When you become infected with CoinVault, it configures itself to start automatically when you log in to Windows by creating a Registry autostart entry named Vault. The application then scans your drives for data files and encrypts any that it finds. It stores the path of each file it encrypts in the %Temp%\CoinVaultFileList.txt file. The file extensions that CoinVault targets are:
.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .dng, .3fr, .arw, .srf, .sr2, .mp3, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .lnk, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c, .jpg, .png, .jfif, .jpeg, .gif, .bmp, .exif, .txt, .zip, .rar, .mp4, .iso

When it has finished encrypting your data, it displays a ransom screen that explains how to pay a ransom to decrypt your files. Each infected user is assigned a different bitcoin address, which makes it harder to monitor payments for this malware. Unlike most other ransomware, CoinVault does not use a separate decryption site; instead, the malware itself acts as the decrypter and payment system. This infection also terminates almost all executables that are started while it is running, to make it harder to remove.
Finally, this infection will change your Windows wallpaper to the background below:
There is some good news for those who are infected. When CoinVault encrypts your data, it does not securely overwrite the original files and it does not delete the Shadow Volume Copies. This means that you can use a file recovery tool to undelete your files, or a program like Shadow Explorer to restore your files from the Shadow Volume Copies. Information on how to restore your files from Shadow Volume Copies can be found in the CryptoLocker guide.
Nathan, our resident ransomware expert, is analyzing this malware, and as more information becomes available we will post it in our CoinVault Support Topic.
Thanks to user321 for providing a sample of this malware.
Files associated with CoinVault:
%AppData%\Microsoft\Windows\coinvault.exe
%AppData%\Microsoft\Windows\edone
%AppData%\Microsoft\Windows\filelist.txt
%Temp%\CoinVaultFileList.txt
%Temp%\wallpaper.jpg

Registry entries associated with CoinVault:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Vault "%AppData%\Microsoft\Windows\coinvault.exe"
HKCU\Control Panel\Desktop\Wallpaper "%Temp%\wallpaper.jpg"
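The indicators above can be checked on a suspect machine with a short triage script. The following PowerShell is an added example written for this article; it is not code from the article itself or from the malware. The file paths and Registry values it checks are the ones listed above (with %AppData% and %Temp% read from the environment); the summary of %Temp%\CoinVaultFileList.txt assumes the file holds one encrypted path per line, as the article describes, and the Shadow Volume Copy check uses the standard Win32_ShadowCopy WMI class.

```powershell
# Added triage script for the CoinVault indicators listed in this article (not the article's own code).
# Run from an elevated PowerShell session; Win32_ShadowCopy requires administrator rights.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Files the article associates with CoinVault. %AppData% -> $env:APPDATA, %Temp% -> $env:TEMP.
$fileIndicators = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\coinvault.exe'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\edone'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\filelist.txt'),
    (Join-Path $env:TEMP    'CoinVaultFileList.txt'),
    (Join-Path $env:TEMP    'wallpaper.jpg')
)
foreach ($path in $fileIndicators) {
    if (Test-Path -LiteralPath $path) {
        $findings.Add("File indicator present: $path")
    }
}

# 2. The per-user autostart value named 'Vault' under the Run key.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$vault = Get-ItemProperty -Path $runKey -Name 'Vault' -ErrorAction SilentlyContinue
if ($null -ne $vault) {
    $findings.Add("Run value 'Vault' present: $($vault.Vault)")
}

# 3. Desktop wallpaper redirected to %Temp%\wallpaper.jpg.
$wallpaper = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'Wallpaper' -ErrorAction SilentlyContinue).Wallpaper
if ($wallpaper -and ($wallpaper -like '*\wallpaper.jpg')) {
    $findings.Add("Wallpaper points at $wallpaper")
}

# 4. Scope of the damage: CoinVaultFileList.txt records each encrypted path (one per line, assumed).
$listPath = Join-Path $env:TEMP 'CoinVaultFileList.txt'
if (Test-Path -LiteralPath $listPath) {
    $encrypted = @(Get-Content -LiteralPath $listPath | Where-Object { $_.Trim() -ne '' })
    $findings.Add("Encrypted file list entries: $($encrypted.Count)")
    # Break the list down by extension so the most affected file types are visible at a glance.
    $encrypted |
        Group-Object { [System.IO.Path]::GetExtension($_).ToLowerInvariant() } |
        Sort-Object Count -Descending |
        Select-Object -First 10 |
        ForEach-Object { $findings.Add("  $($_.Name): $($_.Count)") }
}

# 5. Recovery prospects: the article notes that CoinVault leaves Shadow Volume Copies intact.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$findings.Add("Shadow copies available: $($shadows.Count)")

if ($findings.Count -eq 0) { 'No CoinVault indicators found.' } else { $findings }
```

Because the article says CoinVault terminates almost every executable started while it is running, this script will only run reliably after the coinvault.exe process has been stopped or from Safe Mode. A non-zero shadow copy count at the end is the signal that restoring from the Shadow Volume Copies, as described above, is still an option.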