UPDATE: A prior version of this story incorrectly defined VSS as vulnerability scanning systems when in fact it refers to volume shadow copy service, which is a Windows automatic data backup and recovery mechanism. Thanks to commenter Rudy for pointing this out.

The courteous CoinVault ransomware offers its victims the opportunity to recover one file for free, as a sort of in-good-faith display that paying the decryption ransom will in fact restore locked files.

The new ransomware is otherwise fairly similar to contemporary threats such as CryptoLocker, Crowti, and CryptoWall. All of this malware encrypts the files on the hard drives of their victims and demands ransom payment in order for the user to recover those files. It also deploys the same 256-bit AES cryptography, a similar interface, and disables VSS (volume shadow copy service).

However, Tyler Moffitt of Webroot claims this is the first ransomware to entice users with free file recovery.

“What’s unique about this variant that I wanted to share with you all is that this is the first Encrypting Ransomware that I’ve seen which actually gives you a free decrypt,” Moffit wrote on the Webroot Threat Blog this morning. “It will let you pick any single file that you need after encryption and will decrypt it for you.”

To be clear: Moffitt tested the free decrypt feature and it actually works.

Moffitt suggests that the free file recovery feature could very well increase the number of users willing to pay the ransom required to decrypt their files. Now that CoinVault is out there, it’s very likely detectable by any decent antivirus solution. However, Moffitt notes that its authors could very well build a zero-day version of the threat, which would not be detected.  Therefore, he says a regular data backup routine is the best protection against this and similar malware.

CoinVault is also somewhat novel in the way it runs a 24-hour countdown in its user interface. While a lot of ransomware merely throws away the encryption key once the allotted payment period expires, CoinVault just adds some more Bitcoins to the total and restarts the clock. That process is repeated until the user pays the fee in full.

CoinVault Ransomware

CoinVault Ransomware

Categories: Malware

Comments (5)

  1. Rudy
    1

    The Webroot article mentions it kills VSS but you misinterpreted that to mean vulnerability scanning service. I think Moffitt is referring to the Windows Volume Shadow Copy Service (VSS) which can be used to restored data from a previous restore point.

Comments are closed.