Kaspersky Lab has released a new tool to help free computer files ‘held hostage’ by bitcoin ransomware.
CoinVault, which has infected 700 computers in the Netherlands so far, is a strain of malware that demands a rising amount of bitcoin to unlock encrypted files on the victim’s computer.
Thanks to Kaspersky’s ransomware decrypter, users may now be able to unlock their files for free.
The tool was created after Dutch authorities shared a database of CoinVault’s information (including IVs, keys and bitcoin wallets) with Kaspersky as part of an investigation in the country.
Jornt van der Wiel, a security researcher at Kaspersky’s global research and analysis team, told CoinDesk that the team hopes to add more keys to its database.
“We have uploaded a huge number of keys onto the site, and together with the National High Tech Crime Unit of the Netherlands’ police we are continuously updating the information.”
To pay or not to pay
Though Kaspersky and the Dutch authorities have uncovered a sizeable chunk of data, users whose keys are not on the list, or have been targeted by a different strain of the virus, remain locked out, watching the bounty tick higher.
“As there are few ways to get files back without paying, users often just give in. This is the wrong strategy, but it’s often the easiest for the user,” Van der Wiel said.
Despite recent reports of police departments shunning this advice, a 2014 study from security firm ESNET showed that an overwhelming majority of victims – 98.55% – didn’t pay the ransom of a similar virus, Cryptolocker. Of the 39,760 people who did, only 570 were given access to decryption software after making a payment.
According to the police in the CoinVault investigation, payment doesn’t always mean you’ll get the files back. Instead, it contributes to the problem. A translated statement from the department reads:
“[Paying] motivates the criminals to continue to use this payment method, and furthermore does not always lead to actual release.”
As files can be retrieved only if tools can be created, the best choice, Van der Wiel says, is protection. Users should keep their anti-malware suite updated and make a habit of backing up their most important files, he added.
CoinVault first came to the attention of Kaspersky last November. The virus, which has targeted more than 20 countries, is usually installed by exploiting a vulnerability on victims’ computers via phishing emails or links to malicious websites.
Unlike other strains, including Cryptolocker, CoinVault lets victims decrypt one file ‘on the house’ – perhaps to alleviate worries that files will remain locked after payment has been made.
A payment is demanded in less than 24 hours or the price continues to rise. The bitcoin address used is dynamic too, making the tracing of the funds a lot more complex than usual.
“In fact, the amount of effort invested in protecting CoinVault’s code shows that the cybercriminals are leveraging previously developed libraries and functionality in order to avoid reinventing the wheel,” said Van der Wiel.
To download the decryption tool, users must visit Kaspersky’s website, where they will find the decryption app and a how-to guide.
Authorities say they are still searching for the suspect, who they believe to be in the Netherlands.