Remove Ransom:MSIL/Vaultlock.A from the Affected PC - How to, Technology and PC Security Forum

Remove Ransom:MSIL/Vaultlock.A from the Affected PC

Ransom:MSIL/Vaultlock.A is a .NET-based threat that can be downloaded onto your computer by other malware. It is installed as coinvault.exe and, upon installation, modifies the registry so that it is launched at every system start.

The threat is also detected as: Trojan horse MSIL5.BSQB (AVG), MSIL/Filecoder.K trojan (ESET), RDN/Ransom!em (McAfee), TROJ_KRYPTO.SMAZ (Trend Micro), Trojan.SuspectCRC (Ikarus), TR/Dropper.MSIL.98504 (Avira), W32/KRYPTO.SMAZ!tr (Fortinet), W32/Trojan.JDPZ-8148 (Command), Trojan.DownLoader11.45706 (Dr.Web), Troj/dnRan-B (Sophos)

Ransom:MSIL/Vaultlock.A Details

As is typical of ransomware, Ransom:MSIL/Vaultlock.A encrypts the files on the compromised computer and demands payment for the decryption key. The files locked by the threat include:

→.jpeg, .odp, .txt, .pptx, .3ds, .3fr, .dng, .ods, .psd, .accdb, .kdc, .wb2, .ai, .docm, .mbd, .bay, .dwg, .mef, .p7b, .p7c, .pdd, .pdf, .xls, .xlk, .tc, .pptm, .odm, .jfif, .dcr, .srw, .dbf, .iso, .cr2, .cer, .erf, .mrw, .xlsm, .xlsx, .cdr, .bmp, .dxf, .mov, .c4d, .arw

and other files that may be in folders with the strings “backup” and “pictures”.

Ransom:MSIL/Vaultlock.A does not encrypt files in directories with the following substrings:

→all users, appdata, boot, downloads, windows, temp, winnt, program files, programdata, default user folder, default desktop folder, recycle.bin

As soon as the threat encrypts the files, it displays a ransom message with detailed instructions about the demanded payment and a countdown. The later the victim pays the required fee, the higher the sum becomes.

Ransom:MSIL/Vaultlock.A provides a full list of the encrypted files in %TEMP%\CoinVaultFileList.txt.

Reportedly, the desktop image also gets changed. The image file is saved in %temp%\wallpaper.jpg.

Microsoft experts report that Ransom:MSIL/Vaultlock.A blocks processes with the substrings:

  • mbam
  • msconfig
  • processhacker
  • procexp
  • regedit
  • rstrui
  • roguekiller
  • spyhunter
  • shadow
  • taskmgr

After stopping these processes, Ransom:MSIL/Vaultlock.A deletes the backup files.

Ransom:MSIL/Vaultlock.A is known to connect to remote servers and send data about the affected computer, such as Baseboard, BIOS, and Processor.

The Microsoft team adds that the threat creates the following entries in the Registry:

  • Sets value: “Vault”
    With data: “”“” — where it first ran
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Sets value: “*VaultBackup”
    With data: “”“” — where it first ran
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
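
The artifacts named above (the Run and RunOnce values, the two files under %TEMP%, and the coinvault.exe binary name) can be checked with a read-only script. This is an added example, not code from the original article or from Microsoft; the function name Get-VaultlockIndicator is hypothetical.

```powershell
# Added example: read-only check for the Vaultlock.A artifacts listed on this page.
# Run it as the affected user, because HKCU and %TEMP% are per-user locations.

function Get-VaultlockIndicator {
    $findings = @()

    # Autostart values the page lists, keyed by registry subkey.
    # A RunOnce value whose name starts with '*' is also executed in Safe Mode.
    $autoruns = @{
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'     = 'Vault'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' = '*VaultBackup'
    }
    foreach ($subkey in $autoruns.Keys) {
        $key = Get-Item -LiteralPath $subkey -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        # Enumerate names and compare with -eq so '*' is matched literally.
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq $autoruns[$subkey]) {
                $findings += [pscustomobject]@{
                    Type = 'Registry'; Location = "$subkey\$name"; Detail = $key.GetValue($name)
                }
            }
        }
    }

    # Files the page says are written to the temp folder.
    # wallpaper.jpg is a generic name, so treat it as supporting evidence only.
    foreach ($file in 'CoinVaultFileList.txt', 'wallpaper.jpg') {
        $path = Join-Path $env:TEMP $file
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{
                Type = 'File'; Location = $path; Detail = (Get-Item -LiteralPath $path).LastWriteTime
            }
        }
    }

    # Running process named after the installed binary (coinvault.exe).
    foreach ($proc in Get-Process -Name 'coinvault' -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Type = 'Process'; Location = $proc.Path; Detail = "PID $($proc.Id)" }
    }
    $findings
}

$hits = Get-VaultlockIndicator
if ($hits) { $hits | Format-Table -AutoSize -Wrap } else { 'No listed Vaultlock.A artifacts found for this user.' }
```

The Detail column for a registry hit shows the path the value points to, which is the binary to remove. If CoinVaultFileList.txt is present, keep a copy of it: it lists which files need to be restored from backup.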

How Is Ransom:MSIL/Vaultlock.A Distributed?

The most common ways for ransomware distribution are spam email attachments, malicious torrents, and freeware downloads. Users are advised to be extra careful as they download free software online and never open emails or download attached files from unknown senders.

Another infiltration method used by Ransom:MSIL/Vaultlock.A is via a Trojan horse.

How to Remove Ransom:MSIL/Vaultlock.A and Restore the Encrypted Files?

Experts advise against the payment of the required fee because there is no guarantee that the victims will receive their files back. The safest way to protect your PC against ransomware attacks is by performing regular backups of your important files.

Users are advised to install a powerful AV tool in Safe Mode and then try removing the threat from the affected computer. Unfortunately, the files can only be restored from a backup.

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.

1. Start Your PC in Safe Mode to Remove Ransom:MSIL/Vaultlock.A
2. Remove Ransom:MSIL/Vaultlock.A automatically with Spy Hunter Malware - Removal Tool.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
