Skip to main content

Posts

Showing posts from 2014

Update: CryptoDefense rebranded to CryptoWall

After the fortune they reaped with CryptoDefense, not only did the crooks buy more computers from a bot net. They also rebranded it to 'CryptoWall' and made considerable changes to its website: + Multilanguage Support + Slight color changes in their website. Now it looks nicer, I confess. + Support (You can message them in case you need help)  - Their English sucks, so I haven't noticed any improvement in this area. * Ransomware notes are now named as: DECRYPT_INSTRUCTION.txt DECRYPT_INSTRUCTION.html DECRYPT_INSTRUCTION.url What does it mean to 'buy computers'? Most computers that were hit by this nasty ransomware had been previosuly infected by a botnet. A botnet is a network of infected computers that can be spied and controlled by their masters (those who own the botnet network).  These computer programs are usually used to gather users' credentials to home-banking and to perform DDoS attacks on websites, etc. (Yes, you can pay these croo

It's been awhile

I am glad to announce that we were featured on PCWorld , one of the greatest computer magazines in the world. My old computer screen is dead, and I am using my phone to reply emails and update this blog. That's why I can't always reply quickly and why I ask for donations. Anyway... Cryptolocker and CryptoDefense have proven to be a highly profitable business warped around the anonymity of cryptocurrencies and the TOR network. You can expect more of this resurgent type of malware to sweep the Internet and spread as wildfire and, as you are reading this article, someone is writing the next cryptovirus that will enter the scene tomorrow; and I am not joking. The only fireproof measure against these nasty threats is backup using non-rewritable media such as DVD-R's and Blueray disks. Cloud storage such as Dropbox seemed safe at first glance but víctims also reported they have lost their files there. To make matters even worse, some victims also reported being hit by two

You infected the wrong fool!

Yeah, I recovered all my files. ALL and EACH one of them without paying a PENNY . If that wasn't enough, we are also helping victims to recover their files without payment.  Dear CryptoDefense Authors, if you are reading this:  SCREW YOU . Your awful script kiddie skills led our team of true experts to THWART your evil plans, even though you used state-of-the-art RSA encryption. What a bunch of fools! that's like loosing a football match having Lionel Messi, Cristiano Ronaldo and Xavi on your team. Next step is to report all your domain names (that you lamely use to infect more and more victims). Now, if you are a victim, feel free to write us at howdecrypt@gmail.com

CryptoDefense: Keys pair stored on disk!

This little detail slipped through their fingers... TOO LATE! (I actually hid this post when I understood that it might alert the crooks. But SYMANTEC did!) This is the exact path where your keys are: Windows XP C:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Crypto\RSA\S-1-5-2... Windows 7 X:\Users\<USERNAME>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21... (X stands for your hard-disk letter, which is commonly C in most computers)   HEXCMP highlights in red the differences whereas identical bytes remain white. TCP/IP dumped data is identical to the key found on Disk.  The private key is encrypted via  DPAPI (Data Protection API). There are many RSA keys in that folder though, but you can still find them by sorting these files by date. If you don't remember the date you got infected, see your screenshot at the crook's webpage or search for the oldest HOW_DECRYPT.TXT file in your system. I'll update this blog soon!

Working backwards to the seeds! (OUTDATED)

Note:  This article is technically accurate and it can be applied to rudimentary RSA implementations that only use time retrieval functions as seed as demonstrated by CS Students from Virginia University .  However, CryptoDefense  uses CrytoAPI which uses a robust PRNG based on  process ID, thread ID,  system clock, system time, system counter, memory status, free disk clusters,  etc . I dramatically changed the keys recovery approach as soon as I found out the keys were stored on disk.    Why keep this article then? Oh, we wanted the crooks to think we were down the wrong path ;) Do NOT use somebody else's decryption program! The reason why each key is unique and why you can't use somebody else's decryption program is because this ransomware randomly generates the keys for each victim. If there was a unique private key for everyone, there would be no need to panic! But the is a problem... Software alone is technically incapable of generating random numbers in i

Good News (part 2)

Hey guys! After some -lot of- research and reverse-engineering, I decided to create a video which explains how to recover the private keys via a sniffer. Mind you, in some countries (United States and the United Kingdom and some countries in the European Union), ISPs are requested by law to retain data for over a year or so. Therefore, the authorities are able to retrieve the information (metadata) you sent and received anytime, including the day you got infected. It isn't hard for them to do, but that of course implies a long judicial process. Instead of paying the crooks, try to get in touch with the police and point out the existence of this law. I am also working on a program to to brute-force the key based on  parameters found inside the victim's computer  which I won't disclose right now. It appears that although the 2048 bits is certainly strong, they used a weak seeding which is quite simple and a brute-force attack can be performed within an manageable

Good news!

ONLY FOR THOSE INFECTED WITH 'CRYPTODEFENSE' MALWARE. I've found a weakness in the malware samples which would allow me to regenerate the private key! . Now it'd be possible to recover files without paying the crooks a penny (though it's not as easy as it sounds). I won't comment any further as I don't want to alert the cyber-crooks.

Cryptodefense: Malware Analysis & Reverse-Engineering

I've been a computer geek for ages and here are my conclusions. I've been gathering as much information as I could during these days, and there are many variants of Ramsomware from apparently different authors. Some of them do not completely encrypt your files, except their first 512 bytes by which it's possible to decrypt with an easy-to-use tool voluntarily made by BleepingComputer programmers [Link] . There's another variant that entirely encrypts your files but, due to a failure in its design, it uses a much weaker 128 bits encryption instead which can be easily broken a standard computer in a matter of hours. [Link] Then there's the newest, known as CryptoDefense that completely encrypts your files. If you were unlucky enough to get in contact with the latter and if you want some more technical information about it, here's my analysis.  1. Encrypted File Samples: HEXCMP comes visually effective when comparing two binary files. These two encryp

Welcome to the "Decrypt Service"

Doesn't that sound way too brandy? Like those smiling guys from -let's suppose-  Big Bob's Repair Service 24 Hours you see when you crash your car in the middle of the road? They sure become handy in situations like this, but Damn! Big Bob's guys did not destroy your car in the first place! That's like stabbing you in the neck and later offer you a medical service. WHAT?! Anyway... The Decrypt Service is the server, the webpage that will provide you with the program you need to decrypt your files back to their original form (after payment). This server is hidden behind Onion.to , which means it's horrendously difficult to trace. Maybe their server is in Russia, China or even your at your neighbor's. One can't really tell because Onion.to creates a chain of randomly chosen computers as a path to the final server. This chain-route can go from Miami to Russia, then to Australia, then back to Miami and then finally to the crook's server. The Onion

Your files got encrypted by a RANSOMWARE!

On March 14, 2014 I got infected by a ransomware, a malicious program that encrypts your files upon infection and demands a payment in order to recover your files. This particular malware called CryptoDefense  creates the following files after it has encrypted all your videos, music and documents: " HOW_DECRYPT.TXT" , " HOW_DECRYPT.HTML" and " HOW_DECRYPT.URL" hence  the name of this blog.  Screenshot of files on Windows 7 The text in these files reads: All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software. Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.  The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet;  the server will destroy the key after a month. After that, nobody and never will be able to restore files. In order to decry