Kaspersky Lab has added an additional 14,031 decryption keys to the repository noransom.kaspersky.com, enabling all users who have fallen victim to CoinVault and Bitcryptor ransomware to retrieve their encrypted data without having to pay a single bitcoin in ransom to criminals.
“Many companies face ransomware attacks and ask themselves: to pay or not to pay? In the security industry, we believe that paying criminals does not make the ransomware problem go away.” said Jornt van der Wiel, Security Researcher at Global Research and Analysis Team, Kaspersky Lab.
“If you pay, you keep the criminal business model rolling. If you don’t, there is no business model for them anymore. Moreover, paying up will not guarantee that your files will be retrieved,” he warned. Kaspersky Lab recently teamed up with the Dutch police in investigating ransomware incidents to create more decryption keys.
Since April 2015, a total of 14,755 keys have been made available for victims so that they can release their files by using the decryption application developed by Kaspersky Lab’s security experts.
The Netherlands’ National Prosecutors Office obtained the decryption keys from the CoinVault command & control servers. In September, the Dutch police arrested two men in the Netherlands on suspicion of involvement in the ransomware attacks.
With these arrests, and the fact that the last portion of keys has now been obtained from the server, the time has come to close the case on the CoinVault attacks.
CoinVault’s cybercriminals tried to infect tens of thousands of computers worldwide, with the majority of victims in the Netherlands, Germany, the USA, France and the UK.
Users from a total of 108 countries were affected. The criminals succeeded in locking at least 1,500 Windows-based machines, demanding bitcoins from users to decrypt their files.
Kaspersky Lab discovered the first version of CoinVault in May 2014, and later contributed a thorough analysis of all the associated malware samples to an investigation run by the National High Tech Crime Unit (NHTCU) of the Netherlands’ police and the Netherlands’ National Prosecutors Office.
During the joint investigation, the NHTCU and the Netherlands’ National Prosecutors Office obtained databases from CoinVault command & control servers.
These servers contained Initialization Vectors (IVs), keys and private bitcoin wallets and helped Kaspersky Lab and the NHTCU to create a special repository of decryption keys: noransom.kaspersky.com.
“The CoinVault investigation has been unique in that we have been able to retrieve all the keys. Through sheer hard work we were able to disrupt the entire business model of the cybercriminal group,” van der Wiel said.
Ransomware in the Philippines
Kaspersky Lab said ransomware is now a very popular way of earning money for cyber criminals. The security company also said the risk of infection is high for both developed and emerging countries like the Philippines.
Early this year, Kaspersky Lab’s principal security researcher Vicente Diaz warned of a possible rise in number of ransomware incidents in the country which has been showing resilient economic growth to date.
“The attackers are looking for new possibilities for making money out of us. Ransomware is now a huge phenomenal business in Europe. Hackers encrypt big company’s important data and ask for payment to decrypt the files. Philippines have not seen a lot of ransomware incidents yet. But with its growing economy, it is possible,” Diaz said.
The security expert also revealed that ransomware ranked 12th among the top detected malwares in the country for 2015.