Dumb CryptoDefense hackers leave keys on victims' PCs

By Stewart Mitchell

Posted on 1 Apr 2014 at 12:27

The latest Crypto ransomware scam – CryptoDefense – leaves victims with a key to unlock their own PC, according to security researchers.

The aggressive CryptoLocker ransomware appeared last year, locking files on victims' computers and only offering a decryption key in return for payment of a ransom.

The success of the scam – it had infected an estimated 250,000 PCs between September and December last year – has encouraged copycats, with CryptoDefense appearing in February and demanding $500 for a key to unlock files.

According to security firm Symantec, the latest iteration is earning its creators $34,000 a month. But while previous versions have been uncrackable without payment, CryptoDefense includes flaws that could allow victims to escape without payment.

"The malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape," said Symantec in a blog.

"With CryptoLocker, the private key was only ever found on servers controlled by the attacker, meaning the attackers always maintained control over the encryption/decryption keys," Symantec said. "With CryptoDefense, the attackers had overlooked one important detail: where the private key was stored."

The company said the malware used Microsoft’s cryptographic infrastructure and Windows APIs to generate the RSA-2048 key, before sending the private key back in plain text to the attacker’s server.

"This method means that the decryption key the attackers are holding for ransom actually still remains on the infected computer after transmission to the attackers' server," Symantec said.

The security firm said private keys could be found in the folder Application Data > Application Data > Microsoft > Crypto > RSA.
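
Because the key material sits in that folder, it is worth preserving the folder's contents before any clean-up or reinstall touches the machine. The script below is an added example, not code from Symantec or PC Pro: it copies every file under a given Crypto > RSA folder to an evidence folder, checks each copy by SHA-256, and writes a manifest sorted newest-first. The function name, the manifest layout and the command-line usage are assumptions made for this illustration, and the script does not decide which file, if any, belongs to CryptoDefense.

```python
import hashlib
import json
import shutil
import sys
from datetime import datetime, timezone
from pathlib import Path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def preserve_key_containers(rsa_dir, evidence_dir):
    """Copy every file under rsa_dir to evidence_dir; return a manifest list.

    rsa_dir is the Crypto > RSA folder named in the article (the caller
    supplies the full path). Per-user subfolders are kept as they are.
    """
    rsa_dir, evidence_dir = Path(rsa_dir), Path(evidence_dir)
    files = [p for p in rsa_dir.rglob("*") if p.is_file()]
    # Newest first, so recently written key files are at the top.
    files.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    manifest = []
    for src in files:
        rel = src.relative_to(rsa_dir)
        dst = evidence_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps the original timestamps
        digest = _sha256(src)
        if _sha256(dst) != digest:  # refuse to report a damaged copy
            raise IOError(f"copy of {rel} does not match the original")
        st = src.stat()
        manifest.append({
            "path": rel.as_posix(),
            "size": st.st_size,
            "modified_utc": datetime.fromtimestamp(
                st.st_mtime, tz=timezone.utc).isoformat(),
            "sha256": digest,
        })
    evidence_dir.mkdir(parents=True, exist_ok=True)
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    # Usage (assumed): python preserve_keys.py <RSA folder> <evidence folder>
    for entry in preserve_key_containers(sys.argv[1], sys.argv[2]):
        print(entry["modified_utc"], entry["size"], entry["path"])
```

Point the evidence folder at removable media rather than the infected disk, so the copies survive a wipe.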

User comments

Reality.

What percentage of those affected is this news actually likely to help? Anyone fancy having a guess if not too sure? Just wondered.

By adolfobama on 2 Apr 2014

I got the private key, what next

I got infected by Cryptodefense, I found the private key, what do I do next? How to use the key? Any help?

By jimha on 2 Apr 2014

Simple

Ask the NSA for the other half, they have compromised the issue of the Microsoft RSA 2048 pairs... ;-)

By Gindylow on 3 Apr 2014

What does the key look like?

I haven't been hit by the Cryptodefense Trojan (yet); but thinking it might still be lurking on my system I went to the Crypto/RSA file as directed and, thinking I would see nothing, but just to see what, if anything, was there.

I'm shocked to see TWELVE files! All Greek to me, their titles are just long strings of nonsense.
All, however have in common that their size is 1kb or 2kb.

What are these? More importantly, how would I recognize a Crypto Defense Key if it was there?

By Phrixos on 5 Apr 2014

PCPro-Computing in the Real World Printed from www.pcpro.co.uk