
CoinVault ransomware decrypter now available through Kasperksy


12 replies to this topic

#1 Grinler (Lawrence Abrams)
Admin, 43,270 posts, Location: USA

Posted 13 April 2015 - 08:26 AM

Today Kaspersky announced the availability of a free decryption application for those affected by the CoinVault ransomware. In a joint operation between Kaspersky, the National High Tech Crime Unit (NHTCU) of the Netherlands' police, and the Netherlands' National Prosecutors Office, a database of some of the private decryption keys was seized from CoinVault's Command & Control server. Using this database, Kaspersky has created a dedicated site and decryption application that can be used to decrypt files encrypted by CoinVault. Unfortunately, in our tests the database is incomplete and does not contain every bitcoin address associated with CoinVault victims.

[Image: ransomware-decryptor-site.jpg]

To check whether Kaspersky was able to recover your decryption key, go to the site https://noransom.kaspersky.com/ and enter the bitcoin address that is displayed in the CoinVault program. Once you enter the Bitcoin address, the site will search through the decryption key database and check whether they have your key. If the site is unable to find your bitcoin address, it will state "Currently we do not have any records for this Bitcoin wallet." Otherwise it will show the IV code and key that are associated with your bitcoin address. You will need this information to decrypt your files using their decryption application.

If you are able to retrieve your information, you should download Kaspersky's CoinVault Decryptor and enter the IV code and Key that the site displayed. You can then either decrypt an individual file or all of your encrypted files. If you wish to decrypt all of your encrypted files, you need to browse to the filelist.txt file that contains a list of all your encrypted files. This file is usually located at %AppData%\Microsoft\Windows\filelist.txt.

[Image: decryption-applications.jpg]

Once you are ready to decrypt your files, click on the Start button. After performing the mass decryption process using the filelist.txt list, if there are any data files still encrypted you can use the tool to decrypt those leftover files individually. If there are many files left over, you can enter their paths into a text file and use that file as your encrypted file list.

Kaspersky provides instructions on how to use the program, but unfortunately it does not address some issues. For example, if the CoinVault program is unable to access the Command & Control server, it will not make itself visible. Therefore, you may be unable to access your bitcoin addresses. Furthermore, if you are not able to access the GUI for the ransomware, you cannot use the instructions for exporting the file list. If you know your CoinVault bitcoin address, you can access the file list using the path described above.
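The leftover-files step described above (snapshot what filelist.txt lists, run the decryptor, then collect whatever is still untouched into a new list the tool can be pointed at), as an added Python example that is not part of the original post or of Kaspersky's tool. The one-path-per-line format of filelist.txt and the rule "SHA-256 unchanged after the pass means still encrypted" are assumptions.

```python
"""Track a CoinVault decryption pass via filelist.txt.

Example code added here; not Kaspersky's tool and not from the original post.
Assumptions: filelist.txt holds one path per line (hypothetical format), and a
file whose SHA-256 is unchanged after the decryptor ran is treated as still
encrypted, so it can go into the leftover list the post says the tool accepts."""
import hashlib
import os
from pathlib import Path

# Path the post gives for the list CoinVault writes; %AppData% is expanded at runtime.
DEFAULT_FILELIST = os.path.expandvars(r"%AppData%\Microsoft\Windows\filelist.txt")


def read_filelist(filelist):
    """Return the non-empty, de-duplicated paths from a filelist.txt, in order."""
    seen = {}
    for line in Path(filelist).read_text(encoding="utf-8", errors="replace").splitlines():
        p = line.strip().strip('"')
        if p:
            seen.setdefault(p, None)
    return list(seen)


def sha256_file(path):
    """Stream the file so large encrypted files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Map each listed path to its SHA-256, or None when the file is missing."""
    return {p: sha256_file(p) if os.path.isfile(p) else None for p in paths}


def still_encrypted(before, after):
    """Paths that existed before and whose content is byte-identical after the pass."""
    return [p for p, h in before.items() if h is not None and after.get(p) == h]


def write_leftover_list(paths, out):
    """Write a filelist.txt-style list to feed back to the decryptor; returns the count."""
    text = "\n".join(paths) + ("\n" if paths else "")
    Path(out).write_text(text, encoding="utf-8")
    return len(paths)
```

Take a snapshot before clicking Start, a second one afterwards, and hand `still_encrypted()` to `write_leftover_list()` to produce the text file the post describes for the remaining files.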



#2 Aura (Bleepin' Special Ops)
Malware Response Team, 18,600 posts, Location: Quebec, Canada

Posted 13 April 2015 - 08:40 AM

Your URL link is broken, Grinler :P

CoinVault Ransomware: http://www.bleepingcomputer.com/virus-removal/coinvault-ransomware-information

Any hints that let us guess whether they plan on seizing more servers?

Edited by Aura., 13 April 2015 - 08:41 AM.

unite_blue.png
Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Sintharius (Bleepin' Sniper)
Members, 5,639 posts, Location: The Netherlands

Posted 13 April 2015 - 08:54 AM

Any hints that let us guess whether they plan on seizing more servers?

From the decryption website itself...

Please note that this is an ongoing investigation and new keys will be added in the future.

I sure hope they do :)

#4 Aura (Bleepin' Special Ops)
Malware Response Team, 18,600 posts, Location: Quebec, Canada

Posted 13 April 2015 - 08:56 AM

Gotta love Kaspersky :) I wonder if they plan on seizing servers for other cryptowares as well. It honestly looks nice for an antivirus company to work with law enforcement and take down cybercriminals :P



#5 Sintharius (Bleepin' Sniper)
Members, 5,639 posts, Location: The Netherlands

Posted 13 April 2015 - 09:02 AM

You will have to ask law enforcement for that... remember, Kaspersky Labs only wrote the decryption utility - they do not *actually* do the seizing of key databases.

#6 Aura (Bleepin' Special Ops)
Malware Response Team, 18,600 posts, Location: Quebec, Canada

Posted 13 April 2015 - 09:06 AM

I guess they can help with the logistics behind where the servers would be located and all. Of course, they don't send employees there to participate in the seizure, but I'm sure that they do more than simply writing the decryption utility. Probably like FireEye and Fox-IT back with CryptoLocker.



#7 Grinler (Lawrence Abrams), Topic Starter
Admin, 43,270 posts, Location: USA

Posted 13 April 2015 - 09:15 AM

Fixed the link. From my testing, I could not get a single CoinVault-associated bitcoin address to be found in a lookup, but I hope that they are adding more as we speak.

#8 Sintharius (Bleepin' Sniper)
Members, 5,639 posts, Location: The Netherlands

Posted 13 April 2015 - 10:28 AM

By the way Grinler, the title has a typo ("Kasperksy" at the end).

#9 Sirawit (Bleepin' Brony)
Malware Response Team, 4,153 posts, Location: Thailand

Posted 14 April 2015 - 09:20 AM

Hi Grinler.

Topic name is "CoinVault ransomware decrypter now available through Kasperksy".

Should be: "CoinVault ransomware decryptor now available through Kaspersky" (based on Kaspersky's website).

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

"You're lying… just like you were lying to me before. You have to hate me. I've been the worst daughter in the world… you should hate me."

"But I don't, Nyx. Because, Nyx, I'm your mother, and a mother will always love her daughter, no matter what." - Past Sins by Pen Stroke.


#10 suppasak
Members, 2 posts

Posted 23 April 2015 - 05:45 AM

Hi,

If my bitcoin address is not in the Kaspersky database, what do I do next?

Bitcoin address: 19QJNRuaNCJgsrCvtSvLC7vNUgx989wc4q



#11 Aura (Bleepin' Special Ops)
Malware Response Team, 18,600 posts, Location: Quebec, Canada

Posted 23 April 2015 - 07:04 AM

Hi suppasak :)

Sadly, it means that they don't have your private key, or they didn't seize the keys associated with the Bitcoin ransom address you have. For now, I suggest you back up your encrypted files somewhere and wait for updates from Kaspersky. As the investigation is ongoing, they might add more private keys as they seize new C&C servers.



#12 suppasak
Members, 2 posts

Posted 23 April 2015 - 08:21 PM

Hi, Aura

God bless, I will wait for Kaspersky to update the private keys every day. I cry so much. T_T



#13 Aura (Bleepin' Special Ops)
Malware Response Team, 18,600 posts, Location: Quebec, Canada

Posted 23 April 2015 - 08:29 PM

You can follow them on Facebook or Twitter if you want to have updates on that situation. They'll post something as soon as they get more private keys.





