Kaspersky Labs has released CoinVault Decryptor, a free tool which may help victims of the CoinVault ransomware to decrypt their files.
The program works by using a set of decryption keys recovered by the Danish police. Unfortunately it isn’t a full set, and so the Decryptor won’t work for everyone.
To try the process you’ll need the Bitcoin wallet address where the malware was requesting payment, and ideally the list of encrypted files. Both are available from CoinVault’s initial alert screen.
Enter the malware’s Bitcoin address at noransom.kaspersky.com, and if your decryption keys are on the list then one or more key/ IV pairs will be displayed.
If you have a single key/ IV pair then the decryption process is relatively simple: point the app at your file list, enter the IV and key, click Start and wait.
If there are multiple keys/ IVs then Kaspersky recommends being careful, as it’s not yet clear which one – if any – is correct. Essentially you’ll need to try each pair in turn until you find one that works, then repeat the process for your other files.