CryptoDefense Ransomware and how Symantec helped it fix its flaw!

CryptoDefense ransomware is dominating discussions these days. Victims of this ransomware variant have been turning to various forums in large numbers, seeking support from experts. Although it is ransomware in the same mould, the program only apes the behavior of CryptoLocker and cannot be considered a direct derivative of it, because the code it runs is completely different. Moreover, the damage it causes is potentially vast.


The origin of this Internet miscreant can be traced to the furious competition between cyber-gangs in late February 2014. It led to the development of a potentially harmful variant of this ransomware program, capable of scrambling a person’s files and forcing them to pay to recover those files.

CryptoDefense, as it is known, targets text, picture, video, PDF and MS Office files. When an end-user opens the infected attachment, the program begins encrypting its target files with a strong RSA-2048 key, which cannot practically be undone without the matching private key. Once the files are encrypted, the malware drops a ransom-demand file in every folder containing encrypted files.

Upon opening these files, the victim finds a CAPTCHA page. If the files are too important to lose and the victim wants them back, he accepts the compromise. Proceeding further, he has to fill out the CAPTCHA correctly and is then sent to the payment page. The price of the ransom is predetermined, and it doubles if the victim fails to comply with the developer’s instructions within a defined period of four days.

The private key needed to decrypt the content is held by the developer of the malware and is sent back from the attacker’s server only when the desired amount is delivered in full as ransom. The attackers appear to have created a “hidden” website to receive payments. After the remote server confirms receipt of the private decryption key, a screenshot of the compromised desktop is uploaded to the remote location. CryptoDefense allows you to pay the ransom by sending Bitcoins to an address shown in the malware’s Decrypt Service page.

Although the entire scheme appears to be well worked out, CryptoDefense ransomware, when it first appeared, did have a few bugs. It left the key right on the victim’s computer itself! 😀

Figuring out the key, of course, requires technical skills that an average user might not possess. The flaw was first noticed by Fabian Wosar of Emsisoft and led to the creation of a Decrypter tool that could potentially retrieve the key and decrypt your files.

One of the key differences between CryptoDefense and CryptoLocker is the fact that CryptoLocker generates its RSA key pair on the command and control server. CryptoDefense, on the other hand, uses the Windows CryptoAPI to generate the key pair on the user’s system. Now, this wouldn’t make too much of a difference if it wasn’t for some little known and poorly documented quirks of the Windows CryptoAPI. One of those quirks is that if you aren’t careful, it will create local copies of the RSA keys your program works with. Whoever created CryptoDefense clearly wasn’t aware of this behavior, and so, unbeknownst to them, the key to unlock an infected user’s files was actually kept on the user’s system, said Fabian, in a blog post titled The story of insecure ransomware keys and self-serving bloggers.
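The quirk Fabian describes is that CryptoAPI persists RSA keys generated in a named key container to the user’s profile. For an incident responder, the practical question is whether such key material survived on an infected machine before it is wiped. The following PowerShell snippet is an added example, not code from the article, from Emsisoft or from Symantec. It assumes, as is standard Windows behaviour for per-user CryptoAPI key containers, that they are stored as files under %APPDATA%\Microsoft\Crypto\RSA\<user SID>, and it lists any container files created since a given date so they can be preserved before the machine is rebuilt.

```powershell
# Added example: triage the current user's CryptoAPI RSA key store for
# key containers created around the time of a suspected infection.
# Assumption (standard Windows behaviour, not stated in the article):
# per-user key containers are stored under %APPDATA%\Microsoft\Crypto\RSA\<SID>.
param(
    # Default window: the last seven days; pass the infection date if known.
    [datetime]$Since = (Get-Date).AddDays(-7)
)

$keyRoot = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'

if (-not (Test-Path -Path $keyRoot)) {
    Write-Warning "No CryptoAPI RSA key store found at $keyRoot"
    return
}

# Each file is one key container; creation time is the interesting signal,
# because ransomware that generated a key locally did so at infection time.
Get-ChildItem -Path $keyRoot -Recurse -File |
    Where-Object { $_.CreationTime -ge $Since } |
    Sort-Object -Property CreationTime |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize
```

Run it in the infected user’s context (e.g. `.\Find-RecentKeyContainers.ps1 -Since '2014-02-20'`) and copy the whole RSA directory to removable media before wiping the machine; whether a recovered container actually holds a usable decryption key for a given sample is something a specialist tool such as the Emsisoft Decrypter mentioned above has to determine.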

The method was proving successful and helping people, until Symantec decided to do a full exposé of the flaw and spill the beans in a blog post. Symantec’s disclosure prompted the malware developer to update CryptoDefense so that it no longer leaves the key behind.

Symantec researchers wrote:

“Due to the attackers’ poor implementation of the cryptographic functionality they have, quite literally, left their hostages a key to escape”.

To this the hackers replied:

Spasiba Symantec (“Thank You” in Russian). That bug has been fixed, says KnowBe4.

Currently, the only reliable way to recover is to have a recent backup of the files that can actually be restored. Wipe and rebuild the machine from scratch, then restore the files from that backup.

This post on BleepingComputers makes for an excellent read if you want to learn more about this ransomware and how to deal with an infection head-on. Unfortunately, the methods listed in its ‘Table of Contents’ work in only about 50% of infection cases. Still, it offers a reasonable chance of getting your files back.

Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.