
Woburn, MA – April 13, 2015 - Starting today, victims of the CoinVault ransomware have a chance to retrieve their data without having to pay the criminals, thanks to a repository of decryption keys and a decryption application made available online by Kaspersky Lab and the National High Tech Crime Unit (NHTCU) of the Netherlands’ police. The keys and the tool can be found on noransom.kaspersky.com, together with clear instructions on how to implement them.

CoinVault ransomware has been around for a while, encrypting victims’ files and demanding Bitcoins to unlock them. In order to help victims recover from an attack, the NHTCU and the Netherlands’ National Prosecutors Office obtained a database from a CoinVault command & control server. This server contained Initialization Vectors (IVs), Keys and private Bitcoin wallets and helped Kaspersky Lab and the NHTCU to create the special repository of decryption keys. As the investigation is ongoing, new keys will be added when available.

“If you get infected with the CoinVault ransomware, please check noransom.kaspersky.com. We have uploaded a huge number of keys onto the site. If we do not currently have records for a particular Bitcoin wallet, you can check again in the near future, because together with the National High Tech Crime Unit of the Netherlands’ police we are continuously updating the information,” - says Jornt van der Wiel, Security Researcher at Global Research and Analysis Team, Kaspersky Lab.

CoinVault has infected more than 1,000 Windows-based machines in over 20 countries, with the majority of victims in the Netherlands, Germany, the USA, France and the UK. Victims have also been registered in Belgium, Austria, Switzerland, Norway, Sweden, Luxemburg, Denmark, Slovakia, Slovenia, Spain, Italy, Hungary, Ireland, Croatia, Russia, Canada, Israel, the United Arab Emirates, China, Indonesia, Thailand, South Africa, Australia, New Zealand, Panama, the Dominican Republic, and Mexico.

“Nowadays, many believe that combatting cybercrime requires public-private partnerships. We do it. Just talk to your partners, identify how you can help each other achieve a mutual aim: helping cybersecurity.” - explains Marijn Schuurbiers from the High Tech Crime Team of the Dutch Police.

Kaspersky Lab security experts also analyzed the malware samples and designed and built a decryption tool that can unlock files and delete the CoinVault malicious program from infected computers.

To discover how to remove the CoinVault ransomware from your computer and restore your files, please visit https://noransom.kaspersky.com/

To help prevent ransomware infection, keep your anti-malware suite updated and make a habit of backing up your most important files.

Kaspersky Lab detects this family as 'Trojan-Ransom.Win32.Crypmodadv.cj'. 

About Kaspersky Lab

Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 17-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 400 million users worldwide. Learn more at www.kaspersky.com.

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact
Sarah (Bergeron) Kitsos 
781.503.2615
sarah.kitsos@kaspersky.com

* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2013. The rating was published in the IDC report "Worldwide Endpoint Security 2014–2018 Forecast and 2013 Vendor Shares" (IDC #250210, August 2014). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2013.

No Ransom: The National High Tech Crime Unit of the Netherlands’ police and Kaspersky Lab help victims to escape from CoinVault ransomware
