Skip to main content

CryptoDefense: Keys pair stored on disk!

This little detail slipped through their fingers... TOO LATE!

 (I actually hid this post when I understood that it might alert the crooks. But SYMANTEC did!)

 This is the exact path where your keys are:
Windows XP
C:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Crypto\RSA\S-1-5-2...
Windows 7
X:\Users\<USERNAME>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21...
(X stands for your hard-disk letter, which is commonly C in most computers) 

HEXCMP highlights in red the differences whereas identical bytes remain white.
TCP/IP dumped data is identical to the key found on Disk. 

The private key is encrypted via DPAPI (Data Protection API). There are many RSA keys in that folder though, but you can still find them by sorting these files by date. If you don't remember the date you got infected, see your screenshot at the crook's webpage or search for the oldest HOW_DECRYPT.TXT file in your system.

 I'll update this blog soon!



Comments

  1. AnonymousMarch 26, 2014 at 9:22 AM

    I've got some nice small files, the key, and some timestamps... how should I get them to you?

    ReplyDelete
  2. AnonymousMarch 26, 2014 at 11:17 AM

    Not seeing nearly enough thanks being given to you for your hard work and efforts to remedy this douchebags handiwork. Excellent work man, and good luck with your efforts!

    ReplyDelete
  3. AnonymousAugust 21, 2014 at 10:42 AM

    I greatly appreciate all of your hard work, and if I can help in my limited way, please let me know.

    ReplyDelete

Post a Comment

Popular posts from this blog

Wana Decryptor / WanaCrypt0r

Alright, guys. This is a tough one: However, there's no reason to claim it's impossible to decrypt victims data. These idiots always let something slip through their fingers. Their servers might be found and keys restored to their respective victims. Errors might be found in their code, their key encryption scheme may have some weakness, etc. Let's just let the experts find a way out. By the way, if you want to temporarily protect your PC from this malware, you may do this.
Post a Comment
Read more

You infected the wrong fool!

Yeah, I recovered all my files. ALL and EACH one of them without paying a PENNY . If that wasn't enough, we are also helping victims to recover their files without payment.  Dear CryptoDefense Authors, if you are reading this:  SCREW YOU . Your awful script kiddie skills led our team of true experts to THWART your evil plans, even though you used state-of-the-art RSA encryption. What a bunch of fools! that's like loosing a football match having Lionel Messi, Cristiano Ronaldo and Xavi on your team. Next step is to report all your domain names (that you lamely use to infect more and more victims). Now, if you are a victim, feel free to write us at howdecrypt@gmail.com
1 comment
Read more