CoinVault is part of the CryptoGraphic Locker ransomware family and targets Windows OS. It spreads via spam emails containing infected .zip file attachments disguised as PDF files. Files encrypted by CoinVault gain a .clf extension. It allows victims to decrypt one file for free as the decryption function is included in the executable file. Victims impacted can find a list of encrypted files labeled “CoinvaultFileList.txt” in their infected system’s temp folder.