CoinVault Ransomware Infection And Decryption Services

October 4, 2016

CoinVault ransomware started infecting computers in November 2014, and remains a persistent threat to all versions of Windows. It is categorized as crypto-ransomware, which is a type of malware that encrypts an infected computer’s files and then demands a ransom in exchange for the decryption key. Without the key, the files are completely inaccessible to the victim.

If CoinVault has infected your computer, turn it off, disconnect any media from it, and call us at 1-800-237-4200. Our security specialists will assess your situation and begin planning how to recover your files.

What is CoinVault Ransomware (And How Does It Work)?

When criminals use encryption, they can hold a victim’s files hostage on the victim’s own computer until the ransom is paid. If CoinVault has run its course, encryption prevents access to the original data, and decryption using the appropriate key is required to restore files to their original usable state. Even when the ransom is paid, there is no guarantee that the attackers will send the key and assist in decryption.

After CoinVault encrypts a victim’s files, a message appears on the victim’s computer screen that explains what the attackers have done. There is a timer counting down from 24 hours, and when the timer runs out, the ransom goes up. The attackers use this tactic to pressure the victim into quickly paying the ransom. By contacting malware recovery experts, however, victims can restore files safely, often without substantial expenses.

Notable Features of CoinVault Ransomware Include:

  • The starting ransom is 0.7 bitcoins, which is currently about $425, but the amount increases every 24 hours. Bitcoin is a digital currency that cybercriminals prefer because it is difficult to trace to a person.
  • Like many crypto-ransomware attacks, the perpetrators behind CoinVault will decrypt one file for free to prove that they have the ability to do so.
  • CoinVault spreads through a ZIP attachment that the attackers disguise as a PDF having to do with business communications.
  • It does not delete shadow copies, which gives victims a better chance at restoring files.
  • CoinVault copies the victim’s files and encrypts the copies. It then deletes the originals without encrypting them, which provides another possible route for recovering lost files.

CoinVault can encrypt the following file extensions:

.3fr, .accdb, .ai, .arw, .bay, .bmp, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .exif, .gif, .indd, .jfif, .jpeg, .jpg, .kdc, .mdb, .mdf, .mef, .mp3, .mrw, .nef, .nrw, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .sr2, .srf, .srw, .txt, .wb2, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx

The above list is not necessarily comprehensive; it includes only the file extensions that CoinVault is known to encrypt.

How Does CoinVault Ransomware Infect My System?

The CoinVault executable file hides in a fake PDF email attachment. If an unsuspecting person clicks on the supposed PDF, the ransomware starts to infect the computer. CoinVault then begins creating copies of the victim’s files, encrypting them, and deleting the originals. This leaves the victim unable to open any files, but it allows the possible recovery of the deleted originals using recovery software.
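
As an added example (not part of the original article), a mail-gateway style check that inspects a ZIP attachment for entries posing as PDFs. The article does not say how the disguise is built, so the double-extension and header checks, the extension set, and the sample file names are assumptions.

```python
import io
import zipfile

# Assumed set of extensions Windows will execute on double-click.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

def scan_zip_attachment(zip_bytes):
    """Return (entry_name, reason) pairs for entries that pose as PDFs or can execute."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Windows ignores trailing dots and spaces, so strip them first.
            base = info.filename.rsplit("/", 1)[-1].lower().rstrip(". ")
            parts = base.split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                head = fh.read(1024)
            is_pe = head[:2] == b"MZ"      # DOS/PE executable magic
            is_pdf = b"%PDF-" in head      # PDF header marker
            if ext in EXEC_EXTS and "pdf" in parts[1:-1]:
                findings.append((info.filename, "executable extension after .pdf"))
            elif ext == "pdf" and not is_pdf:
                reason = "PE file named .pdf" if is_pe else "no PDF header"
                findings.append((info.filename, reason))
            elif ext in EXEC_EXTS or is_pe:
                findings.append((info.filename, "executable in archive"))
    return findings

def build_sample_zip():
    """Constructed sample archive; names and contents are made up for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0412.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Statement.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Terms.pdf", b"%PDF-1.4\n% constructed body\n")
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in scan_zip_attachment(build_sample_zip()):
        print(f"{name}: {reason}")
```

Password-protected archives cannot be opened this way and should be quarantined for manual review rather than passed through.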

Can I Disable or Remove CoinVault Ransomware Encryption?

A joint operation by security experts and law enforcement discovered some of the CoinVault private encryption keys, but some victims will have to rely on backup recovery. Fortunately, we do not anticipate many new CoinVault cases, and we can typically recover all encrypted files without issue.

Contacting ransomware recovery experts as soon as possible gives victims the best chance at restoring their encrypted files. Our specialists have experience removing malware and recovering seemingly lost files. Call 1-800-237-4200 to start the process of restoring your files.