
CoinVault Ransomware Support and Help Topic


118 replies to this topic

#1 Nathan (DecrypterFixer) - Security Colleague, 1,617 posts, Florida

Posted 13 November 2014 - 09:38 PM

This month of November a new encryption infection has surfaced named "CoinVault". Looking at the main screen of the infection, it quickly becomes apparent that this infection looks exactly like Cryptographic Locker, just with a different name and logo, which I will discuss later. CoinVault, like every other encryption infection, will begin encrypting certain file types once started. When the encryption completes, the main infection screen will appear. This screen acts as the description of the infection, the purchase page, the One Free Decryption feature, and decryption. The amount of payment seems to start anywhere between .05 BTC and 1 BTC, and after 24 hours the price is raised. The application checks every 2 minutes to see what the current rate of BTC is from Bitcoinaverage.com, along with checking the infection's server to see if you have paid any amount of BTC yet. Now let's get into more detailed information!



[Image: gui1.png - CoinVault Main Screen]

[Image: gui2.png - CoinVault Free Decrypt Screen]

[Image: wallpaper.png - CoinVault wallpaper]


File additions and registry changes are:

%Temp%\CoinvaultFileList.txt
%Temp%\wallpaper.jpg
<Path to Dropper>\<random.exe>

HKCU\Control Panel\Desktop\Wallpaper    "C:\Users\User\AppData\Local\Temp\wallpaper.jpg"    (old value="")
HKCU\Control Panel\Desktop\WallpaperStyle    "1"    (old value="10")
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vault

 
 
CoinVault Ransomware Analysis: (Advanced)
 
Now for the real technical side. This infection was equipped with three layers of protection: a makeshift packer made in .NET, a RunPE protector named S.H.I.E.L.D that seems to be made from a kit, and obfuscation/encryption and protection with .NET Confuser 1.9, an extremely good security application for protecting .NET applications. But I won't be going into any information on the protection in this post.
 
Unfortunately, after decrypting and reversing the infection, I found that the infection is using AES encryption with a randomly generated key made from a cryptographic .NET function that is secure. It is then sent to a hacked server for safekeeping and is never stored on the computer. Both the key and IV used are 32 characters long, drawn from alphanumeric and special characters. So basically this means that the key is not recoverable without access to the hacked server, and the encryption is not breakable. Also, because the server isn't the virus creator's, it makes paying the infection even more dangerous, because at any moment the real server owners could wipe the keys, regain access, and you will not get your decrypt, if you would have at all.
 
 
Key Generation:

[Image: generatekey.png]

This is the function that the infection uses to generate its key and IV. The region that says "Array" is a hidden array that consists of every letter in the alphabet, every number, and special characters. The RNGCryptoServiceProvider is then used to generate random numbers in a loop to pick out random characters in the array. This successfully creates a cryptographically sound key and IV.
 

Key retrieval:

[Image: sendkey.png]

After the infection generates the key and IV, they are then sent up to the server, where they are associated with your FingerPrintValue, which is a value made from your computer's GUID, your username, and your computer name. It's a unique value that identifies you from this point on whenever this infection communicates with the server. A few reasons it will call home are to check if you have paid, to check your one free decrypt, and to check the time left until the price is increased.
 
 
Encryption Function:

 

[Image: encryption.png]

Here the key and IV, along with the specified file, are used to encrypt each file. The encryption is AES and is secure against all attacks. Below is a list of all file extensions targeted:

".odt",".ods",".odp",".odm",".odc",".odb",".doc",".docx",".docm",".wps",".xls",".xlsx",".xlsm",".xlsb",".xlk",".ppt",".pptx",".pptm",".mdb",".accdb",".pst",".dwg",".dxf",".dxg",
".wpd",".rtf",".wb2",".mdf",".dbf",".psd",".pdd",".pdf",".eps",".ai",".indd",".cdr",".dng",".3fr",".arw",".srf",".sr2",".mp3",".bay",".crw",".cr2",".dcr",".kdc",".erf",".mef",".mrw",".nef",".nrw",".orf",".raf",".raw",".rwl",".rw2",".r3d",".ptx",".pef",".srw",".x3f",".der",".cer",".crt",".pem",".pfx",".p12",".p7b",".p7c",".jpg",".png",".jfif",".jpeg",".gif",
".bmp",".exif",".txt"

Edited by Nathan, 13 November 2014 - 09:39 PM.

Have you performed a routine backup today?
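A defender's host-indicator check built from the file and registry artifacts listed in the post above. This is an added example, not code from the thread or from Nathan's tooling; the event records and their field names (type, path, key, value) are constructed to resemble endpoint telemetry and are assumptions.

```python
"""Host-indicator check for the CoinVault artifacts listed in the post above.
Added example, not from the original thread; event field names are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from the post: dropped files and registry changes.
FILE_LIST_RE = re.compile(r"\\Temp\\CoinvaultFileList\.txt$", re.I)
RUN_VAULT_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vault$", re.I)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
STYLE_RE = re.compile(r"\\Control Panel\\Desktop\\WallpaperStyle$", re.I)
TEMP_JPG_RE = re.compile(r"\\Temp\\wallpaper\.jpg$", re.I)
# The Run value and the file list are specific to CoinVault; the wallpaper
# changes happen in many benign ways and only corroborate.
STRONG = {"run_key_vault", "coinvault_file_list"}

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the indicator name an event matches, or None."""
    kind = event.get("type")
    if kind == "file_create" and FILE_LIST_RE.search(event.get("path", "")):
        return "coinvault_file_list"
    if kind == "reg_set":
        key, value = event.get("key", ""), event.get("value", "")
        if RUN_VAULT_RE.search(key):
            return "run_key_vault"
        if WALLPAPER_RE.search(key) and TEMP_JPG_RE.search(value):
            return "wallpaper_from_temp"
        if STYLE_RE.search(key) and value == "1":
            return "wallpaper_style_1"
    return None

def assess(events: List[Dict[str, str]]) -> Tuple[List[str], str]:
    """Collect distinct indicator hits and turn them into a verdict."""
    hits = {h for h in map(classify, events) if h is not None}
    if hits & STRONG:
        verdict = "likely_coinvault"
    elif len(hits) >= 2:
        verdict = "suspicious"  # two weak indicators together
    else:
        verdict = "clean"
    return sorted(hits), verdict

# Constructed sample telemetry mirroring the post's artifacts (dropper path is a placeholder).
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\User\AppData\Local\Temp\CoinvaultFileList.txt"},
    {"type": "reg_set", "key": r"HKCU\Control Panel\Desktop\Wallpaper", "value": r"C:\Users\User\AppData\Local\Temp\wallpaper.jpg"},
    {"type": "reg_set", "key": r"HKCU\Control Panel\Desktop\WallpaperStyle", "value": "1"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vault", "value": r"<path to dropper>\<random>.exe"},
]
```

Running `assess(SAMPLE_EVENTS)` on the constructed records returns all four indicator names and the verdict `likely_coinvault`; the wallpaper changes alone only reach `suspicious`.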


#2 Treveo - Members, 4 posts

Posted 14 November 2014 - 08:14 AM

Just an idea: You can decrypt one file for "free". Can't you use Wireshark or something to get the key and IV if CoinVault tries to communicate with a hacked server?



#3 Nathan (DecrypterFixer) - Topic Starter, Security Colleague, 1,617 posts, Florida

Posted 14 November 2014 - 02:50 PM

Sadly no, the infection uploads the file of choice to the server, decrypts it there and sends it back.


Have you performed a routine backup today?

#4 User321 - Members, 7 posts

Posted 17 November 2014 - 10:26 PM

.. so there are multiple versions of this one out there? Because decrypting the affected files looked promising when I submitted this..



#5 Nathan (DecrypterFixer) - Topic Starter, Security Colleague, 1,617 posts, Florida

Posted 17 November 2014 - 10:39 PM

Nope, this is even the dropper from you, I believe. You simply got a false positive because you were decrypting the same file that you used to create the key. You cannot do this.

 

Sadly, this infection has a secure encryption. Sorry.


Have you performed a routine backup today?

#6 User321 - Members, 7 posts

Posted 18 November 2014 - 01:27 PM

Hmm, while I didn't think I was that foolish, I just tried again and it appears you are right..

Oh well, I've managed to redownload most of my files, and I can probably live without most of the pictures, I guess.. because there's no way I'm paying what must be around 5 BTC now with those daily increments (if it were even possible, I've removed the infection already).

I'll take this as a learning experience: I will be putting my more important stuff in at least one (offline/offsite) backup location from now on, as my RAID5 works pretty well for most other disasters, but I just wasn't prepared for this type of mess.



#7 Nathan (DecrypterFixer) - Topic Starter, Security Colleague, 1,617 posts, Florida

Posted 18 November 2014 - 02:04 PM

I'm very sorry for the bad news. I always reverse every infection I can just in case, and sadly this one turned out like most of them do, secure.

 

With infection sources getting easier to access by even the lowest of computer kiddies, the need to make their own goes through the roof, and they just grab an already secure one, gain access to a low-security server, and bam, a new infection.

 

Again, I'm sorry. I'll be releasing an application to fight these things soon; keep updated on the threads :)


Have you performed a routine backup today?

#8 punx - Members, 5 posts

Posted 19 November 2014 - 01:38 PM

I have been infected by this virus. Just to confirm before I do anything permanent...

There is not much hope of decryptor programs being developed? So the best course of action is to remove the virus and lose my files forever?

(Or pay for it, which would be difficult since the first day's ransom exceeds my total bank balance already.)



#9 Nathan (DecrypterFixer) - Topic Starter, Security Colleague, 1,617 posts, Florida

Posted 19 November 2014 - 01:49 PM

Sadly yes, I'm sorry for the bad news.


Have you performed a routine backup today?

#10 Genex17 - Members, 80 posts

Posted 19 November 2014 - 07:26 PM

From this link: http://www.pcrisk.com/internet-threat-news/8430-coinvault-ransomware-offers-interesting-feature

 

Seems it hasn't touched Shadow volumes yet, so files might be recovered using Shadow Explorer.

 

(I hope I got that right).



#11 Nathan (DecrypterFixer) - Topic Starter, Security Colleague, 1,617 posts, Florida

Posted 19 November 2014 - 07:34 PM

The packer of the infection does remove restore points (not sure why they are saying it doesn't), but these commands fail a lot, so it's always good to check.


Have you performed a routine backup today?

#12 Genex17 - Members, 80 posts

Posted 19 November 2014 - 07:46 PM

Ah, I knew that was too easy :)

 

I have Cryptoprevent, and not being too sophisticated, I guess it is self contained and can evade that protection?

 

Most of these things try to get in via email, but are now being hosted on ads. So Firefox, with NoScript and Adblockers work?

 

Gene



#13 Crazy Cat - Members, 808 posts, Lunatic Asylum

Posted 19 November 2014 - 09:34 PM

Quoting Genex17:
    Ah, I knew that was too easy :)
    I have Cryptoprevent, and not being too sophisticated, I guess it is self contained and can evade that protection?
    Most of these things try to get in via email, but are now being hosted on ads. So Firefox, with NoScript and Adblockers work?
    Gene

CryptoPrevent is a good start. It's best NOT to surf the Internet logged in with an "administrator" account.

Activate the "Guest" account and log in: Firefox with NoScript, Adblockers, or Ghostery. With Internet Explorer, disable all scripting (Java, JavaScript) and ActiveX. Surf the Internet only logged in as a Guest.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#14 Nathan (DecrypterFixer) - Topic Starter, Security Colleague, 1,617 posts, Florida

Posted 19 November 2014 - 11:47 PM

Even off of an admin account, the infection will still run at the highest credentials possible, which 99% of the time will still affect personal file locations.


Have you performed a routine backup today?

#15 Crazy Cat - Members, 808 posts, Lunatic Asylum

Posted 20 November 2014 - 01:31 AM

Quoting Nathan:
    Even off of an admin account, the infection will still run at the highest credentials possible, which 99% of the time will still affect personal file locations.

Let's assume for a minute that the ransomware executes in a "Guest" account, bypassing CryptoPrevent (previously installed and configured in the admin account), and with scripting disabled, and attempts to run at the highest credentials?

It will need your approval, by typing in the administrator password and authorising it.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 





