
Remove Ransom:MSIL/Vaultlock.A from the Affected PC

Ransom:MSIL/Vaultlock.A is a .NET-based threat that can be downloaded onto your computer by other malware. It is installed as coinvault.exe and, upon installation, modifies the registry so that it is launched at every system start.

The threat is also detected as: Trojan horse MSIL5.BSQB (AVG), MSIL/Filecoder.K trojan (ESET), RDN/Ransom!em (McAfee), Trojan-Ransom.Win32.Crypmodadv.cz (Kaspersky), TROJ_KRYPTO.SMAZ (Trend Micro), Trojan.SuspectCRC (Ikarus), TR/Dropper.MSIL.98504 (Avira), W32/KRYPTO.SMAZ!tr (Fortinet), W32/Trojan.JDPZ-8148 (Command), Trojan.DownLoader11.45706 (Dr.Web), Troj/dnRan-B (Sophos)

Ransom:MSIL/Vaultlock.A Details

As is typical for ransomware, Ransom:MSIL/Vaultlock.A encrypts the files on the compromised computer and demands payment for the decryption key. The files locked by the threat include:

→.jpeg, .odp, .txt, .pptx, .3ds, .3fr, .dng, .ods, .psd, .accdb, .kdc, .wb2, .ai, .docm, .mbd, .bay, .dwg, .mef, .p7b, .p7c, .pdd, .pdf, .xls, .xlk, .tc, .pptm, .odm, .jfif, .dcr, .srw, .dbf, .iso, .cr2, .cer, .erf, .mrw, .xlsm, .xlsx, .cdr, .bmp, .dxf, .mov, .c4d, .arw

and other files that may be in folders whose names contain the strings “backup” and “pictures”.

Ransom:MSIL/Vaultlock.A does not encrypt files in directories with the following substrings:

→all users, appdata, boot, downloads, windows, temp, winnt, program files, programdata, default user folder, default desktop folder, recycle.bin

As soon as the threat encrypts the files, it displays a ransom message with detailed instructions about the demanded payment and a countdown. The later the victim pays the required fee, the higher the sum becomes.

Ransom:MSIL/Vaultlock.A provides a full list of the encrypted files in %TEMP%\CoinVaultFileList.txt.

Reportedly, the desktop image also gets changed. The image file is saved in %temp%\wallpaper.jpg.

Microsoft experts report that Ransom:MSIL/Vaultlock.A blocks processes with the substrings:

  • mbam
  • msconfig
  • processhacker
  • procexp
  • regedit
  • rstrui
  • roguekiller
  • spyhunter
  • shadow
  • taskmgr

After stopping these processes, Ransom:MSIL/Vaultlock.A deletes the backup files.

Ransom:MSIL/Vaultlock.A is known to connect to remote servers (www.cwears.nl and salzlandfussball.de) and send data about the affected computer, such as Baseboard, BIOS, and Processor.

The Microsoft team adds that the threat creates the following entries in the Registry:

  • Sets value: “Vault”
    With data: “”“” — where it first ran
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Sets value: “*VaultBackup”
    With data: “”“” — where it first ran
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
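
The host artifacts listed above (the two autorun values, the two files in %TEMP%, and the coinvault.exe process) can be checked with a read-only sweep. The script below is an added example, not part of the original write-up or of any vendor tool; it assumes it is run in the affected user's session, since HKCU and %TEMP% are per-user, and that the process name matches the coinvault.exe file name.

```powershell
# Added example: read-only check for the Ransom:MSIL/Vaultlock.A artifacts named in this article.
# Assumption: run as the affected user (HKCU and %TEMP% are per-user locations).
$findings = New-Object System.Collections.Generic.List[object]

# Autorun values the threat sets, as listed in the registry section above.
$autoruns = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'Vault' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Name = '*VaultBackup' }
)
foreach ($a in $autoruns) {
    $key = Get-Item -LiteralPath $a.Key -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }   # the key may not exist on this profile
    # Enumerate and compare literally: the '*' in '*VaultBackup' is part of the
    # value name, so it must not be passed to a parameter that expands wildcards.
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq $a.Name) {
            $findings.Add([pscustomobject]@{
                Type = 'Registry'; Location = "$($a.Key)\$name"; Detail = [string]$key.GetValue($name)
            })
        }
    }
}

# Files the threat writes to %TEMP%. wallpaper.jpg is a common file name, so
# treat it as supporting evidence only when other artifacts are also present.
foreach ($file in 'CoinVaultFileList.txt', 'wallpaper.jpg') {
    $path = Join-Path $env:TEMP $file
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings.Add([pscustomobject]@{
            Type = 'File'; Location = $path; Detail = "last written $($item.LastWriteTime)"
        })
    }
}

# A running instance of the installed executable (coinvault.exe).
Get-Process -Name 'coinvault' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{ Type = 'Process'; Location = $_.Path; Detail = "PID $($_.Id)" })
}

if ($findings.Count -eq 0) {
    'None of the Vaultlock.A artifacts described in this article were found for this user.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The data of a matching autorun value shows where the executable is located, which is the file to quarantine before the registry entries are cleaned up.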

How Is Ransom:MSIL/Vaultlock.A Distributed?

The most common ways for ransomware distribution are spam email attachments, malicious torrents, and freeware downloads. Users are advised to be extra careful as they download free software online and never open emails or download attached files from unknown senders.

Another infiltration method used by Ransom:MSIL/Vaultlock.A is via a Trojan horse.

How to Remove Ransom:MSIL/Vaultlock.A and Restore the Encrypted Files?

Experts advise against the payment of the required fee because there is no guarantee that the victims will receive their files back. The safest way to protect your PC against ransomware attacks is by performing regular backups of your important files.

Users are advised to install a powerful AV tool in Safe Mode and then try removing the threat from the affected computer. Unfortunately, the files can only be restored from a backup.


1. Start Your PC in Safe Mode to Remove Ransom:MSIL/Vaultlock.A
2. Remove Ransom:MSIL/Vaultlock.A automatically with Spy Hunter Malware - Removal Tool.

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
