Ransom:MSIL/Vaultlock.A is a .NET-based threat that can be downloaded onto your computer by other malware. Ransom:MSIL/Vaultlock.A is installed as coinvault.exe and, upon installation, modifies the registry so that it is launched at every system start.
The threat is also detected as: Trojan horse MSIL5.BSQB (AVG), MSIL/Filecoder.K trojan (ESET), RDN/Ransom!em (McAfee), Trojan-Ransom.Win32.Crypmodadv.cz (Kaspersky), TROJ_KRYPTO.SMAZ (Trend Micro), Trojan.SuspectCRC (Ikarus), TR/Dropper.MSIL.98504 (Avira), W32/KRYPTO.SMAZ!tr (Fortinet), W32/Trojan.JDPZ-8148 (Command), Trojan.DownLoader11.45706 (Dr.Web), Troj/dnRan-B (Sophos).
As typical ransomware, Ransom:MSIL/Vaultlock.A encrypts the files on the compromised computer and demands payment for the decryption key. The files locked by the threat include:
.jpeg, .odp, .txt, .pptx, .3ds, .3fr, .dng, .ods, .psd, .accdb, .kdc, .wb2, .ai, .docm, .mbd, .bay, .dwg, .mef, .p7b, .p7c, .pdd, .pdf, .xls, .xlk, .tc, .pptm, .odm, .jfif, .dcr, .srw, .dbf, .iso, .cr2, .cer, .erf, .mrw, .xlsm, .xlsx, .cdr, .bmp, .dxf, .mov, .c4d, .arw
and other files located in folders whose names contain the strings “backup” and “pictures”.
Ransom:MSIL/Vaultlock.A does not encrypt files in directories with the following substrings:
all users, appdata, boot, downloads, windows, temp, winnt, program files, programdata, default user folder, default desktop folder, recycle.bin
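The targeting rules above (extension list, "backup"/"pictures" folder names, and the excluded directory substrings) can be turned into a scoping tool that tells an analyst which files on a host the ransomware would have selected. The following Python is an added example, not code from the page or from any vendor; the sample paths at the bottom are constructed for illustration, and the substring semantics (plain case-insensitive matching on the directory part of the path) are taken literally from the description.

```python
import os
from pathlib import PureWindowsPath

# Extensions the page lists as targeted by Ransom:MSIL/Vaultlock.A
TARGET_EXTENSIONS = {
    ".jpeg", ".odp", ".txt", ".pptx", ".3ds", ".3fr", ".dng", ".ods", ".psd",
    ".accdb", ".kdc", ".wb2", ".ai", ".docm", ".mbd", ".bay", ".dwg", ".mef",
    ".p7b", ".p7c", ".pdd", ".pdf", ".xls", ".xlk", ".tc", ".pptm", ".odm",
    ".jfif", ".dcr", ".srw", ".dbf", ".iso", ".cr2", ".cer", ".erf", ".mrw",
    ".xlsm", ".xlsx", ".cdr", ".bmp", ".dxf", ".mov", ".c4d", ".arw",
}
# Folder-name substrings the page says are targeted regardless of extension
TARGET_FOLDER_SUBSTRINGS = ("backup", "pictures")
# Directory substrings the page says the ransomware skips
EXCLUDED_SUBSTRINGS = (
    "all users", "appdata", "boot", "downloads", "windows", "temp", "winnt",
    "program files", "programdata", "default user folder",
    "default desktop folder", "recycle.bin",
)


def is_targeted(path: str) -> bool:
    """Return True if the page's targeting rules would select this file.

    Matching is plain case-insensitive substring matching on the directory
    part, as the page describes it, so a folder named Templates is skipped
    because its name contains "temp".
    """
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    if any(s in parent for s in EXCLUDED_SUBSTRINGS):
        return False
    if p.suffix.lower() in TARGET_EXTENSIONS:
        return True
    return any(s in parent for s in TARGET_FOLDER_SUBSTRINGS)


def triage(paths):
    """Split a list of paths into (at_risk, skipped) according to is_targeted."""
    at_risk, skipped = [], []
    for path in paths:
        (at_risk if is_targeted(path) else skipped).append(path)
    return at_risk, skipped


def scan_tree(root):
    """Walk a real directory tree and yield the files the rules would select.

    On a Windows host this is how an analyst would scope exposure; the
    output can be compared against the list the ransomware writes itself.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_targeted(full):
                yield full


# Constructed sample paths (not from the page) showing each rule in action.
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\report.pdf",          # extension hit
    r"C:\Users\bob\Pictures\IMG_0001.raw",         # folder "pictures" hit
    r"D:\Backup\db.sqlite",                        # folder "backup" hit
    r"C:\Users\bob\AppData\Local\Temp\cache.pdf",  # skipped: appdata/temp
    r"C:\Windows\System32\drivers\etc\hosts.txt",  # skipped: windows
    r"C:\Users\bob\Documents\notes.md",            # skipped: no rule matches
]

if __name__ == "__main__":
    hit, miss = triage(SAMPLE_PATHS)
    print("would be encrypted:")
    for f in hit:
        print("  ", f)
    print("skipped:")
    for f in miss:
        print("  ", f)
```

Running scan_tree over a user profile before an incident gives a concrete inventory of what a backup policy must cover; after an incident, diffing its output against %TEMP%\CoinVaultFileList.txt shows whether the infection ran to completion.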
As soon as the threat has encrypted the files, it displays a ransom message with detailed instructions about the demanded payment and a countdown. The later the victim pays the required fee, the higher the sum becomes.
Ransom:MSIL/Vaultlock.A provides a full list of the encrypted files in %TEMP%\CoinVaultFileList.txt.
Reportedly, the desktop image also gets changed. The image file is saved in %temp%\wallpaper.jpg.
Microsoft experts report that Ransom:MSIL/Vaultlock.A blocks processes with the substrings:
After stopping these processes, Ransom:MSIL/Vaultlock.A deletes the backup files.
Ransom:MSIL/Vaultlock.A is known to connect to remote servers (www.cwears.nl and salzlandfussball.de) and send data about the affected computer, such as Baseboard, BIOS, and Processor.
The Microsoft team adds that the threat creates the following entries in the Registry:
- Sets value: “Vault”
With data: “”
“” — where it first ran
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Sets value: “*VaultBackup”
With data: “”
“” — where it first ran
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
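The two persistence entries above are the kind of indicator an analyst checks in an autoruns listing or a registry export taken from a suspect host. The Python below is an added example, not code from the page or from Microsoft: it parses the string values of a .reg export (as produced by reg.exe export), flags the Run and RunOnce values the page names or any entry whose image is coinvault.exe, and records whether the entry would survive a Safe Mode boot, since Microsoft documents that a RunOnce value whose name begins with "*" is executed even in Safe Mode. The sample export and the victim path in it are constructed; the page leaves the data field blank ("where it first ran").

```python
import re
from pathlib import PureWindowsPath

# Persistence locations and value names reported on the page (keys lower-cased
# for comparison, since registry key names are case-insensitive)
VAULTLOCK_VALUES = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run": {"vault"},
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce": {"*vaultbackup"},
}
VAULTLOCK_IMAGE = "coinvault.exe"  # file name the page says the threat installs as

# "Name"="data" or @="data" lines of a .reg export
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg escapes backslash and double quote with a preceding backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse string values from .reg text into (key, value_name, data) tuples.

    Only REG_SZ values are decoded; hex:/dword: data is kept as raw text.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        entries.append((key, name, data))
    return entries


def _image_path(command):
    """Return the executable part of a Run command line ("quoted path" args or path args)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_vaultlock_persistence(entries):
    """Flag Run/RunOnce values matching the page's names or the coinvault.exe image."""
    hits = []
    for key, name, data in entries:
        k = key.lower()
        name_hit = name.lower() in VAULTLOCK_VALUES.get(k, set())
        image = _image_path(data)
        image_hit = PureWindowsPath(image).name.lower() == VAULTLOCK_IMAGE
        if name_hit or image_hit:
            hits.append({
                "key": key,
                "value_name": name,
                "image": image,
                # Microsoft documents that a RunOnce value whose name starts
                # with "*" runs even when Windows boots into Safe Mode
                "runs_in_safe_mode": k.endswith(r"\runonce") and name.startswith("*"),
            })
    return hits


def load_reg_file(path):
    """reg.exe export writes UTF-16LE with a BOM; handle that and plain text."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


# Constructed sample export (not from the page); the coinvault.exe path is a
# made-up stand-in for the location the page leaves blank ("where it first ran").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Vault"="C:\\Users\\victim\\Downloads\\coinvault.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*VaultBackup"="C:\\Users\\victim\\Downloads\\coinvault.exe"
'''

if __name__ == "__main__":
    for hit in find_vaultlock_persistence(parse_reg_export(SAMPLE_EXPORT)):
        print(hit)
```

The runs_in_safe_mode flag matters for the cleanup advice later on this page: a "*"-prefixed RunOnce entry means the dropped binary can still execute during a Safe Mode boot, so the entry should be deleted before the host is restarted for scanning.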
How Is Ransom:MSIL/Vaultlock.A Distributed?
The most common ways for ransomware distribution are spam email attachments, malicious torrents, and freeware downloads. Users are advised to be extra careful as they download free software online and never open emails or download attached files from unknown senders.
Another infiltration method used by Ransom:MSIL/Vaultlock.A is via a Trojan horse.
How to Remove Ransom:MSIL/Vaultlock.A and Restore the Encrypted Files?
Experts advise against paying the required fee because there is no guarantee that the victims will get their files back. The safest way to protect your PC against ransomware attacks is to perform regular backups of your important files.
Users are advised to install a powerful AV tool in Safe Mode and then try removing the threat from the affected computer. Unfortunately, the files can only be restored from a backup.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.