Remove Ransom:MSIL/Vaultlock.A from the Affected PC - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Ransom:MSIL/Vaultlock.A from the Affected PC


Ransom:MSIL/Vaultlock.A is a .NET-based threat that can be downloaded onto your computer by other malware. Ransom:MSIL/Vaultlock.A is installed as coinvault.exe and, upon installation, modifies the registry so that it is launched at every system start.

The threat is also detected as: Trojan horse MSIL5.BSQB (AVG), MSIL/Filecoder.K trojan (ESET), RDN/Ransom!em (McAfee), Trojan-Ransom.Win32.Crypmodadv.cz (Kaspersky), TROJ_KRYPTO.SMAZ (Trend Micro), Trojan.SuspectCRC (Ikarus), TR/Dropper.MSIL.98504 (Avira), W32/KRYPTO.SMAZ!tr (Fortinet), W32/Trojan.JDPZ-8148 (Command), Trojan.DownLoader11.45706 (Dr.Web), Troj/dnRan-B (Sophos)

Ransom:MSIL/Vaultlock.A Details

As is typical for ransomware, Ransom:MSIL/Vaultlock.A encrypts the files on the compromised computer and demands payment for the decryption key. The files locked by the threat include:

→.jpeg, .odp, .txt, .pptx, .3ds, .3fr, .dng, .ods, .psd, .accdb, .kdc, .wb2, .ai, .docm, .mbd, .bay, .dwg, .mef, .p7b, .p7c, .pdd, .pdf, .xls, .xlk, .tc, .pptm, .odm, .jfif, .dcr, .srw, .dbf, .iso, .cr2, .cer, .erf, .mrw, .xlsm, .xlsx, .cdr, .bmp, .dxf, .mov, .c4d, .arw

and other files that may be in folders with the strings “backup” and “pictures”.

Ransom:MSIL/Vaultlock.A does not encrypt files in directories with the following substrings:

→all users, appdata, boot, downloads, windows, temp, winnt, program files, programdata, default user folder, default desktop folder, recycle.bin

As soon as the threat encrypts the files, it displays a ransom message with detailed instructions about the demanded payment and a countdown. The later the victim pays the required fee, the higher the sum becomes.

Ransom:MSIL/Vaultlock.A provides a full list of the encrypted files in %TEMP%\CoinVaultFileList.txt.

Reportedly, the desktop image also gets changed. The image file is saved in %temp%\wallpaper.jpg.

Microsoft experts report that Ransom:MSIL/Vaultlock.A blocks processes with the substrings:

  • mbam
  • msconfig
  • processhacker
  • procexp
  • regedit
  • rstrui
  • roguekiller
  • spyhunter
  • shadow
  • taskmgr

After stopping these processes, Ransom:MSIL/Vaultlock.A deletes the backup files.

Ransom:MSIL/Vaultlock.A is known to connect to remote servers (www.cwears.nl and salzlandfussball.de) and send data about the affected computer, such as Baseboard, BIOS, and Processor.

The Microsoft team adds that the threat creates the following entries in the Registry:

  • Sets value: “Vault”
    With data: “”“” — where it first ran
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Sets value: “*VaultBackup”
    With data: “”“” — where it first ran
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
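A read-only PowerShell check for the artifacts listed above (the two autostart values, the two %TEMP% files and a running coinvault process), added here as an example and not taken from the original article or from Microsoft's write-up. It assumes it is run as the affected user, since both registry keys are under HKCU; note that an asterisk prefix on a RunOnce value name makes Windows run that entry in Safe Mode as well.

```powershell
# Added triage example (not from the original article). Read-only: it reports
# the indicators named in the article for the current user and changes nothing.

$findings = @()

# Autostart values named in the article. Value names are compared literally,
# because "*VaultBackup" contains an asterisk that -Name would treat as a wildcard.
$autostart = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Value = 'Vault' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Value = '*VaultBackup' }
)
foreach ($entry in $autostart) {
    $key = Get-Item -LiteralPath $entry.Key -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $entry.Value)) {
        $findings += [pscustomobject]@{
            Type     = 'Registry'
            Location = $entry.Key
            Name     = $entry.Value
            Detail   = [string]$key.GetValue($entry.Value)   # command the value launches
        }
    }
}

# Files the article says are written to %TEMP%. wallpaper.jpg on its own is a
# weak signal; treat it as corroboration for the other findings.
foreach ($name in 'CoinVaultFileList.txt', 'wallpaper.jpg') {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $path; Name = $name
            Detail = "modified $($item.LastWriteTime.ToString('s'))"
        }
    }
}

# Running process with the executable name given in the article (coinvault.exe).
Get-Process -Name 'coinvault' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{
        Type = 'Process'; Location = $_.Path; Name = $_.ProcessName; Detail = "PID $($_.Id)"
    }
}

if ($findings.Count -eq 0) { 'No Vaultlock.A indicators from the article found for this user.' }
else { $findings | Format-Table -AutoSize -Wrap }
```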

How Is Ransom:MSIL/Vaultlock.A Distributed?

The most common ways for ransomware distribution are spam email attachments, malicious torrents, and freeware downloads. Users are advised to be extra careful as they download free software online and never open emails or download attached files from unknown senders.

Another infiltration method used by Ransom:MSIL/Vaultlock.A is via a Trojan horse.

How to Remove Ransom:MSIL/Vaultlock.A and Restore the Encrypted Files?

Experts advise against the payment of the required fee because there is no guarantee that the victims will receive their files back. The safest way to protect your PC against ransomware attacks is by performing regular backups of your important files.

Users are advised to install a powerful AV tool in Safe Mode and then try removing the threat from the affected computer. Unfortunately, the files can only be restored from a backup.

The Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.

1. Start Your PC in Safe Mode to Remove Ransom:MSIL/Vaultlock.A

1. Remove all CDs and DVDs, and then Restart your PC from the “Start” menu.
2. Select one of the two options provided below:

For PCs with a single operating system: Press “F8” repeatedly after the first boot screen shows up during the restart of your computer. In case the Windows logo appears on the screen, you have to repeat the same task again.

For PCs with multiple operating systems: The arrow keys will help you select the operating system you prefer to start in Safe Mode. Press “F8” just as described for a single operating system.

3. When the “Advanced Boot Options” screen appears, select the Safe Mode option you want using the arrow keys. Once you have made your selection, press “Enter”.
4. Log on to your computer using your administrator account.

While your computer is in Safe Mode, the words “Safe Mode” will appear in all four corners of your screen.

2. Remove Ransom:MSIL/Vaultlock.A automatically with Spy Hunter Malware - Removal Tool.

It is highly recommended to run a system scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyberspace. Her fascination with IT security began a few years ago when a piece of malware locked her out of her own computer.
