Ransomware is a type of malware that locks you out of your own computer until you pay a ransom to get access back. Although CoinVault is a few months old, it is resurfacing on computers. Detecting this infection is straightforward: you will see nothing but a screen similar to this:
Step 1 – get the Bitcoin wallet address. This is displayed in the box at the lower-right of the screen. It will be something similar to 1Kav9PXogqIYApmZWqt59bUJitVy96 (this is a random example). It is very important to save this wallet address!
Step 2 – get the encrypted file list by clicking the button in the top left corner of the CoinVault box. Save the output to a file.
Step 3 – remove CoinVault. Go to https://kas.pr/kismd and download the trial version of Kaspersky Internet Security. Install it and remove CoinVault from your computer.
Step 4 – navigate to https://noransom.kaspersky.com. You can submit the Bitcoin wallet address from Step 1. If your Bitcoin wallet address is known, the IV and key will appear on the screen. Please note that multiple keys and IVs may appear. If this is the case, please save all the keys and IVs to your computer; you will need them later.
Step 5 – download the decryption tool from https://noransom.kaspersky.com/ and run it on your computer. If you get an error message, as shown below, go to step 6. If not, go to step 7.
Step 6 – download and install the additional libraries from http://www.microsoft.com/en-us/download/details.aspx?id=40779, following the instructions on the website.
Step 7 – decrypt your files. Start the tool and you will see a screen as shown below.
When running the tool for the first time, we strongly advise the following:
- click on “select file” in the Single File Decryption box and select the file you want to decrypt
- enter the IV from the webpage into the IV box
- enter the key from the webpage into the key box
- click on “start”
Verify whether the newly created file is properly decrypted. If this is the case, you can select “Overwrite encrypted file with decrypted contents”, select the file list from step 2, and click on “start” again.
If you received multiple IVs and keys when you entered your Bitcoin wallet address, please be very careful. At the moment we are not 100% sure where the multiple IVs and keys for one Bitcoin wallet come from. Therefore we suggest leaving “Overwrite encrypted file with decrypted contents” unticked and trying to decrypt one file first (you can take this file from the list obtained in step 2). If the new file is not properly decrypted, try another key/IV pair until the file is successfully decrypted. This should be done for all the files.
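To make the try-one-file-first workflow from steps 5 to 7 and the multiple key/IV caveat concrete, here is an added Go example; it is not Kaspersky's tool and not code from this post. It assumes AES-256 in CBC mode with PKCS#7 padding (the post does not state the cipher) and that you know the header of the file type you picked from the step 2 list; the keys, IVs and plaintext are constructed sample values.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)
// KeyIV is one key/IV candidate from the lookup page; AES-256-CBC with PKCS#7 padding is an assumption here.
type KeyIV struct{ Key, IV []byte }
// cbcEncrypt exists only to build the constructed sample in main.
func cbcEncrypt(pt []byte, p KeyIV) []byte {
	blk, _ := aes.NewCipher(p.Key)
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, p.IV).CryptBlocks(ct, padded)
	return ct
}

// Recover tries every candidate pair on one encrypted file and returns the index of the first
// one whose output has consistent padding and the expected file header (-1 if none). Nothing is overwritten.
func Recover(ct []byte, cands []KeyIV, magic []byte) (int, []byte) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return -1, nil
	}
	for i, p := range cands {
		blk, err := aes.NewCipher(p.Key)
		if err != nil || len(p.IV) != aes.BlockSize {
			continue
		}
		pt := make([]byte, len(ct))
		cipher.NewCBCDecrypter(blk, p.IV).CryptBlocks(pt, ct)
		n := int(pt[len(pt)-1])
		if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
			continue // inconsistent padding: this pair did not encrypt the file
		}
		if pt = pt[:len(pt)-n]; bytes.HasPrefix(pt, magic) {
			return i, pt
		}
	}
	return -1, nil
}

func main() {
	// Constructed sample: three candidate pairs; only the second one encrypted the file.
	cands := []KeyIV{{bytes.Repeat([]byte{1}, 32), bytes.Repeat([]byte{0xA}, 16)},
		{bytes.Repeat([]byte{2}, 32), bytes.Repeat([]byte{0xB}, 16)}, {bytes.Repeat([]byte{3}, 32), bytes.Repeat([]byte{0xC}, 16)}}
	i, pt := Recover(cbcEncrypt([]byte("%PDF-1.4 constructed sample"), cands[1]), cands, []byte("%PDF"))
	fmt.Printf("pair %d worked: %q\n", i, pt) // prints: pair 1 worked: "%PDF-1.4 constructed sample"
}
```

Write the returned plaintext to a new file and compare it with the original's expected content before ticking the overwrite option in the real tool.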