Step 1: Are you infected with CoinVault?<\/h3>\n
First, make sure your files are stolen by CoinVault and not by another ransomware. It\u2019s fairly easy to determine: If you are infected with CoinVault, you will see an image like below:<\/p>\n
In the bottom right of CoinVault you will see the Bitcoin wallet address (it\u2019s marked with a black circle\u00a0on the image above). It\u2019s very important for you to copy and save this address!<\/p>\n In the top left corner of the malware window you will see a \u2018View encrypted filelist\u2019 button (it\u2019s marked with blue circle\u00a0on the image above). Click this button and save the output to a file.<\/p>\n Go to https:\/\/kas.pr\/kismd-cvault<\/a> and download the trial version of Kaspersky Internet Security. Install it and it will remove CoinVault from your system. Be sure to save all information retrieved in steps 2 and 3.<\/p>\n At https:\/\/noransom.kaspersky.com<\/a> you should enter the Bitcoin wallet address from step 2. If your Bitcoin wallet address is known, the IV and Key will appear on the screen. Please note that multiple keys and IVs may appear. In this case save all the keys and IVs to your computer, you will need them later.<\/p>\n Download the decryption tool at https:\/\/noransom.kaspersky.com<\/a> and run it on your computer. If you get an error message, as shown below, go to step 7. If not, skip step 7 and proceed to step 8.<\/p>\n Go to http:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=40779<\/a> and follow the instructions on the website. Then install the software.<\/p>\n Start the tool and you will see a screen like\u00a0below:<\/p>\n When running the tool for the first time, we strongly advise you to do a test decryption. Do the following:<\/p>\n Verify whether the newly created file is properly decrypted.<\/p>\n If everything was okay in step 9, then you can recover all your files at once. To do that select the file list from step 3, enter IV and key and click start. You can select \u201cOverwrite encrypted file with decrypted contents\u201d if you want.<\/p>\n Recover your files stolen by #CoinVault #ransomware. Free of charge<\/p>Tweet<\/a><\/blockquote>\n If you received multiple IVs and keys when you entered your Bitcoin wallet address, please be very careful. At the moment we are not 100% sure where the multiple IVs and keys for one Bitcoin wallet come from. In this case, we strongly recommend leaving the \u201cOverwrite encrypted file with decrypted contents\u201d box unticked. If something goes wrong with the decryption you can try another IV+key pair until the file is successfully decrypted.<\/p>\n![\"How](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/04\/06040912\/convault-decryption-1.jpg\")
<\/a><\/p>\nStep 2: Get the Bitcoin wallet address<\/h3>\n
Step 3: Get the encrypted file list<\/h3>\n
Step 4: Remove CoinVault<\/h3>\n
Step 5: Check https:\/\/noransom.kaspersky.com<\/a><\/h3>\n
![\"How](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/04\/06040910\/coinvault-decryption-2.jpg\")
<\/a><\/p>\nStep 6: Download the decryption tool<\/h3>\n
![\"How](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/04\/06040914\/coinvault-decryption-3.jpg\")
<\/a><\/p>\nStep 7: Download and install additional libraries<\/h3>\n
Step 8: Start the decryption tool<\/h3>\n
![\"How](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/04\/06040915\/coinvault-decryption-4.jpg\")
<\/a><\/p>\nStep 9: Test if\u00a0the decryption works properly<\/h3>\n
\n
Step 10: Decrypt all files stolen by CoinVault<\/h3>\n