CryptoDefense Ransomware and how Symantec helped it fix its flaw!

CryptoDefense ransomware is dominating discussions these days. Victims falling prey to this variant of ransomware have been turning to different forums in large numbers, seeking support from experts. The program apes the behavior of CryptoLocker, but it cannot be considered a complete derivative of it, because the code it runs is completely different. Moreover, the damage it causes is potentially vast.

CryptoDefense Ransomware

The origin of this Internet miscreant can be traced to the fierce competition between cyber-gangs in late February 2014. It led to the development of a potentially harmful variant of this ransomware program, capable of scrambling a person’s files and forcing them to make a payment to recover the files.

CryptoDefense, as it is known, targets text, picture, video, PDF and MS Office files. When an end-user opens the infected attachment, the program begins encrypting its target files with a strong RSA-2048 key, which is practically impossible to undo without the matching private key. Once the files are encrypted, the malware drops a ransom-demand file in every folder containing encrypted files.

Upon opening the files, the victim finds a CAPTCHA page. If the files are too important for him and he wants them back, he accepts the compromise. Proceeding further, he has to fill out the CAPTCHA correctly, and the data is sent to the payment page. The price of the ransom is predetermined, and it is doubled if the victim fails to comply with the developer’s instructions within a defined time period of four days.

The private key needed to decrypt the content is held by the developer of the malware and is sent back to the attacker’s server only when the desired amount is delivered in full as ransom. The attackers appear to have created a “hidden” website to receive payments. After the remote server confirms receipt of the private decryption key, a screenshot of the compromised desktop is uploaded to the remote location. CryptoDefense allows you to pay the ransom by sending Bitcoins to an address shown in the malware’s Decrypt Service page.

Although the entire scheme of things appears to be well worked out, CryptoDefense ransomware when it first appeared did have a few bugs. It left the key right on the victim’s computer itself! 😀

Recovering that key, of course, requires technical skills that an average user might not possess. The flaw was first noticed by Fabian Wosar of Emsisoft and led to the creation of a Decrypter tool that could potentially retrieve the key and decrypt your files.

One of the key differences between CryptoDefense and CryptoLocker is the fact that CryptoLocker generates its RSA key pair on the command and control server. CryptoDefense, on the other hand, uses the Windows CryptoAPI to generate the key pair on the user’s system. Now, this wouldn’t make too much of a difference if it wasn’t for some little known and poorly documented quirks of the Windows CryptoAPI. One of those quirks is that if you aren’t careful, it will create local copies of the RSA keys your program works with. Whoever created CryptoDefense clearly wasn’t aware of this behavior, and so, unbeknownst to them, the key to unlock an infected user’s files was actually kept on the user’s system, said Fabian, in a blog post titled The story of insecure ransomware keys and self-serving bloggers.
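The practical consequence of the quirk Fabian describes is that, on an early-variant infection, the key material may still be sitting in the CryptoAPI key store on the victim’s machine, and the usual advice to wipe and rebuild destroys it. The following PowerShell script is an added example, not code from the article, from Emsisoft or from any decrypter tool: it is an incident-response triage step that copies recently created key-container files to an evidence folder and records their hashes before the machine is rebuilt. It assumes the standard key-store locations (user key containers under %APPDATA%\Microsoft\Crypto\RSA\<SID>\ and machine keys under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys); the `-Since` date and `-Destination` path are placeholders the responder sets.

```powershell
# Added example (not from the article): preserve CryptoAPI key containers that
# appeared around the time of an infection, before the machine is wiped.
# Assumptions (labelled): key stores are at the standard paths below; the
# infection time and the evidence folder are placeholders for the responder.
param(
    [datetime]$Since = (Get-Date).AddDays(-7),       # placeholder: approximate infection time
    [string]$Destination = "D:\ir\cryptoapi-keys"   # placeholder: evidence drive
)

$userStore    = Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Microsoft\Crypto\RSA'
$machineStore = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Key containers are small opaque files; what matters for triage is which ones
# were created recently, so filter on CreationTime rather than on content.
$candidates = foreach ($store in @($userStore, $machineStore)) {
    if (Test-Path $store) {
        Get-ChildItem -Path $store -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since }
    }
}

if (-not $candidates) {
    Write-Host "No key containers created since $Since were found."
    return
}

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# Copy each container intact and hash the copy so the evidence can be verified
# later against the original if the original still exists.
$report = foreach ($file in $candidates) {
    $copy = Join-Path $Destination $file.Name
    Copy-Item -Path $file.FullName -Destination $copy -Force
    [pscustomobject]@{
        Path    = $file.FullName
        Created = $file.CreationTime
        Size    = $file.Length
        SHA256  = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
    }
}

$report | Sort-Object Created | Format-Table -AutoSize
$report | Export-Csv -Path (Join-Path $Destination 'key-containers.csv') -NoTypeInformation
```

Run it as the infected user (the user store is per-profile) and, for the machine store, from an elevated prompt. The script only copies and hashes; deciding whether any of the preserved containers actually holds a usable key is a separate analysis step, which is the part the Emsisoft Decrypter automated for the early variant.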

The method was seeing success and helping people, until Symantec decided to do a full exposé of the flaw and spill the beans via its blog post. Symantec’s post prompted the malware developer to update CryptoDefense so that it no longer leaves the key behind.

Symantec researchers wrote:

“Due to the attackers’ poor implementation of the cryptographic functionality they have, quite literally, left their hostages a key to escape.”

To this the hackers replied:

Spasiba Symantec (“Thank You” in Russian). That bug has been fixed, says KnowBe4.

Currently, the only way to recover from this is to make sure you have a recent backup of the files that can actually be restored. Wipe and rebuild the machine from scratch, then restore the files.

This post on BleepingComputer makes for an excellent read if you want to learn more about this ransomware and how to combat it. Unfortunately, the methods listed in its ‘Table of Contents’ work for only about 50% of infection cases. Still, it gives you a good chance of getting your files back.

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.

9 Comments

  1. Dan

    A tough one for now for sure; all I can find is scant Symantec data indicating Cryptodefense is a trojan that upon initiating first calls pings a remote server, then upon answer send that server a screenshot of the infected user screen and begins encrypting whatever it’s set to encrypt; details are so scant online about how to protect a Windows API specifically, or what AV (if any at moment) can spot it, what can be suggested….use a proven really good browser spoofer which can also “fake out” what OS it’s on and hope the stuff flubs w/o your ever knowing, and/or block all outbound network/PC traffic, scan the heck out of every intended file, update all anti-malware, run GMER or CrowdInspect, open some file you think you must, hope if it can’t phone home and background scans see it you can clean it? Again, not much reassurance from the internet on this “bug-fixed” CryptoDefense, not even from HitManPro Alert yet which at least does well against Cryptolocker.

    As if CryptoDefense isn’t enough, four days ago Comodo AV Labs appear to have found a brand spanking new Zeus banking trojan variant that uses a certificate taken as valid; per Comodo quote: “It attempts to trick the user into executing it by presenting itself as some type of Internet Explorer document, including an icon similar to the Windows browser. What is alarming about this is that the file is digitally signed with a valid certificate, making it appear trustworthy at first glance. The digital certificate is issued to “isonet ag”. [End of quote]”. At present, it appears to me anyway the only advice Comodo is giving is to use a sandbox for browsers, or ala its CIS “Virtual kiosk” run your browsers therein.

    Thanks for your great article, and I hope I had something useful to add; can’t wait until Windows Club has more admin/community advice about blocking these scurvy plagues more effectively.

  2. Thanks Dan, your comments always enrich the post! 🙂

  3. somehint

    I wonder when the first Class Action lawsuit against Symantec for helping cyber criminals in this will be filed.

    Actually, Symantec makes money out of selling antivirus, and if there’s some quick way to fix an infected computer, it’s against their business of selling proactive security measures that you need to buy *before* the infection happens.
    Hence they could be seen as complicit here.

  4. Kevstar10

    Hi. Do you know if there is a way to decrypt the files without paying the ransom? Unfortunately I don’t have a file backup and cannot afford to lose them.

  5. Asking on Bleeping Computer forum might give you some ideas. They are good at this stuff. 🙂

  6. Tom

    This bug has completely taken over my computer, and with mum passing away all our photos were on here and her funeral videos as well. It has left me devastated.
    Can anyone please tell me how I got this on my computer and is there any way I can get this off to recover my photos and videos?
    Regards, Tom

  7. Kerry

    Hi Tom – I feel for you. I found this YouTube instructional useful for the virus/trojan removal: http://www.youtube.com/watch?v=m-D_zxdSNVk Following the removal I installed and used ShadowExplorer (it’s free) to restore earlier versions of some of the photos. After saving what I wanted to retrieve, e.g. to a USB stick, I reformatted the laptop and reinstalled Windows. I have since learned that Microsoft Security Essentials is not good enough anymore – and have installed Avast.

  8. This site doesn’t work with cryptodefense, but it may work for you:

    http://www.decryptcryptolocker.com/
