CoinVault baits users by decrypting one file only to encrypt all others
The latest ransomware, called CoinVault, hits the hijacked PC and "generously" lets the victim decrypt one file for free before demanding payment in Bitcoin for the rest. Like a drug dealer or bank robber, the new malware gives the paying party a "taste" of the liberated goods, then demands full payment for the remainder. The ransom increases the longer the victim waits to pay.
Bait to attract money
CoinVault is similar to other ransomware families we have seen before. The one difference is that this ransomware lets you decrypt one of the "hostage" files to show you that the decryption works and to demonstrate the 'noble' intent of the hijackers. Once it infects a Windows PC, CoinVault displays a message telling victims that "Your personal documents and files on this computer have just been encrypted." It demands payment in the cryptocurrency Bitcoin and gives instructions on how victims can send the money. The malware itself can be removed from the machine like any other program, but removing it leaves no way to recover the encrypted files, and the ransom note says so to drive the message home.
Experts always advise users against paying such a ransom, mainly because there is no legal framework, or any other means, to ensure that the attacker will decrypt the files once the payment has been made. Most attackers do decrypt the files after payment, but if one decides not to, the victim is stuck, since breaking the encryption themselves could take years. The "one free decrypt" policy is probably a way for the attacker to persuade more people to pay up. The payment address shown to victims is also changed dynamically, reducing the chance of the attacker being tracked down.
Security researchers who analyzed the malware found that it is built on the .NET framework. An interesting detail is that the ransomware also checks for network analyzers such as Wireshark, probably to hinder analysis. Kaspersky detects this family as 'Trojan-Ransom.Win32.Crypmodadv.cj'. We have already seen malicious applications with similar functionality in the past, such as 'TorrentLocker' and some PowerShell ransomware, but the amount of effort invested in this one to protect its code shows that cybercriminals are leveraging already developed libraries and functionality rather than reinventing the wheel.
To protect against such ransomware, it is advised to:
- Always make a backup of all your critical files and save them either to an external hard drive or to the cloud.
- Save several versions to prevent the chance of the backup also being encrypted.
- If you are ever infected with ransomware, you can then simply delete the malware and restore your files from the backup.
- You should also make sure all your software is up-to-date and patched, as ransomware almost always exploits known software vulnerabilities.
- Be sure to install and run a robust antivirus solution, which will catch most or all forms of criminal-controlled malware.
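The backup advice above, as an added example that is not code from the article: a small Python script that keeps several timestamped snapshots, records a SHA-256 manifest for each, and restores from the newest snapshot whose manifest still verifies, so a backup that was itself overwritten or encrypted is skipped rather than restored. The file contents and snapshot names are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(src: Path, dest: Path, keep: int, stamp: str) -> Path:
    """Copy src into a new snapshot dir; older snapshots are never overwritten."""
    snap = dest / stamp
    if snap.exists():
        raise FileExistsError(f"snapshot {stamp} already exists")
    shutil.copytree(src, snap)
    # Manifest of hashes lets a later restore detect a tampered/encrypted backup.
    files = sorted(p for p in snap.rglob("*") if p.is_file())
    manifest = "\n".join(f"{sha256(p)}  {p.relative_to(snap)}" for p in files)
    (dest / f"{stamp}.sha256").write_text(manifest)
    # Retention: keep only the newest `keep` snapshots (names sort chronologically).
    snaps = sorted(d for d in dest.iterdir() if d.is_dir())
    for old in snaps[:-keep]:
        shutil.rmtree(old)
        (dest / f"{old.name}.sha256").unlink(missing_ok=True)
    return snap


def verify(dest: Path, stamp: str) -> bool:
    """True only if every file in the snapshot still matches its recorded hash."""
    snap = dest / stamp
    for line in (dest / f"{stamp}.sha256").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        if not (snap / rel).is_file() or sha256(snap / rel) != digest:
            return False
    return True


def restore(dest: Path, target: Path) -> str:
    """Restore from the newest snapshot that verifies; return its name."""
    for snap in sorted((d for d in dest.iterdir() if d.is_dir()), reverse=True):
        if verify(dest, snap.name):
            shutil.copytree(snap, target, dirs_exist_ok=True)
            return snap.name
    raise RuntimeError("no intact snapshot available")


def demo() -> tuple:
    """Constructed scenario: two snapshots, newest one damaged, restore picks the older."""
    root = Path(tempfile.mkdtemp())
    docs, backups, restored = root / "docs", root / "backups", root / "restored"
    docs.mkdir(); backups.mkdir()
    (docs / "report.txt").write_text("quarterly figures")
    snapshot(docs, backups, keep=3, stamp="2014-11-21T10-00")
    (docs / "report.txt").write_text("quarterly figures, revised")
    snapshot(docs, backups, keep=3, stamp="2014-11-22T10-00")
    # Simulate the newest backup being overwritten by an encryptor (random bytes).
    (backups / "2014-11-22T10-00" / "report.txt").write_bytes(os.urandom(32))
    used = restore(backups, restored)
    return used, (restored / "report.txt").read_text()
```

Run `demo()` to see the damaged newest snapshot rejected and the intact older one restored; in practice point the snapshot target at an external drive or cloud mount that the infected PC cannot write to directly.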
Source: Securelist.