CryptoDefense
Posted: March 19, 2014
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 1/10 |
|---|---|
| Infected PCs: | 80 |
| First Seen: | March 24, 2014 |
|---|---|
| Last Seen: | April 19, 2023 |
| OS(es) Affected: | Windows |
The recently-identified CryptoDefense is a file encryptor Trojan that encrypts popular file formats on the infected PC, causing the associated files to become unusable. Although this damage is, in theory, reversible, the hundreds of dollars in ransom that CryptoDefense demands for decrypting your files is an overly expensive solution that malware researchers would suggest you avoid paying. Instead, you should restore any affected files from a remote backup, if necessary, after using standardized anti-malware techniques and software to remove CryptoDefense from your computer.
The Ransomware that's Easier to Avoid Than Remove
CryptoDefense is a 2014-era Trojan that uses file-encrypting attacks to hold your files hostage, after which CryptoDefense insists on a heavy fee being paid to re-allow access to them. Malware experts have observed major CryptoDefense distribution methods leaning on the use of fraudulent Flash updates, media player updates and similar exploits, which can be blocked with strong security settings and software designed to disable browser-based attacks. They may be found on poorly-secured advertising networks, corrupted websites designed to look like streaming media domains and, occasionally, hacked websites.
Although it shouldn't be difficult to avoid CryptoDefense's infection vectors, once CryptoDefense's compromised your PC, CryptoDefense will use a RSA-2048 encryption system to 'scramble' the contents of common files, such as TXT, JPG or MP3. The complexity of this form of encryption means that, until now, there are no known tools for decrypting the attack freely. CryptoDefense also deletes the automatic file copies created on a daily basis by the Windows VSS (or Volume Shadow Copy Service). This makes it effectively impossible to restore your files, unless you have a remote backup on a secondary hard drive (such as any USB device) that hasn't been compromised by CryptoDefense.
Of course, CryptoDefense also is a 'business', and, as such, will try to extort money by placing text instructions for paying its ransom on your hard drive. This file, How_Decrypt.txt, suggests installing the 'Tor' Web browser, an 'anonymity network' program, and then commencing with a BitCoin-based payment to a Web address that's concealed through a proxy service. However, malware researchers warn that there are no guarantees that any decryption keys will be provided by CryptoDefense's creators, even if you do submit to their demands, which is why alternate solutions always are encouraged.
A Practical Defense Against the Latest in CryptoDefense Trojans
Although its attacks hardly are new to malware analysts, CryptoDefense's recent development is just a sample of how new threats can make use of old, but still effective attacks to harm PCs. As usual, the delivery system is CryptoDefense's greatest weak point, and PCs that avoid unsafe websites, scan files before launching them and have up-to-date anti-malware protection are at less risk from CryptoDefense installations than unprotected machines. Another important factor in crippling CryptoDefense's ransom attempt is the potential for keeping remote backups of critical files, which will let you restore them easily in the event of attacks by CryptoDefense or other threatening software.
CryptoDefense also is an example of how ostensibly beneficial technologies may be used for harmful actions. This isn't the first time malware experts have noted threats making use of BitCoins as a favored transaction method, and CryptoDefense isn't the first Trojan to abuse Tor privacy features for protecting cybercrooks. However, your own anti-malware technology should be up to removing CryptoDefense as needed, assuming that you take all appropriate defensive steps before scanning your PC. Thorough scans of any compromised PC especially are recommended to counter the potential for other threats being installed with CryptoDefense, which has been seen accompanied by adware and even other kinds of file encryptors.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:%UserProfile%\Desktop\HOW_DECRYPT.TXT
File name: %UserProfile%\Desktop\HOW_DECRYPT.TXTMime Type: unknown/TXT
Group: Malware file
%UserProfile%\Desktop\HOW_DECRYPT.URL
File name: %UserProfile%\Desktop\HOW_DECRYPT.URLMime Type: unknown/URL
Group: Malware file
%UserProfile%\Desktop\HOW_DECRYPT.HTML
File name: %UserProfile%\Desktop\HOW_DECRYPT.HTMLMime Type: unknown/HTML
Group: Malware file
Registry Modifications
HKEY..\..\{CLSID Path}HKEY_CURRENT_USER\Software\[UNIQUE ID]\PROTECTEDHKEY..\..\{Value}HKEY_CURRENT_USER\Software\[UNIQUE ID] "finish" = "1"HKEY..\..\..\..{Subkeys}HKEY_CURRENT_USER\Software\[UNIQUE ID]
Additional Information
| # | Message |
|---|---|
| 1 | All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software. Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key. The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a month. After that, nobody and never will be able to restore files. In order to decrypt the files, open your personal page on the site rj2bocejarqnpuhm.onion.to/XXX and follow the instructions. If rj2bocejarqnpuhm.onion.to/XXX is not opening, please follow the steps below: 1. You must download and install this browser torproject.org/projects/torbrowser.html.en 2. After installation, run the browser and enter the address: rj2bocejarqnpuhm.onion/XXX 3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files. IMPORTANT INFORMATION: Your Personal PAGE: rj2bocejarqnpuhm.onion.to/XXX Your Personal PAGE(using TorBrowser): rj2bocejarqnpuhm.onion/XXX Your Personal CODE(if you open site directly): XXX |
How do I use the private RSA key to decrypt my files & documents?