CoinVault Ransomware Jumps on Freemium Model

We have continuously monitored crypto-ransomware’s modifications and evolution since its discovery in late 2013. Though crypto-ransomware is still relatively “new” to the threat landscape, it has already established itself as a formidable threat to unsuspecting users. By definition, crypto-ransomware shares similar routines with cryptolocker, a refinement of ransomware with file-encryption capabilities.

We recently came across two variants of crypto-ransomware, each with a routine or feature not found in other variants. The discovery of these two variants proves that crypto-ransomware is still continuing its evolution—all to victimize users.

The Newly Minted Threat, CoinVault

CoinVault, or TROJ_CRYPTCOIN.AK stands out from other variants because it offers users a rare opportunity: the chance to save one encrypted file. The malware enters systems via automatic download from malicious websites or an infected flash drive. Once inside the system, CoinVault is able to gather information, connect to certain websites, and encrypt files.

After encrypting files in an infected system, CoinVault displays a message telling the user that they can select one file to be decrypted, free of charge.

Figure 1. Images displayed by CoinVault in the infected system

Figure 2. (L): TROJ_CRYPTCOIN.AK or CoinVault ransom message,
(R) TROJ_CRITOLOCK.A ransom message

Upon further analysis, TROJ_CRYPTCOIN.AK appears as an update to the “cryptographic locker ransomware” variant TROJ_CRITOLOCK.A seen last September. One noticeable difference is that it uses a different wallpaper and graphical user interface (GUI). Additionally, the cryptographic locker ransomware variant (TROJ_CRITOLOCK.A) uses the advanced encryption standard (AES-128) cryptosystem, while its updated version (TROJ_CRYPTCOIN.AK) uses AES-256. This encryption standard comes with the addition of the freemium model, which makes TROJ_CRYPTCOIN.AK or CoinVault different from previous crypto-ransomware variants.

Upon querying the Trend Micro™ Smart Protection Network™, it appears that the United States came through as the top country affected by this threat.

Contact for More Details

Another ransomware variant (detected as TROJ_CRYPAURA.A, TROJ_CRYPAURA.B, and TROJ_CRYPAURA.C) takes a different approach from CoinVault. Rather putting all the steps for decryption/payment in the ransom message, the malware instructs its victims to contact a specific email address for instructions.

Figure 3. Ransom message instructing users to contact an email address

Figure 4. Instructions given during the exchange via email

Sending a reply to the stated email address will result in getting a full set of instructions. Users are required to upload the encrypted files to a file storage site and send the link to the cybercrooks. Only then will they decrypt the file. The payment? Approximately US$500 via Bitcoins.

Curiously enough, the malware also renames the encrypted files to include the attacker’s email address in the new file names.

Reclaiming Files for Free: Yay or Nay?

Offering a free decryption might seem strange but it actually works as a way to convince users. Decrypting a file shows the victim that their other files can actually be recovered—if they pay the fee. But of course, there are no guarantees that full decryption will be given once the user pays the ransom. More often than not, techniques like these are simple lures for users who are willing to take the bait, and their files will be lost for good.

Even though the cybercriminals packaged CoinVault with this “freebie” offer, it’s still best to take preventive measures against threats that hold your files for ransom. Make it a regular habit to back up your files, both manually and automatically in different locations, be it via external hard drive or through the use of secure cloud-based services. And as a proactive measure, always refrain from clicking unknown sites in suspicious email messages and sources.

The Smart Protection Network™ protects users against CoinVault and CRYPAURA malware by blocking all files and malicious URLs related to this threat.

With additional analysis by Roddell Santos and Rika Gregorio.

The following are the related hashes: