Kaspersky Defeats Bitcoin Ransomware

CoinVault, a ransomware virus that has been infecting Windows computers for over a year, encrypts your data and blocks access to your computer’s operating system. The virus is usually installed through zero day exploits and website vulnerabilities, or when users download a malicious file or email attachment – although almost any executable file or javascript code could infect computers.

“Today the great majority of malware is created with the aim of enrichment. One of the tactics often used by evildoers is to encrypt files and demand a ransom for their decryption. Kaspersky Lab classes such programs as Trojan-Ransom malware, although there is another widely used and resonant name – encrypters.”
— – Kaspersky

Unlike other types of encrypter, CoinVault lets victims see a list of all the files that have been encrypted, and allows one file to be decrypted for free – to prove it’s functionality. Victims must pay a ransom to gain access to the remaining files, in bitcoin. The software is not targeted at bitcoin users, and reports of small businesses, soccer moms, and police departments have recently arisen. All the victims admit to paying the ransom, in bitcoin, for their files to be decrypted.

Kaspersky, one of the industry leaders in cyber security and prevention, teamed up with The National High tech Crime Unit (NHTCU) of the Dutch Police Force to create ‘NoRansomwear’ – a tool to decrypt and save files that have fallen victim to the CoinValut encrypters.

“At Kaspersky Lab we think that one of the best ways to fight cybercrime is by joining forces with various parties. These include Law Enforcement Agencies (LEAs) from different countries.”
— – Jornt Van der Wiel, Security Researcher of Global Research, Analysis Team of Kaspersky Labs

On April 13th, 2015, The NHTCU announced it had gained access to the CoinVault command-and-control server. In an interview with BNC Van der Wiel explained, “We did some malware analysis that revealed additional command and control servers (the servers that the malware communicates with). Based on this information the NHTCU was able to obtain more servers. These servers contain databases with lots of information.”

Following a thorough investigation of the servers a large private database of information was discovered, “In this particular case we obtained the Initialization Vectors (IVs), the cryptographic keys, and the bitcoin wallet. This is enough information for a victim to find his or her key and IV. “ explains Van der Wiel. The NoRansomWear decryptor uses data from the command-and-control servers to decrypt all affected files.

“In general we research many cyberthreats. These include advanced persistent threats, but also crimeware such as Ransomware.”
— – Van der Wiel

When Kaspersky analyses ransomware they look for implementation mistakes. This leads to a variety of free decryption tools for different malware campaigns that can be found here. Kaspersky also publish a range of blog posts on SecureList, about various ransomware families.

SecureList provides step by step examples of how Kaspersky tackles ever evolving cyberthreats. Artem Semenchenko of Kaspersky explains, “Serious antivirus companies devote special attention to protection against encrypters. To counter the improved systems of defence virus writers need to change their programs regularly. And they change almost everything: the encryption schemes, means of obfuscation and even the formats of executable files.”

Kasperskys decryption tool will only work with the version of CoinValut that they obtained decryption keys for. Wiel went on to tell BNC that if a newer version of malware is released, and they were able to obtain another database with keys and IV’s, the decryption software would be updated.

“For this particular case we have to see how it will evolve. If new samples and new infections show up, and the LEAs are willing to continue the joint operation, then we will definitely continue.“
— – Van der Wiel

Users that are affected by the virus now have a solution to saving their files, without contributing to a criminal organization. Although it currently only works for the current version of CoinValut, this is a step in the right direction for battling ransomware. Kaspersky are the first cyber security firm to effectively tackle this encrypter example.