CoinVault: Decrypt One File For Free, Send Bitcoin To Decrypt The Rest

From Webroot comes a report of a new piece of ransomware called CoinVault. CoinVault works in much the same way as earlier ransomware such as CryptoLocker: it encrypts the user's files and then demands that the user pay a ransom in bitcoin to reclaim them. Where CoinVault differs from other ransomware is that it offers the user the option to decrypt one file for free. The CoinVault ransom note states:

Your personal documents and files on this computer have just been encrypted. The original files have been deleted and will only be recovered by following the steps described below. Click on "View encrypted files" to see a list of files that got encrypted.

The encryption was done with a unique generated encryption key (using AES-256). This means the encrypted files are of no use until they get decrypted using a key stored on a server.

This server will only release this key if the amount of Bitcoins (displayed left of this windows) is send to the Bitcoin address underneath this windows.

Each time the time hits zero, the total costs will raise with the start price.

After the purcase is made, please wait a few minutes for confirmation of the bitcoins. You can check whether the Bitcoins are confirmed with the 'check payment and receive keys' button. After payment and confirmation, your keys will appear in the textboxes. After that, you simply click 'decrypt using keys'. Your files will be decrypted and restored to their original location.

You can decrypt one file for free, using the 'One free decrypt' button.

You can easily delete this software, but know that without it, you will never be able to get your original files back.

For more information on how to buy and send bitcoin, click 'How to pay'.

The Webroot article includes a screenshot in which the address 1LN8carm8kZqaE2gY25UooA3zcSC7N7DtQ is displayed. The address does not contain a balance, which might suggest that CoinVault generates a new one for each infection.

Source – http://www.webroot.com/blog/2014/11/14/coinvault/

4 thoughts on “CoinVault: Decrypt One File For Free, Send Bitcoin To Decrypt The Rest”

  1. Recently had to walk a lady through how to use Bitcoin in order to pay this ransom. They owned a business and had all of their files locked down, making them unable to operate. It was quite a hassle but they eventually bought $600 (extra $100 just in case of price fluctuation) to unlock their files.

    It was hilarious because they hired a "computer technician" to come in and help, and he didn't even know what Bitcoin was.

    • It's interesting how many people keep getting hit with this stuff now, and yet caution is… lacking.

      • I don't even run a malware scanner or any of that nonsense on my Windows computer and have yet to get hit by it despite my paranoia that it will happen.

        Using the basic rule of "don't browse shady shit and use adblock" (and I don't even use that) seems to work.

        It would be interesting to see the source of each of the infectious payloads (email, website, torrents etc.), and the corresponding percentages.

        My first guess (without any research) would be that email is the primary vector.

        • Well, you also have to remember that a lot of Windows malware is "silent" and forms the backbone of botnets among other things.
