?
> It seems that people (mal devs) are interested in making money with what they have, some smoke of confusion and fear.

Unfortunately, it does not look promising at this point, but we are still looking into it.

Shadow Volumes are your best bet right now if you do not have a backup.

#13 Sumwan

  • Members
  • 2 posts

Posted 13 November 2014 - 05:21 PM

My parents' computer got infected with this ransomware. They have NO backups enabled. I have deleted CoinVault, and have restored their computer with System Restore. However, ALL their files are still encrypted. I have managed to restore the files on the C: drive with the help of Shadow Explorer. However, they have several more drives with years of photos and other precious files stored on them, which have no shadow volume available. Is there anything I can do to recover these files? We are really upset and don't know what to do.



#14 ginnyoneal

  • Members
  • 24 posts
  • Gender:Female
  • Location:the woods

Posted 13 November 2014 - 06:42 PM

Can't the authorities do something? You would think that the law would be able to stop these people.



#15 dicke (Paraclete)

  • Members
  • 2,130 posts
  • Gender:Male
  • Location:Charlotte, NC

Posted 13 November 2014 - 09:40 PM

> Can't the authorities do something? You would think that the law would be able to stop these people.

Which law in what country? If you can discover the origin of the threat there may be some ways to eliminate them. Otherwise you shouldn't shoot when you have no target.

Sad fact of computing today






