
CoinVault, Bitcryptor ransomware declared dead following arrests

CoinVault and Bitcryptor variants of ransomware have been declared dead after the authors were arrested and decryption keys were recovered by law enforcement.

Following the arrests of the alleged authors of the CoinVault and Bitcryptor ransomware, as well as the recovery of the decryption keys, Kaspersky Lab called the ransomware variants dead.

Law enforcement in Amersfoort, Netherlands, arrested the alleged authors of the ransomware on Sept. 14. Kaspersky reportedly assisted in the investigation and has released the decryption keys as part of its Ransomware Decryptor to help victims get their hostage data back.

Jornt van der Wiel, security researcher for the global research and analysis team at Moscow-based Kaspersky Lab, said in a statement this means "the CoinVault story is ending."

"The remaining victims can retrieve their files and the cybercriminals have been caught, thanks to collaboration between the Dutch police, Kaspersky Lab and Panda Security," van der Wiel said. "The CoinVault investigation has been unique in that we have been able to retrieve all the keys. Through sheer hard work, we were able to disrupt the entire business model of the cybercriminal group."

Adam Kujawa, head of malware intelligence at Malwarebytes Labs in San Jose, Calif., said Kaspersky's tool uses the encryption algorithm and block cipher to quickly decrypt user data, but warned that this isn't a cure-all for ransomware in general.

"It's like they found a big book of passwords and when users install their decryption tool, they just run through all the passwords and see which one actually decrypts the files," Kujawa said. "It only works for current infections of CoinVault and won't work with any other family of crypto-ransomware unless the same thing happens, where law enforcement gets their hands on the keys."
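The "run through all the passwords" approach Kujawa describes, shown as an added example that is not Kaspersky's decryptor and not the CoinVault file format: a sweep over a recovered key book that accepts a key only when the file's authentication tag verifies under it, so garbage output from wrong keys is never written to disk. The cipher (a SHA-256 counter keystream with an HMAC tag), the 50-entry key book and the sample file are constructed stand-ins so the code runs with the standard library alone.

```python
"""Recovered-key sweep: try every key in a seized key book against one
encrypted file and accept only the key whose authentication tag verifies.

The cipher here (SHA-256 counter keystream + HMAC-SHA256 tag) is a
constructed stand-in so the example runs offline with the standard library;
it is not the scheme CoinVault used and not Kaspersky's decryptor."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(key, nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext if the tag verifies under this key, else None.

    Checking the tag before trusting the output is what lets a sweep tell the
    right key from the wrong ones without inspecting the file contents."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def sweep_keybook(blob: bytes, keybook: dict):
    """Try each (victim_id, key) in the book; return (victim_id, plaintext)
    for the first key that authenticates, or None if no recovered key fits."""
    for victim_id, key in keybook.items():
        pt = decrypt(key, blob)
        if pt is not None:
            return victim_id, pt
    return None


# --- constructed sample data: a 50-entry key book and one victim file ---
KEYBOOK = {
    f"victim-{i:04d}": hashlib.sha256(f"constructed-key-{i}".encode()).digest()
    for i in range(50)
}
SAMPLE_PLAINTEXT = b"Quarterly report: constructed sample contents\n"
SAMPLE_BLOB = encrypt(KEYBOOK["victim-0037"], SAMPLE_PLAINTEXT)
# A file encrypted under a key the seizure did not recover: the sweep must fail cleanly.
UNRECOVERED_BLOB = encrypt(hashlib.sha256(b"constructed-missing-key").digest(), SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    hit = sweep_keybook(SAMPLE_BLOB, KEYBOOK)
    print("recovered with", hit[0], "->", hit[1].decode())
    print("unrecovered file ->", sweep_keybook(UNRECOVERED_BLOB, KEYBOOK))
```

The sweep cost grows linearly with the size of the key book, which is why a real recovery tool prefers to look keys up by a victim identifier embedded in the ransom note or file header and falls back to a full sweep only when that index is missing. Where a ransomware format carries no authentication tag, the accept test has to be replaced by a check of the candidate plaintext against a known file signature, which is both slower and less certain than tag verification.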

Vann Abernathy, product manager at NSFOCUS Inc., based in Santa Clara, Calif., said the release of this data and the arrests of the authors make it unlikely that CoinVault and its successor, Bitcryptor, will return.

"It doesn't mean that some other threat actor will not use the same methodology (but with better encryption) down the road," Abernathy warned. "Security is a cat and mouse game -- engineers build something, bad guys figure out how to break into it, we think of a way to stop them, then they take another approach."

Kujawa agreed that other threat actors will learn from the mistakes made by the CoinVault and Bitcryptor ransomware authors, and the techniques used to stop these ransomware variants are hard to replicate.

"The lucky break in this case was that law enforcement was able to obtain the missing information needed to decrypt CoinVault-infected systems only, including encryption keys," Kujawa said. "The same would need to happen for any other [ransomware] family. Unfortunately, this isn't an easy feat to accomplish."

It was recently estimated that the CryptoWall 3.0 ransomware has cost victims $325 million, and experts warned that it is better to take precautionary measures to prevent ransomware infections than to hope that law enforcement captures decryption keys.

Experts said that antimalware technologies can help prevent ransomware attacks, but short of paying the ransom -- which few advise -- the best mitigation to ransomware risk is to make daily backups of data.
