CoinVault ransomware decryption keys released

A repository of CoinVault ransomware decryption keys, obtained by the Dutch police from a seized server, has been shared online by security company Kaspersky.

Kaspersky Lab has released a repository of CoinVault ransomware decryption keys unearthed by the National High Tech Crime Unit (NHTCU) of the Netherlands police.

The Russian internet security software company announced on Monday that it had released the decryption keys for free, after the NHTCU and the Netherlands National Prosecutors Office obtained a database from a CoinVault command-and-control server.

According to Kaspersky, the server contained initialisation vectors, keys, and private bitcoin wallets, with the information helping Kaspersky Lab and the NHTCU to create the repository of decryption keys now being offered to the public.

CoinVault malware encrypts data on an infected computer's hard drive, shows the victim a list of the encrypted files, and decrypts one file for free in a bid to encourage victims to cough up a payment in return for the decryption key.

[Image: Kaspersky Lab screenshot by Leon Spencer/ZDNet]

Kaspersky said the ransomware has infected more than 1,000 Windows-based computer systems in over 20 countries, with the majority of the victims in the Netherlands, Germany, the United States, France, and the United Kingdom.

Victims have also been registered in several other countries, including Australia, New Zealand, United Arab Emirates, China, Indonesia, Thailand, South Africa, Panama, the Dominican Republic, and Mexico.

Kaspersky Lab global research and analysis team security researcher Jornt van der Wiel said that although the company has been able to include a large number of CoinVault decryption keys in its free online decryption tool, more will be added to the collection as they continue to be unearthed by the NHTCU.

"We have uploaded a huge number of keys onto the site. If we do not currently have records for a particular bitcoin wallet, you can check again in the near future, because together with the National High Tech Crime Unit of the Netherlands police, we are continuously updating the information," said van der Wiel.

Kaspersky's release of the decryption keys provided by the NHTCU came just hours after Interpol announced that servers in the Netherlands had been seized in a global crackdown on the Simda botnet, an operation carried out with the help of Kaspersky, the NHTCU, other law-enforcement agencies, and security software vendors around the world.

The global operation, coordinated by Interpol's Global Complex for Innovation in Singapore, took place on April 9 and resulted in the seizure of 10 command-and-control servers in the Netherlands. It also saw servers in the United States, Russia, Luxembourg, and Poland taken down.