So i became a victim of this randsomware, i found an article on how to get
rid of it. But me personally still reinstalled the Windows since i had
nothing to lose. But thats just personal think. Enjoy peeps.
In most cases, if you are a victim of ransomware, there’s nothing you can do. Luckily, from time to time
police and cybersecurity companies take down command and control servers
of ransomware and retrieve information from them. This information is
really useful, because it helps to create decryption tools and to
recover users’ files. Recently, Dutch cyber-police and Kaspersky Lab
created such a solution for CoinVault victims.
If you want to know more about CoinVault itself, you can read our detailed report at Securelist. If you are interested in exactly how we created a decryption solution, we covered it in a very detailed blog post. If you are looking for instruction on how to get rid of this ransomware and restore your files, then keep reading below.
Step 1: Are you infected with CoinVault?
First, make sure your files are stolen by CoinVault and not by
another ransomware. It’s fairly easy to determine: If you are infected
with CoinVault, you will see an image like below:
Step 2: Get the Bitcoin wallet address
In the bottom right of CoinVault you will see the Bitcoin wallet
address (it’s marked with a black circle on the image above). It’s very
important for you to copy and save this address!
Step 3: Get the encrypted file list
In the top left corner of the malware window you will see a ‘View
encrypted filelist’ button (it’s marked with blue circle on the image
above). Click this button and save the output to a file.
Step 4: Remove CoinVault
Go to https://kas.pr/kismd-cvault and download the trial version of Kaspersky Internet Security. Install
it and it will remove CoinVault from your system. Be sure to save all
information retrieved in steps 2 and 3.
Step 5: Check https://noransom.kaspersky.comAt https://noransom.kaspersky.com you should enter the Bitcoin wallet address from step 2. If your
Bitcoin wallet address is known, the IV and Key will appear on the
screen. Please note that multiple keys and IVs may appear. In this case
save all the keys and IVs to your computer, you will need them later.
Step 6: Download the decryption tool
Download the decryption tool at https://noransom.kaspersky.com and run it on your computer. If you get an error message, as shown
below, go to step 7. If not, skip step 7 and proceed to step 8.
Step 7: Download and install additional libraries
Go to http://www.microsoft.com/en-us/download/details.aspx?id=40779 and follow the instructions on the website. Then install the software.
Step 8: Start the decryption tool
Start the tool and you will see a screen like below:
Step 9: Test if the decryption works properly
When running the tool for the first time, we strongly advise you to do a test decryption. Do the following:
- Click “Select file” button in the “Single File Decryption” box and select one file you want to decrypt;
- Enter the IV from the webpage into the IV box;
- Enter the key from the webpage into the key box;
- Click “Start” button.
Verify whether the newly created file is properly decrypted.
Step 10: Decrypt all files stolen by CoinVault
If everything was okay in step 9, then you can recover all your files
at once. To do that select the file list from step 3, enter IV and key
and click start. You can select “Overwrite encrypted file with decrypted
contents” if you want.
Recover your files stolen by #CoinVault #ransomware. Free of chargeTweetIf you received multiple IVs and keys when you entered your Bitcoin
wallet address, please be very careful. At the moment we are not 100%
sure where the multiple IVs and keys for one Bitcoin wallet come from.
In this case, we strongly recommend leaving the “Overwrite encrypted
file with decrypted contents” box unticked. If something goes wrong with
the decryption you can try another IV+key pair until the file is
If you didn’t receive the IV and key at all, you should wait and check https://noransom.kaspersky.com. The investigation is ongoing, and we will add new keys as soon as they are available.