
Wednesday, November 12, 2014

How to Remove CoinVault Virus and Restore Encrypted Files

CoinVault is an encryption virus (ransomware) that encrypts your files and then demands a 0.7 bitcoin ransom (sometimes even more) in exchange for your private decryption key and IV. It's similar to the CryptoWall 2.0 ransomware, but this variant is less sophisticated. That doesn't mean it is any less dangerous, though: once installed, it encrypts most of your files just like any other ransomware out there. The cyber crooks let you decrypt one file for free, and because the malware leaves certain information about the encrypted files on your computer, there's a good chance you can get at least some of them back without paying the ransom. To learn more, please follow the steps in the removal guide below.

You may ask, where did this CoinVault virus come from? It's usually installed by other malware, mostly Trojan horses. You may well remember the ancient Greek myth about the giant wooden Trojan horse which was created by the Greeks in order to infiltrate the City of Troy. You may also be wondering why this article about malware is opening with such an old story. That's because the Trojan horse of yesteryear and its modern day equivalent have a lot more in common than you may think.

This type of malicious software, the Trojan Horse, did indeed take its name from the tale and once you know just how Trojan Horse malware works, it will all make perfect sense! If you still remember your history or classics lessons then you'll know that the siege of Troy lasted for many years, resulting in a stalemate which drove the Greeks to take desperate measures. After building their wooden horse they rolled it to the city gates and claimed it was a peace offering to the Trojan people. However, unbeknown to the (un)lucky recipients, the Greek army was actually hiding inside the horse and as soon as it was taken beyond the city gates and night fell, the Greek soldiers climbed out and opened the gates to their waiting army. And that, in a nutshell, is pretty much how a modern Trojan Horse works: it looks innocent but it has been specifically designed to cause a great deal of harm.

As did their ancient namesake, today's Trojans rely on their victims' susceptibility to play a role in the attack. And much like the horse of yore, Trojan Horses in 2014 are designed to wreak havoc on their target. The CoinVault ransom Trojan will cause irreparable damage to your files, corrupt your data and can leave your computer's security in tatters. Unlike other forms of malware, it does not steal data, assume your identity or try to steal money from you; it has really just been created on the whim of some spiteful software developer. The bad news is that you won't even notice when this virus starts encrypting your files unless you are constantly monitoring your CPU usage, etc. When it has finished encrypting your files it displays a ransom screen that explains how you can pay a ransom to get your files back:

Your personal documents and files on this computer have just been encrypted.
The original files have been deleted and will only be recovered by following the steps described below.
Click on "View encrypted files" to see a list of files that got encrypted.

The encryption was done with a unique generated encryption key (using AES-256).
This means the encrypted files are of no use until they get decrypted using a key stored on a server.

This server will only release the key if the amount of Bitcoins (displayed left of this window)
is send to the Bitcoin address shown underneath this window.

Each time the timer hits zero, the total costs will raise with the starting price.

After the purchase is made, please wait a few minutes for confirmation of the Bitcoins.
You can check whether the Bitcoins are confirmed with the 'check payment and receive keys' button.
After payment and confirmation, your keys will appear in the textboxes.
After that, you simply click 'decrypt using keys'.
Your files will be decrypted and restored to their original location.

You can decrypt one file for free, using the 'One free decrypt' button.

You can easily delete this software, but know that without it, you will never be able to get your original files back.

For more information on how to buy and send Bitcoins, click 'How to pay'.

Need help or support?
mail: (primary e-mail address)
backup mail: (in case primary e-mail doesn't work)

The list of encrypted files is stored in CoinVaultFileList.txt. Each victim is assigned a different bitcoin address, which makes it harder to monitor CoinVault payments. Other ransom Trojans use TOR or similar web services to collect the payments; this virus acts as both the decrypter and the payment system, eliminating any third-party service that authorities could use to track the cyber crooks down. So, as I said, even though it's not the most sophisticated ransomware I've ever seen, it's still a very dangerous infection.
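Because the malware leaves its own list of victims' files behind, a responder can use it to scope the damage before touching any backups. The PowerShell script below is an added example, not code from the original post: it reads the list, records for each entry the drive, extension and whether the file still exists on disk, writes a CSV, and prints counts per drive and per extension so you know which volumes need shadow-copy or backup restores and which file types matter most. The location of CoinVaultFileList.txt and its format (one full path per line) are assumptions; adjust $ListPath to wherever you find the file.

```powershell
# Added example (not from the original post): triage the file list left by CoinVault.
# Assumptions: $ListPath points at CoinVaultFileList.txt and the file holds one full
# path per line. Run after the malware itself has been removed.
param(
    [string]$ListPath   = "$env:USERPROFILE\CoinVaultFileList.txt",        # assumed location
    [string]$ReportPath = "$env:USERPROFILE\Desktop\coinvault-triage.csv"  # assumed output path
)

if (-not (Test-Path -LiteralPath $ListPath)) {
    Write-Error "List file not found at $ListPath"
    exit 1
}

# Read the list, trim whitespace and drop blank lines.
$entries = Get-Content -LiteralPath $ListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' }

# One record per listed file: where it lived, what type it was, and whether
# anything is still present at that path (the ransom note claims originals are deleted).
$report = foreach ($path in $entries) {
    $exists = Test-Path -LiteralPath $path
    [pscustomobject]@{
        Path        = $path
        Drive       = Split-Path -Path $path -Qualifier -ErrorAction SilentlyContinue
        Extension   = [System.IO.Path]::GetExtension($path).ToLowerInvariant()
        StillExists = $exists
        SizeBytes   = if ($exists) { (Get-Item -LiteralPath $path).Length } else { $null }
    }
}

$report | Export-Csv -LiteralPath $ReportPath -NoTypeInformation

# Summary for the responder: which drives and which file types were hit.
"Files listed: $($report.Count)"
"Still present on disk: $(($report | Where-Object StillExists).Count)"
$report | Group-Object Drive     | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
$report | Group-Object Extension | Sort-Object Count -Descending | Select-Object -First 15 |
    Format-Table Name, Count -AutoSize
```

The per-drive count is the useful number here: shadow copies and Shadow Explorer only help for volumes that had System Protection enabled, so any drive that appears in the list but has no shadow copies has to be restored from an external backup or a file-recovery tool.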

While running, CoinVault blocks pretty much every executable file in order to protect itself from being removed, which means it will probably block your antivirus program as well. If you can't run any malware removal tool on your computer, restart the system in Safe Mode or Safe Mode with Networking and try again. What is more, this virus changes your Windows wallpaper to one saying "Your files have been encrypted!".

Some Trojan Horses are associated with instant messenger apps – now such a popular way of keeping in touch – as well as file sharing tools; however, they are mostly spread via spam email. And that is where the scammers need to get creative (just like those ancient Greeks) by convincing you to open an attachment or link in an email or instant message. Once you've done that, you will be attacked from within your own city walls, as it were.

How can I defend myself from attack by CoinVault? Fortunately there are a few things you can do to protect yourself from the chaos caused by this ransom virus. Make sure that you have a good anti-malware program installed on your PC or laptop and keep it up to date, and scan your machine with it manually on a regular basis. Keeping Windows updated too is crucial as this will ensure that you have the latest versions of security patches. Finally, you know it, but are you still guilty of it? Don't download unknown programs and never open emails or attachments from senders you don't recognize. And last, but not least, backup your files! Having backups in place will save you headaches and time, trust me. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur

Step 1: Removing CoinVault and related malware:

Before restoring your files from shadow copies, make sure CoinVault is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove any detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by CoinVault virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Before using Shadow Explorer, you can try to decrypt some of your files using RakhniDecryptor.exe and RectorDecryptor.exe from Kaspersky. These tools might help, but please note that they were not designed to decrypt data encrypted by this particular ransomware. You can still try them, though.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool is available for Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted for the location where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
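Shadow Explorer is a convenience front-end over the Volume Shadow Copy Service, so the same restore can be done with tools that ship with Windows, which is handy when the machine has no network access or you prefer not to install anything on a freshly cleaned system. The script below is an added example, not code from the original post or from the Shadow Explorer project. It lists the existing shadow copies with their creation time and drive letter, exposes the newest one as a folder through a directory symbolic link, copies files out of it with robocopy, and removes the link afterwards. $LinkPath, the source folder inside the snapshot and the destination folder are all assumed values; it needs PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example (not from the original post): restore from Volume Shadow Copies
# without Shadow Explorer. Run in an elevated PowerShell after the malware is removed.
# Assumed values: $LinkPath (mount point), $SourceInSnapshot, $Destination.
$LinkPath         = 'C:\shadow'                  # assumed mount point; must not exist yet
$SourceInSnapshot = 'Users\Public\Documents'     # assumed folder to pull out of the snapshot
$Destination      = 'D:\restored\Documents'      # assumed target on a different drive

# Map volume GUID paths to drive letters so the listing is readable.
$driveByVolumeId = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    if ($_.DriveLetter) { $driveByVolumeId[$_.DeviceID] = $_.DriveLetter }
}

# 1. List the available shadow copies, newest first.
$copies = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending
if (-not $copies) {
    Write-Warning 'No shadow copies exist on this system; use backups or a file-recovery tool instead.'
    return
}
$copies | Format-Table @{ n = 'Created'; e = { $_.InstallDate } },
                       @{ n = 'Drive';   e = { $driveByVolumeId[$_.VolumeName] } },
                       @{ n = 'Device';  e = { $_.DeviceObject } } -AutoSize

# 2. Choose the snapshot to restore from. Pick one created before the infection;
#    this example simply takes the newest.
$chosen = $copies | Select-Object -First 1

# 3. Expose the snapshot as a directory. The trailing backslash on the device path is required.
if (Test-Path -LiteralPath $LinkPath) {
    Write-Error "$LinkPath already exists; choose another link path."
    return
}
cmd /c mklink /d $LinkPath "$($chosen.DeviceObject)\"

# 4. Copy the wanted folder out of the read-only snapshot onto a clean drive.
$src = Join-Path $LinkPath $SourceInSnapshot
if (Test-Path -LiteralPath $src) {
    robocopy $src $Destination /E /R:1 /W:1
} else {
    Write-Warning "$SourceInSnapshot not found in the chosen snapshot; try an older one."
}

# 5. Remove only the link; the snapshot itself is untouched.
cmd /c rmdir $LinkPath
```

The snapshot is read-only, so copying from it cannot make matters worse; the one thing to verify before trusting it is the Created column, because a snapshot taken after the encryption finished will hand you the encrypted copies again. If the listing is empty for a drive, that volume never had System Protection enabled, and neither this script nor Shadow Explorer can recover anything from it.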


Anonymous said...

ShadowExplorer only worked on my C-drive, not on my USB-harddrives. Any chance I can get my files back on these drives? Any help would be appreciated!

Admin said...

I'm afraid it won't work on USB drives.

Anonymous said...

I have this on my PC and I have no restore option. The backup on the D drive of drive C is also infected/encrypted, so it's useless, and a system restore does not restore the photos and documents.
Also tried Shadow Explorer and this did not work.
The CoinVault is gone but files are still encrypted, so if someone now has a way to get this decrypted, let me know???

Anonymous said...

New malware use a .BAT (.
So please press NO for administrative rights.
If you had pressed no, you're maybe lucky.
If you press yes, it then removes your shadow copy.
All of the above was no luck for me.

How did it come in?
Adobe Flash Player update.
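The commenter's point is that the malware needs elevated rights for one step in particular: deleting the shadow copies that Method 3 depends on. Whether that step happened on a given machine is something the event logs can answer. The script below is an added example, not code from the original post or comment; it searches Sysmon process-creation events (ID 1, where Sysmon is installed) and Security process-creation events (ID 4688, which carry the command line only when the "Include command line in process creation events" policy is enabled) for the commands that delete or shrink shadow storage, and prints a timeline of any hits. The log names and event IDs are the standard Windows ones; the regular expression is this example's own.

```powershell
# Added example (not from the original post): find evidence that shadow copies were
# deleted or resized, the action that needs the elevated rights the comment describes.
# Requires an elevated prompt to read the Security log.
$pattern = 'vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)|' +
           'wmic(\.exe)?\s+shadowcopy\s+delete'

# Log sources to check: Sysmon (if present) and the Security log.
$sources = @(
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1    }
    @{ LogName = 'Security';                             Id = 4688 }
)

$hits = foreach ($s in $sources) {
    try {
        # -ErrorAction Stop turns "no events found" / "log not present" into a catchable error.
        $events = Get-WinEvent -FilterHashtable @{ LogName = $s.LogName; Id = $s.Id } -ErrorAction Stop
    } catch {
        Write-Verbose "Skipping $($s.LogName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        if ($e.Message -match $pattern) {
            # Pull the command-line field out of the message text; both Sysmon
            # ("CommandLine:") and 4688 ("Process Command Line:") are covered.
            $cmdLine = $e.Message -split "`r?`n" |
                Where-Object { $_ -match 'Command ?Line' } |
                Select-Object -First 1
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Log         = $s.LogName
                EventId     = $e.Id
                Matched     = $Matches[0]
                CommandLine = if ($cmdLine) { $cmdLine.Trim() } else { '(command line not logged)' }
            }
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    'No shadow-copy deletion or resize commands found in the available logs.'
}
```

A hit here explains an empty Shadow Explorer listing and tells you to move straight to backups or file-recovery tools; no hit on a machine that logs command lines means the snapshots may well still be there, which is exactly the case the commenter describes when the elevation prompt was declined.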

Anonymous said...

I have removed the malware but i can't restore my files (no history), is there another option?

Shawn Simon said...

Has anyone figured out how to restore files without restore option ?

Anonymous said...

I know this is a reply much later than the article was written, but I wanted to let people know that I have succeeded in recovering almost all my files (that I cared about).

The best and easiest way to recover, without being too tech savvy, but still requiring some technical knowledge, is by running a "deep scan" on the folder/drive you lost files on. In theory this should work on any operating system, but I can only give you my results from losing and recovering on an NTFS partition (running Windows 7 x64).

First thing to do when you think you're being attacked is to simply shut everything down. Don't allow the hard drive(s) to read and write anymore.

Unplug your drives and find yourself either another computer that has Windows installed, or rebuild Windows on another drive using the same system. You won't even need to activate Windows, since the process of recovering the data can be done within the activation period.

Get yourself another hard drive of equal or greater size, or a simple USB storage that should be large enough for your needs. Personally, I only wanted my pictures and home videos and would be rebuilding my Windows machine from scratch after recovery.

Download 'Recuva' by Piriform (free) and install it on your new system.

Find yourself a way of plugging in the infected drive, either by plugging it inside this new system, a USB external enclosure or a 'kit' that can allow you to plug in any drive by USB connector.

Use Recuva and make sure to run a 'deep scan' on the infected drive. Keep in mind that, depending on the amount of data written on the drive and how much data you might have deleted over the last months/years, it can take several hours to complete.

I ran mine on a 1 TB WD Green drive with about 400 GB 'free' and it took well over 10 hrs to scan using the USB kit method. Your results may vary.

Once you get the 'results', you will see a rather long list of files that can be recovered 100%, not at all, etc.

I found this best practice: do a search for all *.jpg and any file with this 'type' of naming seemed to be the pictures/files that were encrypted:


Those numbers are obviously just a random set of filenames that the virus/malware used to rename your files during the encryption. After the encryption is finished, it "deletes" the file so that we can recover those ones.

I did the same thing with my zip files as well, mp4 files and other formats that were important to me (.doc, etc)

I ended up having most (if not all) of my .doc files stored on google drive, so I wasn't too worried.

I know this guide isn't very "easy" to follow if you're not tech savvy, but find someone who can help you and DON'T PAY THE RANSOM. It's not worth it, as there is always a way to recover things that were deleted.

I have read that some of these trojans might use sdelete instead of your typical "delete" command to remove the files, but this in itself would make the encryption process MUCH longer and you could potentially catch on quick enough, so my luck was that this trojan variant allowed me to recover 99% of what I had lost.

I hope this helps someone in the long run. Key words: shut down immediately. Restore from another "clean" machine. Use Recuva and store files on a DIFFERENT DRIVE THAN THE INFECTED ONE.
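The recovery the commenter describes leaves you with a folder full of files carrying the meaningless numeric names the malware assigned, some of them intact originals and some the encrypted copies. Telling the two apart by hand is slow; file signatures do it automatically, because an encrypted file has no recognisable header while a real JPEG, PNG, PDF, ZIP/Office or MP4 does. The script below is an added example, not code from the original comment or from the Recuva project. It reads the first bytes of every recovered file, copies those with a known signature into an "intact" folder with the correct extension, and puts the rest into "unknown" for manual inspection. $RecoveredDir and $SortedDir are assumed paths; keep both on a drive other than the infected one, as the commenter insists.

```powershell
# Added example (not from the original comment): sort undeleted files by signature so
# intact originals are separated from encrypted copies. Assumed paths below.
param(
    [string]$RecoveredDir = 'D:\recovered',   # assumed: where the undelete tool wrote its output
    [string]$SortedDir    = 'D:\sorted'       # assumed: on a drive that is not the infected one
)

# Signature table: hex bytes expected at Offset -> extension to assign.
$signatures = @(
    @{ Hex = 'FFD8FF';           Offset = 0; Ext = 'jpg' }
    @{ Hex = '89504E470D0A1A0A'; Offset = 0; Ext = 'png' }
    @{ Hex = '25504446';         Offset = 0; Ext = 'pdf' }
    @{ Hex = '504B0304';         Offset = 0; Ext = 'zip' }   # also docx/xlsx/pptx containers
    @{ Hex = 'D0CF11E0A1B11AE1'; Offset = 0; Ext = 'doc' }   # legacy Office (doc/xls/ppt)
    @{ Hex = '66747970';         Offset = 4; Ext = 'mp4' }   # 'ftyp' box of MP4/MOV
)

function Get-FileSignatureExtension {
    param([string]$Path)
    # Read only the first 16 bytes; enough for every entry in the table.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf  = New-Object byte[] 16
        $read = $fs.Read($buf, 0, $buf.Length)
    } finally { $fs.Dispose() }
    if ($read -lt 1) { return $null }
    $hex = -join ($buf[0..($read - 1)] | ForEach-Object { $_.ToString('X2') })
    foreach ($sig in $signatures) {
        $start = $sig.Offset * 2
        if ($hex.Length -ge $start + $sig.Hex.Length -and
            $hex.Substring($start, $sig.Hex.Length) -eq $sig.Hex) {
            return $sig.Ext
        }
    }
    return $null   # no known header: most likely an encrypted copy
}

$intactDir  = Join-Path $SortedDir 'intact'
$unknownDir = Join-Path $SortedDir 'unknown'
$null = New-Item -ItemType Directory -Force -Path $intactDir, $unknownDir
$stats = @{ intact = 0; unknown = 0 }

Get-ChildItem -LiteralPath $RecoveredDir -File -Recurse | ForEach-Object {
    if ($_.Length -eq 0) { return }   # nothing to classify in an empty file
    $ext = Get-FileSignatureExtension -Path $_.FullName
    if ($ext) {
        $dest = Join-Path $intactDir "$($_.BaseName).$ext"
        $stats.intact++
    } else {
        $dest = Join-Path $unknownDir $_.Name
        $stats.unknown++
    }
    Copy-Item -LiteralPath $_.FullName -Destination $dest
}

"Intact (recognised signature): $($stats.intact)"
"Unknown (possibly encrypted):  $($stats.unknown)"
```

The table covers the formats the commenter cared about (pictures, video, zip and Office documents); add rows for other types by their published magic bytes. A file that lands in "unknown" is not necessarily lost, but it is either encrypted or a partial recovery, and either way it is not something to open on a production machine.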