New Tool Helps Victims Fight Bitcoin Ransomware

Kaspersky Lab has released a new tool to help free computer files 'held hostage' by bitcoin ransomware.

Apr 14, 2015 at 6:04 p.m. UTC
Updated Feb 21, 2023 at 1:37 p.m. UTC


UPDATE (17th April 2015 10:36): Kaspersky Lab has added a further 711 decryption keys to its database.


CoinVault, which has infected around 700 computers in the Netherlands, is a strain of malware that demands a rising amount of bitcoin to unlock files it has encrypted.

Thanks to Kaspersky's ransomware decrypter, certain victims can now access their files free of charge.

The tool was created after Dutch authorities shared a database of CoinVault's information (including IVs, keys and bitcoin wallets) with the firm as part of an investigation in the country.

Jornt van der Wiel, a security researcher at Kaspersky's global research and analysis unit, told CoinDesk that the company hopes to add more decryption keys to its database. He said:

"We have uploaded a huge number of keys onto the site, and together with the National High Tech Crime Unit of the Netherlands' police we are continuously updating the information."

To pay or not to pay

Though Kaspersky and the Dutch authorities uncovered a sizeable chunk of data, users whose keys are not on the list or those who have been targeted by a different strain of ransomware remain locked out.

When faced with this dilemma, some victims – including police departments – are choosing to pay up and hope for the best.

"As there are few ways to get files back without paying, users often just give in. This is the wrong strategy, but it's often the easiest for the user," Van der Wiel said.

Additionally, police in the CoinVault investigation argue that payment doesn't always mean you'll get the files back. Rather, this behaviour perpetuates the problem. A translated statement from the department reads:

"[Paying] motivates the criminals to continue to use this payment method, and furthermore does not always lead to actual release."

Indeed, a 2014 study from security firm ESNET showed that of the 39,760 people who did pay the ransom of a similar virus, Cryptolocker, only 570 were given access to decryption software after making their payment.

As files can be retrieved only if tools like Kaspersky's are created, the best choice, Van der Wiel says, is protection. Users should keep their anti-malware suite updated and make a habit of backing up their most important files, he added.

About CoinVault

CoinVault first came to the attention of Kaspersky Lab last November. The virus, which has targeted more than 20 countries, usually gains access to victims' machines via phishing emails or links to malicious websites.

Unlike other strains, including Cryptolocker, CoinVault lets victims decrypt one file 'on the house' – perhaps to alleviate worries that documents will remain locked after a payment has been made.

After 24 hours the ransom starts to rise. As the bitcoin address CoinVault provides is "dynamic", it is very difficult to trace the funds it receives, said Van der Wiel. CoinVault's creators are keen to protect their product too, he added:

"In terms of functionality we have seen similar malicious applications in the past, including 'TorrentLocker' and some PowerShell ransomware. In fact, the amount of effort invested in protecting CoinVault's code shows that the cybercriminals are leveraging previously developed libraries and functionality in order to avoid reinventing the wheel."

Authorities have not made any arrests in connection with CoinVault, but say they are still investigating the perpetrator, who is believed to be in the Netherlands.

Users can find the decryption tool at Kaspersky's website, which also features the company's decryption app and 'how to' guides on the subject.
