This page is here to help people infected with CoinVault ransomware. Read our guide below to learn how to decrypt CoinVault-encrypted files.
This is a trojan-ransomware virus that encrypts data (for this reason it is also known as cryptoware) and charges a ransom for the key to decipher it. It enters by stealth or trickery and proceeds to make your data unreadable, giving files .vault extensions. The key to the encryption is stored on a control server (located on a Tor, or Dark Web, domain), which the virus contacts as soon as it enters the host system. This link is also used to communicate the ransom demand to the user and to facilitate payment. The key is as yet unbroken for this ransomware, so unless the victim pays, any recovery of the data must be done by first deleting CoinVault and attempting to recover previous copies of files. The virus first emerged in Slavic countries in 2015 and is thought to originate in Russia. This virus can also download a browser password dump tool that will be used to steal log-in information, which is then uploaded to a Tor site for future villainy…
How CoinVault enters a system
As with most of these damned extortion parasites, CoinVault enters as a result of a vulnerability in the system, through software downloads, or through the inattention of the user. Whilst some ransomware has one predominant, or more successful, route to drop its trojan, all of these methods can be employed and should be guarded against. They are preventable, though the trickery employed in getting the unwary user to make a mistake can be quite sophisticated:
* spam e-mails that can appear to be from government or financial institutions, requiring you to open an attachment to reveal information supposedly of financial benefit;
* pop-ups offering updates of popular freeware like VLC or Flash Player;
* trojans embedded in free downloads (which may be legitimate, but have the virus bundled in), torrents, etc.;
* exploit kit (EK) attacks that target a browser or system vulnerability and then drop a trojan; these can be carried out on dubious sites, on legitimate ones compromised by hackers, or on peer-to-peer blogs;
* redirection to a dubious site as a result of clicking on a random advert;
* more rarely, manual hacking through Remote Desktop Protocol (RDP) or unsecured networks.
So most of these avenues, if not all, can be secured. It is far easier to stop CoinVault entering your system. Dealing with the consequences of infection and uninstalling CoinVault after it has penetrated is much more trouble and will inevitably result in data loss and possible identity theft.
What to do if infected by CoinVault
The earlier you find that this has entered your system, the less damage there will be. Work out a plan, because repeated start-ups and prolonged usage before successful deletion will result in the virus becoming stronger. Ideally, a thorough security suite will have a firewall to warn of its presence and quarantine or destroy it. If this isn't done, then a good anti-virus program should detect it early. If the infection can be dealt with before the encryption is complete, then data can be saved. While some less advanced security software will not detect CoinVault immediately, there are manual signs that may indicate a trojan: slowing of processing speed; momentary, random system (and screen) freezing; an increase in pop-ups; unsolicited connections to the internet. If you notice these signs, disconnect from the internet (both wired and wireless) immediately, as well as from any network connections. Back up all files to an external drive or USB flash drive. Introduce quality security software that states that it recognizes this virus, or manually remove CoinVault in Safe Mode with Networking as detailed below. Then attempt to find copies of any encrypted files in the system back-up by doing a System Restore and searching for Previous Copies, or in shadow volume copies using a tool like Shadow Explorer (download this at window.microsoft.com).
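To pick a restore point or shadow copy that predates the encryption, it helps to know where the .vault files are and when the first one was written. The Python script below is an added example, not part of the original guide or of any vendor tool; its function names are hypothetical, and it assumes that a .vault file's modification time reflects when it was encrypted.

```python
import os
import sys
from collections import Counter
from datetime import datetime, timezone

# Extension the guide says CoinVault gives to encrypted files.
ENCRYPTED_SUFFIX = ".vault"


def inventory_vault_files(root):
    """Read-only walk of root: count .vault files per folder and record the
    earliest and latest modification times (UTC) among them."""
    per_folder = Counter()
    mtimes = []
    for folder, _dirs, files in os.walk(root):  # unreadable folders are skipped
        for name in files:
            if not name.lower().endswith(ENCRYPTED_SUFFIX):
                continue
            try:
                mtime = os.stat(os.path.join(folder, name)).st_mtime
            except OSError:
                continue  # file vanished or cannot be read; leave it out
            per_folder[folder] += 1
            mtimes.append(mtime)

    def as_utc(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc)

    return {
        "total": len(mtimes),
        "per_folder": dict(per_folder),
        # Assumption: mtime of a .vault file is when it was encrypted.
        "first_encrypted": as_utc(min(mtimes)) if mtimes else None,
        "last_encrypted": as_utc(max(mtimes)) if mtimes else None,
    }


def copies_before_encryption(report, copy_times):
    """Keep the restore-point or shadow-copy times (timezone-aware datetimes)
    that are older than the first .vault file, oldest first."""
    first = report["first_encrypted"]
    return sorted(t for t in copy_times if first is None or t < first)


if __name__ == "__main__":
    report = inventory_vault_files(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(report["total"], "encrypted files; first written", report["first_encrypted"])
    for folder, count in sorted(report["per_folder"].items(), key=lambda kv: -kv[1]):
        print(f"{count:6d}  {folder}")
```

The per-folder counts also show which folder to select later under "Folder with encrypted files" in the decryptor.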
How to decrypt CoinVault files
To decrypt CoinVault encrypted files, please follow the steps below:
STEP 1: Download the free CoinVaultDecryptor from here: https://noransom.kaspersky.com/static/CoinVaultDecryptor.zip
STEP 2: Extract the .zip archive
STEP 3: Double-click on CoinVaultDecryptor.exe
STEP 4: Click Change parameters
STEP 5: Uncheck List of encrypted files. Check Folder with encrypted files.
STEP 6: Click Start scan. Wait until the utility finishes the decryption process. This may sometimes take days, so please be patient. Do not turn off the computer or close the running tool.
How to Prevent CoinVault
* Install the most advanced anti-virus/malware program you can find that has regular updates;
* Update your browser. Set its security settings to the maximum threat warning;
* Always use Advanced/Custom download and installation options;
* Don't open dubious files, e-mails or pop-up offers;
* Secure – or disable – RDP;
* Secure networks for access only to Authenticated Users;
* Research Software Restriction Policies. They block executable files from running when located in specific paths (for instructions see the Microsoft website).
* Perform back-ups regularly and copy all personal files to external drives or cloud storage.
Good practice is paramount to preventing infection. This is underpinned by advance detection: software that can identify threats before they try to enter your system, and that can eliminate CoinVault and variant threats… lock the gates to your system before a ransomware infection locks you out of your files!