Kaspersky Lab has released all 14,000 decryptor keys for the ransomware variants CoinVault and Bitcryptor, a second-generation version of CoinVault. According to IT-Online, the security firm first discovered CoinVault back in May of 2014. This particular form of ransomware has since been targeting victims in approximately 20 countries, with The Netherlands, Germany, the United States, France, and the United Kingdom especially hard hit by the malware. CoinVault is known to have affected at least 1,500 Windows-based machines, encrypting victims' computers and demanding payment in Bitcoin for the decryption keys. The ransomware has also characteristically offered victims a "free decrypt" to illustrate that CoinVault's authors could indeed unlock the encrypted files.
The GUI of the CoinVault window, complete with the cybercriminal’s bitcoin address. (Source: CryptoCoins News) For more than a year, the CoinVault malware campaign proceeded largely undeterred. However, a major blow was dealt to the ransomware in September of this year when the National High Tech Crime Unit (NHTCU) arrested two individuals, aged 18 and 22, on suspicion of involvement in the ransomware attacks. During the investigation that followed those arrests, the NHTCU in cooperation with the Netherlands' National Prosecutor's Office obtained several databases from CoinVault's command-and-control (C&C) servers that contained, among other things, Installation Vectors (IVs), private Bitcoin wallets, and decryption keys. Researchers with Kaspersky used these resources to study CoinVault further, an analysis which revealed, among other things, that the ransomware uses the CFB block cipher mode as well as 256-bit AES. These findings enabled the security firm to publish more than 700 decryption keys in April of this year. Now Kaspersky has released all 14,000 keys.
"The National High Tech Crime Unit (NHTCU) of the Netherlands’ police, the Netherlands’ National Prosecutors Office and Kaspersky Lab, have been working together to fight the CoinVault and Bitcryptor ransomware campaigns," a page which hosts Kaspersky's decryption tool reads. "During our joint investigation we have obtained data that can help you to decrypt the files being held hostage on your PC. We are now able to share a new decryption application that will automatically decrypt all files for Coinvault and Bitcryptor victims. For more information please see this how-to guide. We are considering this case as closed. The ransomware authors are arrested and all existing keys have been added to our database."
This news follows on the heels of Cisco's Talos Security Intelligence and Research Group having announced in early October the disruption of a large ransomware campaign connected to the Angler Exploit Kit.
