CoinVault and Bitcryptor, R.I.P.

Kaspersky and Dutch police have shut down these two strains of ransomware in a joint effort, arresting the authors and seizing the decryption keys.

Kaspersky can now de-crypt all files that may have been affected by the two ransomwares
Kaspersky can now de-crypt all files that may have been affected by the two ransomwares

The bell has tolled for CoinVault and Bitcryptor ransomware according to international cyber-security giant Kaspersky. The final blow was dealt just recently in a joint effort between Dutch law enforcement authorities and Kaspersky.

This particular kind of malware was first spotted by Kaspersky in late 2014. In April, Dutch police seized a CoinVault server after which the campaign took a bit of a holiday before coming back with Bitcryptor, a new and improved version.

This two-stroke body blow to the pervasive set of ransomwares hit in two forms: first, both their authors were arrested in one fell swoop by the Dutch authorities in mid-September, and second, Kaspersky has released all 14,000 of the ransomwares' decryption keys, allowing those affected to easily un-ransom themselves. 

In April, Kaspersky built a tool allowing hapless victims of the two strains to decrypt the data that the malware had locked away from them – these decryption keys allowed them to complete that tool.

Ransomware is a particularly pernicious form of malware which tends to infect computers, encrypt that computer's data and then charge the unfortunate user to get it back, with ransoms often priced in Bitcoins. It commonly spreads itself via malicious links, malvertising campaigns and classic phishing emails.  

First emerging in 1989, ransomware has made a grand nuisance of itself ever since with strains like CoinVault and Bitcryptor, extorting money out of witless victims. Bitcryptor is the successor to CoinVault, the former being developed as a more sophisticated, less crackable form of the latter, which hampers the infected system's ability to respond to infection.

That said, it's been a bad couple of months for the purveyors of ransomware. The Cyber-Threat Alliance, a group which encourages information sharing as a way to beat cyber-crime, recently released its own revealing report on the particularly notorious CryptoWall, which stole $325 million from its victims over its lifetime of slightly more than a year.

That said, similar announcements have been made about legendary malware strains, only for it to be revealed later that the strain in questions was far from dead. Dridex is just such a strain. Though announced to be on its last legs earlier this year, it was widely rediscovered only a few months later. 

SCMagazineUK.com spoke to Kaspersky's Jornt van der Wiel, a security researcher on the global risk and analysis team, about this. 

“We are absolutely confident that the CoinVault and Bitcryptor ransomware campaign has come to an end as the whole cyber gang involved was arrested, all code used was acquired and all 14,031 decryption keys were attained.” said van der Wiel. But, he added, “It is possible that the cyber-criminals could have sold the source code and the buyer hasn't used it yet, however it is unlikely they would use this code in its current form.”

Greg Day, CSO for the EMEA region at Palo Alto Network also spoke to SC. "it's always great to se criminal groups being identified and prosecuted, the reality is however that attackers have been collaborating well for a long time, yet the security industry and affected companies/individuals are only really starting to work togeether in the last couple of years." Day said. He added that "As such, much like Dridex I would have to anticipate that someone or some group will leverage the code previously generated by those arrested and new encryption keys will be produced.  It is key that we (the industry) continue to collaborate together, so we are able to quickly identify and shutdown each new iteration of malware."

Sign up to our newsletters