Ransomware a nasty piece of malware is making it around and there is no denying to the fact that it has maintained its reputation of being a formidable threat. With each passing day ransomware threats are rising and there is no sign of them slowing down.
Ransomware is a major threat for not only organizations, but for individuals, hospitals and almost for all the industries. Usually majority of it is spread through user actions such as clicking on malicious link, visiting a compromised website and others.
Today, we are going to discuss about another nasty ransomware. The only thing that makes this ransomware different is, it lets user decrypt one file to prove victim will be able to decrypt all the encrypted all files.
What is CoinVault?
CoinVault a file encrypting ransomware program, part of Cryptographic Locker family. Unlike other ransomware program it does no use a decryption site to make payments and download decryptor. Instead it has an in-built decryption functionality and payment system into the executable malware.
How is it distributed?
CoinVault is spread via emails that contains a PDF file which is an executable file as ZIP attachment. This PDF file pretends to be an invoice, purchase order, bill, complaint or some sort of communication. When victim double clicks on the fake PDF, system is infected by CoinVault and malware gets installed in %AppData%\Microsoft\Windows folder.
How it Works?
Once CoinVault is installed on the machine, it starts scanning the system for data files and then encrypts them using AES encryption so that they cannot be accessed. Once all the files are encrypted CoinVault displays CoinVault program that contains information about the files, ransom amount, and instructions on how the money has to be paid.
The ransom amount varies beginning from 0.7 Bitcoins it goes up as after each 24-hour amount is increased if the victim fails to make the payment. The Bitcoin address is different for each infected machine.
Note: CoinVault allows to decrypt once file for free to prove what it can do.
How are the files decrypted?
When the file to decrypt is selected, CoinVault uploads the file to its Command and Control server, decrypt it and then send it back to the machine from which decryption request is sent.
CoinVault even changes your Windows desktop wallpaper to “Your files have been encrypted!”
What file types are encrypted by CoinVault?
CoinVault looks for specific files on all drives connected to your system to encrypt. This means USB, external drives, network drives and even cloud services are at risk. CoinVault will encrypt the files ending with following extensions:
.odt, .ods, .odp, .odm, .odc, .odb, .doc, .docx, .docm, .wps, .xls, .xlsx, .xlsm, .xlsb, .xlk, .ppt, .pptx, .pptm, .mdb, .accdb, .pst, .dwg, .dxf, .dxg, .wpd, .rtf, .wb2, .mdf, .dbf, .psd, .pdd, .pdf, .eps, .ai, .indd, .cdr, .dng, .3fr, .arw, .srf, .sr2, .mp3, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .raw, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .cer, .crt, .pem, .pfx, .p12, .p7b, .p7c, .jpg, .png, .jfif, .jpeg, .gif,.bmp, .exif, .txt |
What to do when you get to know your system is infected?
When you get to know that your system is been compromised by CoinVault you can do 2 things.
- Pay ransom and let the attackers decrypt your data.
- Restore your files by restoring the backup you have taken.
How to prevent your computer from getting infected by CoinVault?
To prevent your computer from getting infected by CoinVault you need to create Software Restriction Policies, that will block executable files from running when found in a specific path. For this you need to use either Windows Group or Local Policy Editor.
To add restriction rule, follow the steps below:
1. Click the Start button and type Local Security Policy.
2. Now in the new window that opens in the left pane look for Software Restriction Policies.
3. If no policy is defined you need to add a new policy by right clicking on Software Restriction Policies.
4. Now click on New Software Restriction Policies, to enable the policy and the right pane will look as the image below:
5. Now, right click on Additional Rules folder present in the right pane and select New Path Rule. This will let you add a Path Rule.
Must Read : Crypto Mining Is The Next Big Threat After Ransomware
The entries you need to add are as follows:
To block CoinVault executable in %AppData%
Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from %AppData%.
To block CoinVault executable in %LocalAppData%
Path if using Windows XP: %UserProfile%\Local Settings\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from %AppData%.
To block Zbot executable in %AppData%
Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from immediate subfolders of %AppData%.
To block Zbot executable in %LocalAppData%
Path if using Windows Vista/7/8: %LocalAppData%\*\*.exe
Security Level: Disallowed
Description: Don’t allow executables to run from immediate subfolders of %AppData%.
To block executables run from archive attachments opened with WinRAR:
Path if using Windows XP: %UserProfile%\Local Settings\Temp\Rar*\*.exe
Path if using Windows Vista/7/8: %LocalAppData%\Temp\Rar*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinRAR.
To block executables run from archive attachments opened with 7zip:
Path if using Windows Vista/7/8: %LocalAppData%\Temp\7z*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with 7zip.
To block executables run from archive attachments opened with WinZip:
Path if using Windows Vista/7/8: %LocalAppData%\Temp\wz*\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened with WinZip.
Block executables run from archive attachments opened using Windows built-in Zip support:
Path if using Windows Vista/7/8: %LocalAppData%\Temp\*.zip\*.exe
Security Level: Disallowed
Description: Block executables run from archive attachments opened using Windows built-in Zip support.
Note: Using when you add these paths to Software Restriction Policies, some legitimate applications may stop functioning. This happens as some companies unknowingly install their applications under a user’s profile rather than in the Program Files folder. Due to this, the Software Restriction Policies will stop those applications from running.
Therefore, to make such applications run you will need to add a Path Rule using the steps described above to allow the program to run. To do so, you need to create a Path Rule for that particular program’s executable and set the Security Level to Unrestricted instead of Disallowed.
Once you do so, the specified applications will start running.
We hope you find this article informative enough and useful too. If you have any query, please feel to free to contact us. Also, please send your feedback, as it is valuable to us and it helps us to understand what our customers expect from us.