Files encrypted by CoinVault ransomware? New free tool may decrypt them

Victims of the CoinVault ransomware might be able to decrypt their files with a free tool released by Kaspersky Lab together with the Dutch police.

The tool can be found at https://noransom.kaspersky.com. The application uses decryption keys found by the Dutch police as part of an investigation.

Ransomware like CoinVault encrypts data on a disk or blocks access to a computer system. It is usually installed by exploiting a vulnerability on victims’ computers via phishing emails or links to malicious websites.

Unlike other ransomware, CoinVault lets victims see a list of the files it encrypted and decrypt one for free to try to get people to pay up.

The National High Tech Crime Unit (NHTCU) of the Dutch police recently obtained a database from a CoinVault command-and-control server containing decryption keys, the Dutch police said in a news release. The information obtained from that database allowed Kaspersky to build a decryption tool.

The tool isn’t 100 percent effective, but, as the investigation advances, the police hope to discover new keys and improve the tool’s success rate, said Kaspersky researcher Jornt van der Wiel, who helped build the decryption tool.

The Dutch police has not made any arrests in connection with the ransomware but said it soon might because the perpetrator behind the CoinVault ransomware is suspected to be in the Netherlands.

Victims of ransomware are encouraged to report attacks to the police because reports by a company and an individual led to the discovery of the keys and to a possible lead on a suspect, the police said.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Related:
Download the CIO Nov/Dec 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.