Kaspersky Lab has released a repository of decryption keys, available to the public and free of charge, to decrypt files locked by CoinVault ransomware.
Numerous variations of ransomware have hijacked over 1,000 computers, locking files or blocking access to PC functions, and demanding a ransom payable in bitcoins. The decentralized, effectively anonymous nature of bitcoins means that the criminals can successfully repeat their attacks without fear of apprehension.
Victims of CoinVault would find a message informing them:
“Your personal documents and files on this computer have just been encrypted. The original files have been deleted and will only be recovered by following the steps described below. Click on ‘View encrypted files’ to see a list of files that got encrypted.”
The message goes on to say that the keys needed to unlock the files will only be released upon the payment of a given sum of bitcoins to a certain address. To tempt the user, one file can be decrypted for free. Should the user decide to attempt deleting the CoinVault malware, “you will never be able to get your original files back.” Support is available by e-mailing firstname.lastname@example.org.
Kaspersky obtained the keys following a raid by the National High Tech Crime Unit (NHTCU) of the Netherlands police, which seized CoinVault servers. The servers contained initialization vectors (IVs), keys and private bitcoin wallets. Kaspersky said that more keys will be added.
Kaspersky worked in collaboration with NHTCU and other law enforcement agencies and security software companies in the operation, coordinated by Interpol’s Global Complex for Innovation in Singapore, that culminated in the seizure of ten command-and-control centers in the Netherlands.