CoinVault is a new ransomware from the same family as CryptoGraphic Locker. Once it runs, CoinVault encrypts all of your data files and then demands a 0.7 bitcoin ransom to decrypt them. If the ransom is not paid within 24 hours, the price increases. It is strongly advised that you do not pay the ransom and instead try to restore your files from backups or Shadow Volume Copies.
When you become infected with CoinVault, it configures itself to start automatically when you log in to Windows by creating a Registry autostart entry named Vault. It then scans your drives for data files and encrypts any that match its target list, storing the path of each file it encrypts in %Temp%\CoinVaultFileList.txt. The file extensions that CoinVault targets are:
.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .dng, .3fr, .arw, .srf, .sr2, .mp3, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .lnk, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c, .jpg, .png, .jfif, .jpeg, .gif, .bmp, .exif, .txt, .zip, .rar, .mp4, .iso
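Because CoinVault records every path it encrypts in %Temp%\CoinVaultFileList.txt, that file is the quickest way to scope an infection and to build the list of files to restore from backups or Shadow Volume Copies. The script below is an added example, not code from the original article: it parses such a list, counts affected files per extension, flags any path whose extension is outside the target list above (a hint that you are looking at a variant), and picks out the files on drives where Shadow Volume Copies exist. The article does not document the list's format, so "one absolute path per line" is an assumption, and the sample contents are constructed.

```python
"""Triage helper for a host hit by CoinVault.

Added example, not code from the original article. Assumption: the file
list written by CoinVault holds one absolute path per line. The sample
contents below are constructed.
"""
import sys
from collections import Counter
from pathlib import PureWindowsPath

# Extensions the article says CoinVault targets.
COINVAULT_EXTENSIONS = frozenset("""
.odt .ods .odp .odm .odc .odb .doc .docx .docm .wps .xls .xlsx .xlsm .xlsb .xlk
.ppt .pptx .pptm .mdb .accdb .pst .dwg .dxf .dxg .wpd .rtf .wb2 .mdf .dbf .psd
.pdd .pdf .eps .ai .indd .cdr .dng .3fr .arw .srf .sr2 .mp3 .bay .crw .cr2 .dcr
.kdc .erf .mef .mrw .nef .nrw .orf .raf .raw .rwl .rw2 .r3d .ptx .pef .srw .x3f
.lnk .der .cer .crt .pem .pfx .p12 .p7b .p7c .jpg .png .jfif .jpeg .gif .bmp
.exif .txt .zip .rar .mp4 .iso
""".split())

# Constructed sample of %Temp%\CoinVaultFileList.txt (format is an assumption).
SAMPLE_FILE_LIST = """\
C:\\Users\\alice\\Documents\\budget.xlsx
C:\\Users\\alice\\Documents\\thesis.docx
C:\\Users\\alice\\Pictures\\holiday.jpg
C:\\Users\\alice\\Pictures\\holiday.JPG
C:\\Users\\alice\\.ssh\\id_rsa.pem
D:\\share\\notes.txt
D:\\share\\archive.zip

C:\\Users\\alice\\Desktop\\todo.md
"""


def parse_file_list(text):
    """Return the non-empty, stripped lines of the file list, in order."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def summarize(paths):
    """Count listed files per extension (case-insensitive) and collect paths whose
    extension is outside the known target set, which would suggest a variant."""
    by_ext = Counter()
    unexpected = []
    for path in paths:
        ext = PureWindowsPath(path).suffix.lower()
        by_ext[ext] += 1
        if ext not in COINVAULT_EXTENSIONS:
            unexpected.append(path)
    return by_ext, unexpected


def restore_candidates(paths, vss_drives=("C",)):
    """Paths on drives where Shadow Volume Copies are kept (the caller supplies those
    drive letters), i.e. the files Shadow Explorer may be able to bring back."""
    wanted = {d.upper() for d in vss_drives}
    return [p for p in paths if PureWindowsPath(p).drive.rstrip(":").upper() in wanted]


if __name__ == "__main__":
    # Usage: python coinvault_triage.py [path\to\CoinVaultFileList.txt]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_FILE_LIST
    paths = parse_file_list(text)
    counts, odd = summarize(paths)
    print(f"{len(paths)} files listed")
    for ext, n in counts.most_common():
        print(f"  {ext or '(no extension)'}: {n}")
    for p in odd:
        print(f"  outside known target list: {p}")
    print(f"{len(restore_candidates(paths))} on C: (check Shadow Volume Copies)")
```

Run it against the real list (copied off the infected machine) to get a per-extension breakdown; anything reported as outside the known target list deserves a closer look before you assume the sample matches this article's description.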
When it has finished encrypting your data, it displays a ransom screen that explains how to pay to decrypt your files. Each infected user is also assigned a different bitcoin address, which makes payments for this malware harder to monitor. Unlike most other ransomware, CoinVault does not use a separate decryption site; the malware itself acts as the decrypter and payment system. The infection also terminates almost all executables that are started, which makes it harder to remove.
Finally, this infection will change your Windows wallpaper to the background below:
There is some good news for those who are infected. CoinVault does not encrypt your data in a secure manner and does not wipe Shadow Volume Copies. This means you can use a file recovery tool to undelete your files, or a program like Shadow Explorer to restore them from the Shadow Volume Copies. Information on how to restore your files from Shadow Volume Copies can be found in the CryptoLocker guide.
Files associated with CoinVault:
%Temp%\wallpaper.jpg
%Temp%\CoinVaultFileList.txt
Registry entries associated with CoinVault:
HKCU\Control Panel\Desktop\Wallpaper "%Temp%\wallpaper.jpg"
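The indicators above are enough for a quick host check. The script below is an added example, not code from the original article: its matching logic runs over a snapshot of the files in %Temp% and a few registry values, and on Windows it can collect that snapshot itself with the standard-library winreg module. The file and wallpaper indicators come from the article; the article names the autostart value "Vault" but does not say which key holds it, so the per-user Run key used here is an assumption, and the infected-host snapshot at the bottom (including the binary path) is constructed.

```python
"""Check a Windows host for the CoinVault indicators listed in the article.

Added example, not code from the original article. Assumptions: the "Vault"
autostart value lives in the per-user Run key, and the sample snapshot below
is constructed (the article does not give the binary's path).
"""
import os
import sys

TEMP_TOKEN = "%Temp%"
INDICATOR_FILES = (r"%Temp%\wallpaper.jpg", r"%Temp%\CoinVaultFileList.txt")
WALLPAPER_VALUE = (r"HKCU\Control Panel\Desktop", "Wallpaper")
# Assumption: the autostart entry named "Vault" sits in the per-user Run key.
RUN_VALUE = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Vault")


def expand_temp(path, temp_dir):
    """Drop surrounding quotes and replace the %Temp% token with the real directory."""
    return path.strip('"\u201c\u201d').replace(TEMP_TOKEN, temp_dir)


def check_indicators(existing_files, registry, temp_dir):
    """Pure matching logic over a host snapshot.

    existing_files: iterable of absolute paths present on disk.
    registry: dict mapping (key_path, value_name) -> value data.
    Returns human-readable findings; an empty list means nothing matched.
    """
    findings = []
    present = {p.lower() for p in existing_files}
    for indicator in INDICATOR_FILES:
        full = expand_temp(indicator, temp_dir)
        if full.lower() in present:
            findings.append(f"file present: {full}")
    wallpaper = registry.get(WALLPAPER_VALUE)
    expected = expand_temp(INDICATOR_FILES[0], temp_dir).lower()
    if wallpaper and expand_temp(wallpaper, temp_dir).lower() == expected:
        findings.append(f"wallpaper points at {expand_temp(wallpaper, temp_dir)}")
    autostart = registry.get(RUN_VALUE)
    if autostart:
        findings.append(f"autostart value {RUN_VALUE[1]!r} runs {autostart}")
    return findings


def collect_live():
    """Read the real %Temp% listing and registry values (Windows only; empty elsewhere)."""
    if sys.platform != "win32":
        return set(), {}, ""
    import winreg  # standard library, Windows only
    temp_dir = os.environ["TEMP"]
    files = {os.path.join(temp_dir, name) for name in os.listdir(temp_dir)}
    registry = {}
    for key_path, value_name in (WALLPAPER_VALUE, RUN_VALUE):
        subkey = key_path.split("\\", 1)[1]  # strip the HKCU\ prefix
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                registry[(key_path, value_name)] = winreg.QueryValueEx(key, value_name)[0]
        except OSError:
            pass  # key or value absent
    return files, registry, temp_dir


# Constructed snapshot of an infected host, used when not running on Windows.
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_FILES = {
    SAMPLE_TEMP + r"\wallpaper.jpg",
    SAMPLE_TEMP + r"\CoinVaultFileList.txt",
    SAMPLE_TEMP + r"\~DF3A1B.tmp",
}
SAMPLE_REGISTRY = {
    WALLPAPER_VALUE: SAMPLE_TEMP + r"\wallpaper.jpg",
    RUN_VALUE: r"C:\placeholder\coinvault.exe",  # placeholder; not from the article
}
# Constructed snapshot of a clean host: stock wallpaper, no Vault autostart.
CLEAN_REGISTRY = {WALLPAPER_VALUE: r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"}


if __name__ == "__main__":
    files, registry, temp_dir = collect_live()
    if not temp_dir:  # not on Windows: demonstrate with the constructed snapshot
        files, registry, temp_dir = SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_TEMP
    for line in check_indicators(files, registry, temp_dir) or ["no CoinVault indicators found"]:
        print(line)
```

A wallpaper value is matched whether it is stored expanded or as the quoted "%Temp%\wallpaper.jpg" form shown above. Any hit on the autostart value should be confirmed by hand, since the key it lives in is assumed rather than documented by the article.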