CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
By Lawrence Abrams on March 19, 2014 @ 08:28 PM | Last Updated: April 4, 2014 | Read 104,127 times.
If you are infected with the CryptoDefense, or HOW_DECRYPT.txt, ransomware you can use this guide to learn more about the infection and what you can do once you are infected. At this time, there is a method to decrypt your files that works 50% of the time. For instructions on how to decrypt your files, please see this section. I would like to thank Fabian Wosar, DecrypterFixer and Steven Wooton for their assistance with gathering information on this infection.
There is an active CryptoDefense support topic, which contains discussion and the experiences of a variety of IT consultants, end users, and companies who have been affected by CryptoDefense. This topic also contains information on how to attempt restoring files that were encrypted by CryptoDefense. If you are interested in this infection or wish to ask questions about it, please visit this CryptoDefense support topic. Once at the topic, and if you are a member, you can subscribe to it in order to get notifications when someone adds more information to the topic.
CryptoDefense is a ransomware program that was released around the end of February 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. When a computer is infected, the infection will perform the following actions:
This payment site is located on the Tor network and you can only make the payment in Bitcoins. Though this infection has numerous similarities to CryptoLocker or CryptorBit, there is no evidence that they are related. In order to purchase the decryptor for your files you need to pay a $500 USD ransom in Bitcoins. If you do not pay the ransom within 4 days it will double to $1,000 USD. They also state that if you do not purchase a decryptor within one month, they will delete your private key and you will no longer be able to decrypt your files.
The files are encrypted using RSA-2048 encryption, which makes them impossible to decrypt via brute force methods. At the beginning of each encrypted file are two strings of text. The first string is !crypted! and the second string is a unique identifier for the infected computer. An example identifier is 18177F25DA00CD4CBC3D1b8B9F55F018. All encrypted files on the same computer contain the same unique identifier. This identifier is probably used by the Decrypt Service web site to identify the private key that can be used to decrypt the file when performing a test decryption. You can see these strings of text in a hex editor as shown below:
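The header described above is the one artifact that lets a responder triage a machine or a file share without the attacker's decryptor. The following script is an added example written for this guide; it is not part of the Emsisoft tool or anything the malware author shipped. It assumes the byte layout implied by the description (the literal marker !crypted! immediately followed by a 32-character hex identifier, with at most whitespace between them); that exact layout is an assumption. It walks a directory tree, reads only the first bytes of each file, and groups every matching file under its identifier, so that a tree touched by more than one infected host (a shared drive, for example) shows up as more than one identifier. The sample files it creates are constructed inline for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Assumed header layout: literal marker followed by a 32-char hex identifier.
# The separator between marker and identifier (if any) is an assumption; the
# regex tolerates optional whitespace and matches hex digits of either case,
# since the identifier quoted in the guide mixes upper and lower case.
MARKER = b"!crypted!"
HEADER_RE = re.compile(rb"^!crypted!\s*([0-9A-Fa-f]{32})")
HEADER_BYTES = 64  # marker + identifier + slack; no need to read the whole file


def parse_header(data: bytes):
    """Return the upper-cased identifier if data carries the header, else None."""
    m = HEADER_RE.match(data[:HEADER_BYTES])
    return m.group(1).decode("ascii").upper() if m else None


def scan_tree(root: str):
    """Walk root and map identifier -> list of file paths whose header matches.

    Unreadable files are skipped; files shorter than the header or with a
    marker but no valid identifier simply fail to match.
    """
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_BYTES)
            except OSError:
                continue
            ident = parse_header(head)
            if ident is not None:
                found[ident].append(path)
    return dict(found)


def build_sample_tree():
    """Create a constructed sample directory for the demonstration.

    Two files carry the identifier quoted in the guide, one is untouched,
    one is truncated mid-marker, and one has the marker but no hex identifier.
    """
    root = tempfile.mkdtemp(prefix="cd_sample_")
    ident = b"18177F25DA00CD4CBC3D1b8B9F55F018"  # identifier quoted in the guide
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.docx"), "wb") as fh:
        fh.write(MARKER + ident + b"\x00" * 40)  # constructed ciphertext padding
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(MARKER + ident + b"\x11" * 10)
    with open(os.path.join(root, "clean.txt"), "wb") as fh:
        fh.write(b"This file was not touched.")
    with open(os.path.join(root, "short.bin"), "wb") as fh:
        fh.write(b"!cryp")  # truncated header must not match
    with open(os.path.join(root, "bad_id.bin"), "wb") as fh:
        fh.write(MARKER + b"NOTHEXNOTHEXNOTHEXNOTHEXNOTHEXNO")  # marker, bad id
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for ident, paths in scan_tree(sample_root).items():
        print(f"identifier {ident}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Run it against a real tree by replacing the sample root with the path you want to inventory; the per-identifier file list is the input you would hand to the decrypter (or to a restore-from-backup job), and a tree with two or more identifiers tells you that more than one infected user account wrote to it.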
Based on research performed by DecrypterFixer, it appears that this infection is installed through programs that pretend to be Flash updates or video players required to view an online video. When these downloads are run, numerous adware programs are installed along with CryptoDefense. From screenshots of other infected computers, it is also not uncommon for infected computers to have CryptoDefense or CryptorBit installed on them as well.
If you were infected by CryptoDefense on April 1st 2014 or before, then there is a chance you can recover the decryption key that can be used to decrypt your files. This is because the malware developer had a flaw in the CryptoDefense program that left behind the private decryption key. Fabian Wosar of Emsisoft discovered this flaw and created a decrypter that could potentially retrieve the key and decrypt your files. Fabian, and others, were then helping victims privately on how to use this tool so that the malware developer would not learn how to fix the flaw in their program. Unfortunately, Symantec decided to blog about this flaw, instead of keeping it quiet, which led the malware developer to update CryptoDefense so it no longer leaves behind the key. In my opinion, this was irresponsible as Symantec chose publicity over helping the victims.
With this said, if you were infected with CryptoDefense before April 1st 2014, you should read the following section in order to attempt to retrieve your key and decrypt your files:
If Emsisoft's tool is unable to retrieve your decryption key, then your only other method is to try and restore your files from a shadow copy. As CryptoDefense attempts to clear your shadow copies when it is installed, this may not work either. Please note that Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.
Unfortunately, if none of the above methods work, your only alternative will be to restore from an available backup.
If you were infected before April 1st, 2014 then you may have been infected with a variant that mistakenly left the private decryption key behind on the computer. To begin please download decrypt_cryptodefense.zip from the following URL and save it to your desktop.
Once the file has been downloaded, right-click on the file and select Extract All.... An extraction wizard will open that will guide you through the extraction process. If you left all of the check marks checked during the extraction wizard, the extracted folder will automatically open.
Inside the folder you will see two files. One file is a tool called CryptoOffense (CryptoOffense.exe) that can be used to extract the decryption key to a file called secret.key. You only need to use this file if you wish to decrypt encrypted files using a different computer. For more information on how to use this tool, please see the How to export your key and decrypt from another computer section below.
The directory also contains a tool called decrypt_cryptodefense.exe. This program is a CryptoDefense decrypter that we will be using to automatically extract the encryption key from your computer and decrypt your files. If you are logged into the infected machine as the infected user, please double-click on the decrypt_cryptodefense.exe file to launch the Emsisoft CryptoDefense Decrypter tool. If the file is detected by your anti-virus software when you run it, please rest assured that the file is harmless. You can either whitelist the file in your anti-virus software or disable your anti-virus system for the duration of the decryption. For further instructions on how to do that, please refer to the manual of your anti-virus software.
The Emsisoft CryptoDefense Decrypter will now be launched and you will be shown a screen similar to the one below.
This program will recursively scan all folders that are added for encrypted files. When you are ready to start the decryption process simply click on the Decrypt button.
The Emsisoft decrypter will now attempt to extract the decryption key from the logged in account. If a key is detected, you will see the following message in the log:
If a key is detected it will automatically begin to decrypt the encrypted files on your computer. This process can take quite a while, so please be patient while it processes your files. While the program decrypts your files it may appear to hang on a particular file and the program will appear to not respond. This is normal and when it has finished decrypting the file it will start responding again.
When you run decrypt_cryptodefense.exe, if it is unable to extract the key it will display the alert shown below and unfortunately will not be able to decrypt your files.
In this situation we have one last chance of possibly recovering your decryption key. The decryption key is stored in the %appdata%\Microsoft\Crypto\RSA folder. If your Shadow Volume Copies are intact, you can restore that folder to a previous version in the hope that you will be restoring the key that encrypted your files. You can then run the decrypt_cryptodefense.exe program again and see if it can load the correct key and decrypt your files.
Before you restore your RSA folder it is strongly suggested that you backup your %appdata%\Microsoft\Crypto\RSA folder. Also if you are using EFS, then be careful with restoring your RSA folder. At a bare minimum you must backup your certificates using the instructions in this Microsoft document.
If you run into any problems or do not feel completely comfortable following these instructions on your own, please feel free to ask for more guidance in the CryptoDefense Support Topic.
If you wish to decrypt encrypted files from another computer you will need to perform some additional steps. As decrypt_cryptodefense.exe will try to automatically retrieve the key from the infected computer, this will obviously not work if you run the program from a different computer. Instead you will first need to export the decryption key on the infected computer as a file called secret.key and then copy it to the computer where you wish to perform the decryption.
To do this, copy the CryptoOffense.exe file from the decrypt_cryptodefense.zip file to the infected computer. When logged in as the infected user, run the CryptoOffense.exe program. If everything works, you will see output like this:
You will now find a new file named "secret.key" in the same directory as the CryptoOffense.exe program you just ran. You can then copy that secret.key file to your decryption computer and place it in the same folder as the decrypt_cryptodefense.exe tool. Now when you run decrypt_cryptodefense.exe on the decryption computer it will automatically load the secret.key and allow you to decrypt the files.
If you had System Restore enabled on the computer, Windows creates shadow copy snapshots that contain copies of your files from the point in time when the system restore snapshot was created. These snapshots may allow us to restore a previous version of our files from before they had been encrypted. This method is not foolproof, though, as even though these files may not be encrypted they also may not be the latest version of the file. Also, CryptoDefense tries to clear these shadow copies, so they may not contain your documents after you become infected. Please note that Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.
In this section we provide two methods that you can use to restore files and folders from the Shadow Volume Copy. The first method is to use native Windows features and the second method is to use a program called Shadow Explorer. It does not hurt to try both and see which method works better for you.
Using native Windows Previous Versions:
To restore individual files you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up as shown in the image below.
To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to. If you wish to restore the selected file and replace the existing one, click on the Restore button. If you wish to view the contents of the actual file, you can click on the Open button to see the contents of the file before you restore it.
This same method can be used to restore an entire folder. Simply right-click on the folder and select Properties and then the Previous Versions tab. You will then be presented with a similar screen as above where you can either Copy the selected backup of the folder to a new location or Restore it over the existing folder.
You can also use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.
When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.
To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.
When you are infected with CryptoDefense, the infection will create How_Decrypt.txt and How_Decrypt.html files that contain information on how to pay the ransom. Below are the contents of the How_Decrypt.txt and How_Decrypt.html messages:
The instructions tell the victim that in order to pay the ransom they need to go to a special Decrypt Service site where they can enter their personal code and access the payment page. This site can be accessed via the Tor address rj2bocejarqnpuhm.onion or through https://rj2bocejarqnpuhm.onion.to using a normal browser. When a user visits the Decrypt Service site they will be presented with a page that contains information about how much they need to pay to purchase the decryption program. The site also contains a Frequently Asked Questions page, a page that shows a screenshot of your active Windows screen from when you became infected, and a page where you can perform a test decryption on one file.
In order to pay the ransom, you will need to send the requested bitcoins to the listed bitcoin address. Once you send the bitcoins you then need to submit the transaction ID on their site and click on the Pay button. Once the transaction has been verified you will be given a link where you can download the decryptor, which is shown below.
When you run the decryptor it will read the registry to find files that need to be decrypted. If the registry entries do not exist it will prompt you to specify a folder to scan for encrypted files.
CryptoDefense allows you to pay the ransom by sending bitcoins to an address shown on the CryptoDefense Decrypt Service page. Bitcoins are currently worth over $600 USD on some bitcoin exchanges. The Bitcoin addresses used by CryptoDefense to receive payments are:
You can use the links above to see transactions into the wallet and out of the wallet. You can typically tell which payments to this address are from ransom victims as there will be many payments with similar amounts.
03/19/14 - Initial guide creation
Associated CryptoDefense Files:
Associated CryptoDefense Windows Registry Information:
This is a self-help guide. Use at your own risk.
BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.
If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.