Security specialist Kaspersky has announced the discovery of a cache of encryption keys used by the CoinVault ransomware, allowing a subset of victims the chance to recover their data without coughing up cash.
Ransomware is a new and troubling variant of malicious software, or malware, which has a very direct impact on its victims. When infected, typically through unpatched vulnerabilities in browsers, the ransomware gets to work encrypting files on the system using a high-strength cipher. When the encryption is complete, the key is uploaded to a remote server and deleted from the system - leaving the victim with little choice but to restore from backup, kiss goodbye to their files, or pay a ransom to retrieve the encryption key and decrypt the files.
The cryptography used by most ransomware packages is extremely secure, meaning there's little hope of recovering files through a brute-force attack on the encryption itself. Sometimes, however, the ne'er-do-wells behind the attack leave themselves open, storing their cache of keys on a server which itself is vulnerable to attack or which is found and confiscated by law enforcement officials. The result: if you're one of the lucky ones, you might be able to get a key for free.
Kaspersky has, working with the National High-Tech Crime Unit of the Netherlands' police, discovered just such a cache. Captured during a joint investigation, the key database relates to the previously-unbroken CoinVault ransomware, which demands a continuously-increasing ransom of Bitcoins to unlock the targeted files.
Those who have fallen victim to CoinVault need simply copy the unique Bitcoin address displayed in the pop-up dialogue and paste it into the decryption site
, which searches the database for a matching key. If a key is found, it is provided to the user free of charge alongside a decryption tool and a free download of Kaspersky's anti-virus software in order to clean the CoinVault infection from the system.
Kaspersky has indicated that the investigation into the CoinVault campaign is ongoing, and that additional keys will be added to the database as they are captured.