CoinVault Ransomware’s Free File Decrypt A Show of Good Faith

A new piece of ransomware called CoinVault offers to decrypt a single file for free in hopes of encouraging victims to pay the ransom.

UPDATE: A prior version of this story incorrectly defined VSS as vulnerability scanning systems when in fact it refers to volume shadow copy service, which is a Windows automatic data backup and recovery mechanism. Thanks to commenter Rudy for pointing this out.

The courteous CoinVault ransomware offers its victims the opportunity to recover one file for free, as a sort of in-good-faith display that paying the decryption ransom will in fact restore locked files.

The new ransomware is otherwise fairly similar to contemporary threats such as CryptoLocker, Crowti, and CryptoWall. All of these malware families encrypt the files on their victims’ hard drives and demand a ransom payment before the user can recover those files. CoinVault also deploys the same 256-bit AES cryptography, uses a similar interface, and disables VSS (volume shadow copy service).

However, Tyler Moffitt of Webroot claims this is the first ransomware to entice users with free file recovery.

“What’s unique about this variant that I wanted to share with you all is that this is the first Encrypting Ransomware that I’ve seen which actually gives you a free decrypt,” Moffitt wrote on the Webroot Threat Blog this morning. “It will let you pick any single file that you need after encryption and will decrypt it for you.”

To be clear: Moffitt tested the free decrypt feature and it actually works.

Moffitt suggests that the free file recovery feature could very well increase the number of users willing to pay the ransom required to decrypt their files. Now that CoinVault is out there, it’s very likely detectable by any decent antivirus solution. However, Moffitt notes that its authors could very well build a zero-day version of the threat, which would not be detected. Therefore, he says a regular data backup routine is the best protection against this and similar malware.

CoinVault is also somewhat novel in the way it runs a 24-hour countdown in its user interface. While a lot of ransomware merely throws away the encryption key once the allotted payment period expires, CoinVault just adds some more Bitcoins to the total and restarts the clock. That process is repeated until the user pays the fee in full.

Discussion

  • Rudy on

    The Webroot article mentions it kills VSS but you misinterpreted that to mean vulnerability scanning service. I think Moffitt is referring to the Windows Volume Shadow Copy Service (VSS) which can be used to restore data from a previous restore point.
    • Brian Donohue on

      Thanks for the heads up. Let me look into it and publish an update if needed.
    • Brian Donohue on

      You are correct. Story has been updated. Thanks again.
  • John Skalek on

    Does anyone do research anymore? This was in fact discovered by the people at BleepingComputer.com first and they wrote about it on the 11th. http://www.bleepingcomputer.com/forums/t/555781/a-new-ransomware-called-coinvault-has-been-released/ Furthermore, there is nothing new about the offer of free decryption on one file. CryptoWall and TorrentLocker both offered this months ago.
  • daniel on

    danshelto4[dot]wix[dot]com/coinvault try this, it worked for me
