Skip to main content


Wana Decryptor / WanaCrypt0r

Alright, guys. This is a tough one: However, there's no reason to claim it's impossible to decrypt victims data. These idiots always let something slip through their fingers. Their servers might be found and keys restored to their respective victims. Errors might be found in their code, their key encryption scheme may have some weakness, etc. Let's just let the experts find a way out. By the way, if you want to temporarily protect your PC from this malware, you may do this.
Recent posts

Software Utilities and Assistance

We have been requested many times to provide download links to all the tools we have used (and developed) to reverse the encryption schemes of some ransomware. These tools include Network Sniffers, TCP/IP Traffic Dumpers, Hex Editors, Debuggers and so on. For those of you who like to get hands down to work, we'll gladly provide you with them. If you are not a computer geek and just need assistance, send us an E-mail and we'll try to fix your problem. Bear in mind that we get many requests per day, so you must be patient! Sincerely, the HD team.

Hit by Coinvault?

Kaspersky Labs devised a tool to recover files without charge. Click here. It's good to know that for every gang of cybercriminals out there, there's good people willing to help you out. WE HAVE HAD SOME ADVANCES TOO BUT WE ARE NOT DISCLOSING ANY INFORMATION, AS WE LEARNT FROM EXPERIENCE THAT IT ALERTS THOSE BEHIND THESE RANSOMWARE PROGRAMS. WE JUST WANT TO THANK ALL THOSE WHO DONATED TO HELP US BUY HARDWARE TO CONDUCT OUR TESTS. Keep in tune! there are more news yet to come! The fight goes on!

Update: CryptoDefense rebranded to CryptoWall

After the fortune they reaped with CryptoDefense, not only did the crooks buy more computers from a bot net. They also rebranded it to 'CryptoWall' and made considerable changes to its website: + Multilanguage Support + Slight color changes in their website. Now it looks nicer, I confess. + Support (You can message them in case you need help)  - Their English sucks, so I haven't noticed any improvement in this area. * Ransomware notes are now named as: DECRYPT_INSTRUCTION.txt DECRYPT_INSTRUCTION.html DECRYPT_INSTRUCTION.url What does it mean to 'buy computers'? Most computers that were hit by this nasty ransomware had been previosuly infected by a botnet. A botnet is a network of infected computers that can be spied and controlled by their masters (those who own the botnet network).  These computer programs are usually used to gather users' credentials to home-banking and to perform DDoS attacks on websites, etc. (Yes, you can pay these croo

It's been awhile

I am glad to announce that we were featured on PCWorld , one of the greatest computer magazines in the world. My old computer screen is dead, and I am using my phone to reply emails and update this blog. That's why I can't always reply quickly and why I ask for donations. Anyway... Cryptolocker and CryptoDefense have proven to be a highly profitable business warped around the anonymity of cryptocurrencies and the TOR network. You can expect more of this resurgent type of malware to sweep the Internet and spread as wildfire and, as you are reading this article, someone is writing the next cryptovirus that will enter the scene tomorrow; and I am not joking. The only fireproof measure against these nasty threats is backup using non-rewritable media such as DVD-R's and Blueray disks. Cloud storage such as Dropbox seemed safe at first glance but vĂ­ctims also reported they have lost their files there. To make matters even worse, some victims also reported being hit by two

You infected the wrong fool!

Yeah, I recovered all my files. ALL and EACH one of them without paying a PENNY . If that wasn't enough, we are also helping victims to recover their files without payment.  Dear CryptoDefense Authors, if you are reading this:  SCREW YOU . Your awful script kiddie skills led our team of true experts to THWART your evil plans, even though you used state-of-the-art RSA encryption. What a bunch of fools! that's like loosing a football match having Lionel Messi, Cristiano Ronaldo and Xavi on your team. Next step is to report all your domain names (that you lamely use to infect more and more victims). Now, if you are a victim, feel free to write us at

CryptoDefense: Keys pair stored on disk!

This little detail slipped through their fingers... TOO LATE! (I actually hid this post when I understood that it might alert the crooks. But SYMANTEC did!) This is the exact path where your keys are: Windows XP C:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Crypto\RSA\S-1-5-2... Windows 7 X:\Users\<USERNAME>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21... (X stands for your hard-disk letter, which is commonly C in most computers)   HEXCMP highlights in red the differences whereas identical bytes remain white. TCP/IP dumped data is identical to the key found on Disk.  The private key is encrypted via  DPAPI (Data Protection API). There are many RSA keys in that folder though, but you can still find them by sorting these files by date. If you don't remember the date you got infected, see your screenshot at the crook's webpage or search for the oldest HOW_DECRYPT.TXT file in your system. I'll update this blog soon!