CryptoDefense Description

The recently-identified CryptoDefense is a file encryptor Trojan that encrypts popular file formats on the infected PC, causing the associated files to become unusable. Although this damage is, in theory, reversible, the hundreds of dollars in ransom that CryptoDefense demands for decrypting your files is an overly expensive solution that malware researchers would suggest you avoid paying. Instead, you should restore any affected files from a remote backup, if necessary, after using standardized anti-malware techniques and software to remove CryptoDefense from your computer.

The Ransomware that’s Easier to Avoid Than Remove

CryptoDefense is a 2014-era Trojan that uses file-encrypting attacks to hold your files hostage, after which CryptoDefense insists on a heavy fee being paid to re-allow access to them. Malware experts have observed major CryptoDefense distribution methods leaning on the use of fraudulent Flash updates, media player updates and similar exploits, which can be blocked with strong security settings and software designed to disable browser-based attacks. They may be found on poorly-secured advertising networks, corrupted websites designed to look like streaming media domains and, occasionally, hacked websites.

Although it shouldn’t be difficult to avoid CryptoDefense’s infection vectors, once CryptoDefense’s compromised your PC, CryptoDefense will use a RSA-2048 encryption system to ‘scramble’ the contents of common files, such as TXT, JPG or MP3. The complexity of this form of encryption means that, until now, there are no known tools for decrypting the attack freely. CryptoDefense also deletes the automatic file copies created on a daily basis by the Windows VSS (or Volume Shadow Copy Service).

» Learn more about SpyHunter's Spyware Detection Tool
and steps to uninstall SpyHunter.

This makes it effectively impossible to restore your files, unless you have a remote backup on a secondary hard drive (such as any USB device) that hasn’t been compromised by CryptoDefense.

Of course, CryptoDefense also is a ‘business’, and, as such, will try to extort money by placing text instructions for paying its ransom on your hard drive. This file, How_Decrypt.txt, suggests installing the ‘Tor’ Web browser, an ‘anonymity network’ program, and then commencing with a BitCoin-based payment to a Web address that’s concealed through a proxy service. However, malware researchers warn that there are no guarantees that any decryption keys will be provided by CryptoDefense’s creators, even if you do submit to their demands, which is why alternate solutions always are encouraged.

A Practical Defense Against the Latest in CryptoDefense Trojans

Although its attacks hardly are new to malware analysts, CryptoDefense’s recent development is just a sample of how new threats can make use of old, but still effective attacks to harm PCs. As usual, the delivery system is CryptoDefense’s greatest weak point, and PCs that avoid unsafe websites, scan files before launching them and have up-to-date anti-malware protection are at less risk from CryptoDefense installations than unprotected machines. Another important factor in crippling CryptoDefense’s ransom attempt is the potential for keeping remote backups of critical files, which will let you restore them easily in the event of attacks by CryptoDefense or other threatening software.

CryptoDefense also is an example of how ostensibly beneficial technologies may be used for harmful actions. This isn’t the first time malware experts have noted threats making use of BitCoins as a favored transaction method, and CryptoDefense isn’t the first Trojan to abuse Tor privacy features for protecting cybercrooks. However, your own anti-malware technology should be up to removing CryptoDefense as needed, assuming that you take all appropriate defensive steps before scanning your PC. Thorough scans of any compromised PC especially are recommended to counter the potential for other threats being installed with CryptoDefense, which has been seen accompanied by adware and even other kinds of file encryptors.

CryptoDefense Automatic Detection Tool (Recommended)

Is your PC infected with CryptoDefense? To safely & quickly detect CryptoDefense we highly recommend you run the malware scanner listed below.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
  • The following files were created in the system:
    # File Name
    1 %UserProfile%\Desktop\HOW_DECRYPT.HTML
    2 %UserProfile%\Desktop\HOW_DECRYPT.TXT
    3 %UserProfile%\Desktop\HOW_DECRYPT.URL

Registry Modifications

Tutorial: To edit and delete registry entries manually, read the tutorial on how to remove malicious registry entries.

Tip & Warning: Editing and removing the wrong registry keys can severely damage your PC, so remember to backup your Windows Registry! To optimize your Windows Registry and speed up your PC, download RegHunter's registry cleaner.
  • The following newly produced Registry Values are:
    HKEY..\..\{Value}HKEY_CURRENT_USER\Software\[UNIQUE ID] "finish" = "1"HKEY..\..\..\..{Subkeys}HKEY_CURRENT_USER\Software\[UNIQUE ID]
  • The following CLSID's were detected:

Additional Information

  • The following messages's were detected:
    # Message
    1All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.

    Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

    The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a month. After that, nobody and never will be able to restore files.

    In order to decrypt the files, open your personal page on the site and follow the instructions.

    If is not opening, please follow the steps below:

    1. You must download and install this browser
    2. After installation, run the browser and enter the address: rj2bocejarqnpuhm.onion/XXX
    3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.


    Your Personal PAGE:
    Your Personal PAGE(using TorBrowser): rj2bocejarqnpuhm.onion/XXX
    Your Personal CODE(if you open site directly): XXX
Posted: March 19, 2014 | By
Rate this article:
1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 3.50 out of 5)
Loading ... Loading ...
Threat Metric
Threat Level: 10/10

One Comment

Leave a Reply

What is 9 + 4 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)