
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

By on March 19, 2014 @ 08:28 PM | Last Updated: April 4, 2014 | Read 115,061 times.

Table of Contents

  1. How to get help with CryptoDefense
  2. What is CryptoDefense or the HOW_DECRYPT.txt Ransomware
  3. How to decrypt files encrypted by CryptoDefense
  4. How to restore files encrypted by CryptoDefense using the Emsisoft Decryptor
  5. How to restore files encrypted by CryptoDefense using Shadow Volume Copies
  6. Information about the Malware Developer's CryptoDefense Decrypt Service Site
  7. Known Bitcoin Payment addresses for CryptoDefense

 

If your computer has been infected with CryptoDefense there may be a chance to restore your files. Fabian Wosar of Emsisoft discovered a method that allows you to decrypt your files if you were infected before April 1st 2014. Unfortunately, this only works in about half of the infection cases, but it still provides a good chance of getting your files back.

For instructions on how to do this, please read this section:

How to decrypt files encrypted by CryptoDefense

If you need assistance with the above instructions, please ask in the CryptoDefense Support Topic.

 

How to get help with CryptoDefense

If you are infected with the CryptoDefense, or HOW_DECRYPT.txt, ransomware you can use this guide to learn more about the infection and what you can do once you are infected. At this time, there is a method to decrypt your files that works roughly 50% of the time. For instructions on how to decrypt your files, please see this section. I would like to thank Fabian Wosar, DecrypterFixer and Steven Wooton for their assistance with gathering information on this infection.

There is an active CryptoDefense support topic, which contains discussion and the experiences of a variety of IT consultants, end users, and companies who have been affected by CryptoDefense. This topic also contains information on how to attempt restoring files that were encrypted by CryptoDefense. If you are interested in this infection or wish to ask questions about it, please visit this CryptoDefense support topic. Once at the topic, and if you are a member, you can subscribe to it in order to get notifications when someone adds more information to the topic.

 

What is CryptoDefense or the How_Decrypt Ransomware

CryptoDefense is a ransomware program that was released around the end of February 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. When a computer is infected, the infection will perform the following actions:

  • Connects to the Command and Control server and uploads your private key.

  • Deletes all Shadow Volume Copies so that you cannot restore your files from the Shadow Volumes. This means you will only be able to restore your files by restoring from backup or paying the ransom. In some cases the infection does not properly clear the shadow copies, so you may want to use the instructions below to see if you can restore from them.

  • Scans your computer and encrypts data files such as text files, image files, video files, and office documents.

  • Creates a screenshot of your active Windows screen and uploads it to their Command & Control server. This screenshot will be inserted into your payment page on their Decrypt Service site, which is explained further in this FAQ.

  • Creates a How_Decrypt.txt and How_Decrypt.html file in every folder that a file was encrypted. The HTML and TXT files will contain instructions on how to access a payment site that can be used to send in the ransom.

  • Creates a HKCU\Software\<unique ID>\ registry key and stores various configuration information in it. It will also list all the encrypted files under the HKCU\Software\<unique ID>\PROTECTED key.

 

CryptoDefense screen shot

 

This payment site is located on the Tor network and you can only make the payment in Bitcoins. Though this infection has numerous similarities to CryptoLocker or CryptorBit, there is no evidence that they are related. In order to purchase the decryptor for your files you need to pay a $500 USD ransom in Bitcoins. If you do not pay the ransom within 4 days it will double to $1,000 USD. They also state that if you do not purchase a decryptor within one month, they will delete your private key and you will no longer be able to decrypt your files.

The files are encrypted using RSA-2048 encryption, which makes them impossible to decrypt via brute force methods. At the beginning of each encrypted file will be two strings of text. The first string is !crypted! and the second string is a unique identifier for the infected computer. An example identifier is 18177F25DA00CD4CBC3D1b8B9F55F018. All encrypted files on the same computer will contain the same unique identifier. This identifier is probably used by the Decrypt Service web site to identify the private key that can be used to decrypt the file when performing a test decryption. You can see these strings of text in a hex editor as shown below:

Hex Editor showing Encrypted File
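The marker described above is easy to check for in bulk. The following Python script is an added example, not part of the original guide and not one of the tools it mentions: it walks a directory tree, reads the first bytes of each file, and groups files that start with the !crypted! marker by the identifier that follows it. The layout it assumes is the marker immediately followed by the 32 hex characters (the page does not say whether a separator byte sits between them, so a few NUL or whitespace bytes are tolerated; that tolerance is an assumption). The sample tree it builds for the demonstration is constructed, not real victim data. Because the identifier is tied to the key pair, seeing more than one identifier on a machine means more than one key was used, and a single recovered key will not decrypt everything, which is worth knowing before you spend time on the decrypter.

```python
import os
import re
import tempfile
from collections import defaultdict

# Header layout assumed from the description above: the literal marker
# "!crypted!" followed by a 32-character hex identifier. The page does not
# say whether a separator sits between them, so up to four NUL/whitespace
# bytes are tolerated (assumption).
HEADER_RE = re.compile(rb"^!crypted![\x00\s]{0,4}([0-9A-Fa-f]{32})")


def parse_header(head: bytes):
    """Return the identifier (upper-case hex) if head starts with the
    CryptoDefense marker, otherwise None."""
    m = HEADER_RE.match(head)
    return m.group(1).decode("ascii").upper() if m else None


def scan_tree(root: str) -> dict:
    """Walk root and return {identifier: [paths]} for every file whose
    first bytes carry the marker. Only the first 64 bytes are read."""
    found = defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the scan
            ident = parse_header(head)
            if ident:
                found[ident].append(path)
    return dict(found)


def triage(root: str) -> dict:
    """Summarise a scan. More than one identifier means more than one key
    pair was used on this machine, so one recovered key will not decrypt
    every file."""
    found = scan_tree(root)
    counts = {ident: len(paths) for ident, paths in found.items()}
    return {
        "encrypted_files": sum(counts.values()),
        "identifiers": counts,
        "multiple_keys": len(counts) > 1,
    }


def demo() -> dict:
    """Build a constructed sample tree (not real victim data) and triage it."""
    id_a = b"18177F25DA00CD4CBC3D1b8B9F55F018"   # identifier quoted in the guide
    id_b = b"0123456789ABCDEF0123456789ABCDEF"   # constructed second identifier
    samples = {
        "report.docx": b"!crypted!" + id_a + b"\x83\x1f\x00\x9a" * 8,
        "photo.jpg": b"!crypted!" + id_a + b"\x41\x07\xfe" * 10,
        "notes.txt": b"!crypted!" + id_a + b"\x10\x22" * 12,
        "budget.xlsx": b"!crypted!" + id_b + b"\x77\x55" * 12,
        "How_Decrypt.txt": b"All files including videos, photos and documents ...",
        "clean.txt": b"plain text, never touched",
    }
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name, content in samples.items():
            with open(os.path.join(docs, name), "wb") as fh:
                fh.write(content)
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

Run it against a victim's profile folder (for example `triage(r"C:\Users\victim")`) to get a count per identifier; the ransom note files themselves are not flagged because they do not start with the marker.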

Based on research performed by DecrypterFixer, it appears that this infection is installed through programs that pretend to be Flash updates or video players required to view an online video. When these downloads are run, numerous adware programs will be installed along with CryptoDefense. From screenshots of other infected computers, it is also not uncommon for infected computers to have CryptoLocker or CryptorBit installed on them as well.

 

How to decrypt files encrypted by CryptoDefense

If you were infected by CryptoDefense on April 1st 2014 or before, then there is a chance you can recover the decryption key that can be used to decrypt your files. This is because the malware developer had a flaw in the CryptoDefense program that left the private decryption key behind on the infected computer. Fabian Wosar of Emsisoft discovered this flaw and created a decrypter that could potentially retrieve the key and decrypt your files. Fabian, and others, were then helping victims privately on how to use this tool so that the malware developer would not know how to fix the flaw in their program. Unfortunately, Symantec decided to blog about this flaw, instead of keeping it quiet, which led the malware developer to update CryptoDefense so it no longer leaves behind the key. In my opinion, this was irresponsible as Symantec chose publicity over helping the victims.

With this said, if you were infected with CryptoDefense before April 1st 2014, you should read the following section in order to attempt to retrieve your key and decrypt your files:

How to restore files encrypted by CryptoDefense using the Emsisoft Decryptor

If Emsisoft's tool is unable to retrieve your decryption key, then your only other method is to try and restore your files from a shadow copy. As CryptoDefense attempts to clear your shadow copies when it is installed, this may not work either. Please note that Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.

How to restore files encrypted by CryptoDefense using Shadow Volume Copies

Unfortunately, if none of the above methods work, your only alternative will be to restore from an available backup.

 

How to restore files encrypted by CryptoDefense using the Emsisoft Decryptor

If you were infected before April 1st, 2014 then you may have been infected with a variant that mistakenly left the private decryption key behind on the computer. To begin please download decrypt_cryptodefense.zip from the following URL and save it to your desktop.

http://tmp.emsisoft.com/fw/decrypt_cryptodefense.zip

Once the file has been downloaded, right-click on the file and select Extract All ... . An extraction wizard will open that will guide you through the extraction process. If you left all of the check marks checked during the extraction wizard, the extracted folder will automatically open.

Inside the folder you will see two files. One file is a tool called CryptoOffense (CryptoOffense.exe) that can be used to extract the decryption key to a file called secret.key. You only need to use this file if you wish to decrypt encrypted files using a different computer. For more information on how to use this tool, please see the How to export your key and decrypt from another computer section below.

The directory also contains a tool called decrypt_cryptodefense.exe. This program is a CryptoDefense decrypter that we will be using to automatically extract the decryption key from your computer and decrypt your files. If you are logged into the infected machine as the infected user, please double-click on the decrypt_cryptodefense.exe file to launch the Emsisoft CryptoDefense Decrypter tool. When you run this file, if it is detected by your anti-virus software, please rest assured that the file is harmless. You can either whitelist the file in your anti-virus software or disable your anti-virus software for the duration of the decryption. For further instructions on how to do that, please refer to the manual of your anti-virus software.

The Emsisoft CryptoDefense Decrypter will now be launched and you will be shown a screen similar to the one below.

 

Emsisoft Decrypter

 

This program will recursively scan all folders that are added for encrypted files. When you are ready to start the decryption process simply click on the Decrypt button.

The decrypter will now attempt to extract the decryption key from the logged-in account's key storage. If a key is found, you will see the following message in the log:

Loaded private key from current user's key storage!

If a key is detected it will automatically begin to decrypt the encrypted files on your computer. This process can take quite a while, so please be patient while it processes your files. While the program decrypts your files it may appear to hang on a particular file and the program will appear to not respond. This is normal and when it has finished decrypting the file it will start responding again.

When you run decrypt_cryptodefense.exe, if it is unable to extract the key it will display the alert shown below and unfortunately will not be able to decrypt your files.

No Key Found Alert


If the program was able to recover and load the key, but you are receiving errors that state File could not be decrypter properly. Skipping ... then your key may have been overwritten. Examples of this happening can be seen in the image below.

 

Emsisoft Decrypter

 

In this situation we have one last chance of possibly recovering your decryption key. The decryption key is stored in the %appdata%\Microsoft\Crypto\RSA folder, which is where Windows CryptoAPI keeps the current user's key containers. If your Shadow Volume Copies are intact you can restore that folder to a previous version in the hope that you will be restoring the key that encrypted your files. You can then run the decrypt_cryptodefense.exe program again and see if it can load the correct key and decrypt your files.

Before you restore your RSA folder it is strongly suggested that you back up your current %appdata%\Microsoft\Crypto\RSA folder, since the restore replaces every key container the user has, not just the one CryptoDefense created. Also, if you are using EFS, be careful with restoring your RSA folder. At a bare minimum you must back up your certificates using the instructions in this Microsoft document.

To learn how to restore the RSA folder from the Shadow Volume Copies you can read this section:

How to restore files encrypted by CryptoDefense using Shadow Volume Copies

If you run into any problems or do not feel completely comfortable following these instructions on your own, please feel free to ask for more guidance in the CryptoDefense Support Topic.

How to export your key and decrypt from another computer

If you wish to decrypt encrypted files from another computer you will need to perform some additional steps. As decrypt_cryptodefense.exe will try to automatically retrieve the key from the infected computer, this will obviously not work if you run the program from a different computer. Instead you will first need to export the decryption key on the infected computer as a file called secret.key and then copy it to the computer where you wish to perform the decryption.

To do this, copy the CryptoOffense.exe file from the decrypt_cryptodefense.zip file to the infected computer. When logged in as the infected user, run the CryptoOffense.exe program. If everything works, you will see output like this:

CryptoOffense v1.0 - A CryptoDefense private key dumper - Use at your own risk!
Written by Fabian Wosar - Emsisoft GmbH - http://www.emsisoft.com

Found a key matching CryptoDefense characteristics! (2048, Not exportable)
Force exporting key 0x00169C18 to file secret.key ...
Patching CryptoAPI ... Success!
Writing 1176 bytes to file secret.key ... Success!

Press any key to close the application ...

You will now find a new file named "secret.key" in the same directory as the CryptoOffense.exe program you just ran. You can then copy that secret.key file to your decryption computer and place it in the same folder as the decrypt_cryptodefense.exe tool. Now when you run decrypt_cryptodefense.exe on the decryption computer it will automatically load the secret.key and allow you to decrypt the files.
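Before carrying secret.key to another machine it is worth confirming that the dump is a self-consistent RSA key. The Python below is an added example, not part of the guide and not Emsisoft's code: it parses the Microsoft CryptoAPI RSA PRIVATEKEYBLOB layout, which is the format a dumper of a CryptoAPI key would most plausibly write (an assumption; the page does not document the secret.key layout). A bare 2048-bit PRIVATEKEYBLOB is 1172 bytes (8-byte BLOBHEADER, 12-byte RSAPUBKEY, n and d at 256 bytes each, and five CRT values at 128 bytes each), four fewer than the 1176 bytes reported in the output above, so the parser searches for the "RSA2" magic instead of assuming it sits at offset 0. It then checks that p*q = n, that e*d = 1 modulo lambda(n), and that dP, dQ and qInv match d, which separates a good dump from a corrupted or wrong one. The toy key it builds for the demonstration uses small textbook primes and is not a real CryptoDefense key.

```python
import math
import struct

# Constants from Microsoft CryptoAPI (wincrypt.h).
PRIVATEKEYBLOB = 0x07
BLOB_VERSION = 0x02
RSA2_MAGIC = b"RSA2"              # DWORD 0x32415352 stored little-endian
CALG_RSA_KEYX = 0x0000A400
CALG_RSA_SIGN = 0x00002400


def blob_length(bitlen: int) -> int:
    """Size of a bare PRIVATEKEYBLOB for an RSA key of bitlen bits:
    8-byte BLOBHEADER, 12-byte RSAPUBKEY, then n and d at bitlen/8 bytes
    each and p, q, dP, dQ, qInv at bitlen/16 bytes each (1172 for 2048)."""
    return 8 + 12 + 2 * (bitlen // 8) + 5 * (bitlen // 16)


def parse_privatekeyblob(data: bytes) -> dict:
    """Locate and decode an RSA PRIVATEKEYBLOB inside data. The RSA2 magic
    is searched for rather than assumed at offset 0, so a few bytes of
    wrapping around the blob do not break parsing."""
    off = data.find(RSA2_MAGIC)
    if off < 8 or data[off - 8] != PRIVATEKEYBLOB:
        raise ValueError("no PRIVATEKEYBLOB header in front of RSA2 magic")
    _btype, version, _reserved, alg = struct.unpack_from("<BBHI", data, off - 8)
    _magic, bitlen, pubexp = struct.unpack_from("<4sII", data, off)
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN) or bitlen % 16:
        raise ValueError("header does not describe an RSA key")
    body = data[off + 12:]
    if len(body) < blob_length(bitlen) - 20:
        raise ValueError("blob truncated")
    full, half = bitlen // 8, bitlen // 16
    layout = (("n", full), ("p", half), ("q", half), ("dP", half),
              ("dQ", half), ("qInv", half), ("d", full))
    key, pos = {}, 0
    for name, size in layout:                 # every integer is little-endian
        key[name] = int.from_bytes(body[pos:pos + size], "little")
        pos += size
    key.update(bitlen=bitlen, e=pubexp, alg=alg, version=version)
    return key


def key_is_consistent(k: dict) -> bool:
    """Check the CRT components against n, e and d. A dump that fails this
    is either corrupted or not the key you think it is."""
    n, e, d, p, q = k["n"], k["e"], k["d"], k["p"], k["q"]
    if p < 2 or q < 2 or p * q != n or n.bit_length() > k["bitlen"]:
        return False
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # Carmichael lambda(n)
    return ((e * d) % lam == 1
            and k["dP"] == d % (p - 1)
            and k["dQ"] == d % (q - 1)
            and (k["qInv"] * q) % p == 1)


def build_privatekeyblob(p: int, q: int, e: int, alg: int = CALG_RSA_KEYX) -> bytes:
    """Serialise a private key in PRIVATEKEYBLOB layout; used here only to
    make a constructed toy blob for the demonstration."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    bitlen = -(-n.bit_length() // 16) * 16          # round up to a multiple of 16
    full, half = bitlen // 8, bitlen // 16

    def le(value: int, size: int) -> bytes:
        return value.to_bytes(size, "little")

    return (struct.pack("<BBHI", PRIVATEKEYBLOB, BLOB_VERSION, 0, alg)
            + RSA2_MAGIC + struct.pack("<II", bitlen, e)
            + le(n, full) + le(p, half) + le(q, half)
            + le(d % (p - 1), half) + le(d % (q - 1), half)
            + le(pow(q, -1, p), half) + le(d, full))


def inspect_key(data: bytes) -> dict:
    """One-call summary for the bytes of a secret.key file read from disk."""
    k = parse_privatekeyblob(data)
    return {"bitlen": k["bitlen"], "e": k["e"],
            "consistent": key_is_consistent(k),
            "is_rsa2048": k["bitlen"] == 2048}


if __name__ == "__main__":
    # Toy key from textbook primes, wrapped in four leading bytes to show the
    # magic search. Not a real CryptoDefense key.
    toy = b"\x00\x00\x00\x00" + build_privatekeyblob(61, 53, 17)
    print(inspect_key(toy))
```

For a real dump, `inspect_key(open("secret.key", "rb").read())` should report bitlen 2048 and consistent True; a False there means the file is not the intact key for this machine and carrying it to the decryption computer will not help.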

 

How to restore files encrypted by CryptoDefense using Shadow Volume Copies

If you had System Restore enabled on the computer, Windows creates shadow copy snapshots that contain copies of your files from the point in time when the system restore snapshot was created. These snapshots may allow you to restore a previous version of your files from before they were encrypted. This method is not foolproof, though, as even though these files may not be encrypted, they also may not be the latest version of the file. Also, CryptoDefense tries to clear these shadow copies, so they may not contain your documents after you become infected. Please note that Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, & Windows 8.

Note: Newer variants of CryptoDefense will attempt to delete all shadow copies when you first start any executable on your computer after becoming infected. Thankfully, the infection is not always able to remove the shadow copies, so you should continue to try restoring your files using this method.

In this section we provide two methods that you can use to restore files and folders from the Shadow Volume Copy. The first method is to use native Windows features and the second method is to use a program called Shadow Explorer. It does not hurt to try both and see which methods work better for you.

Using native Windows Previous Versions:

To restore individual files you can right-click on the file, go into Properties, and select the Previous Versions tab (a feature of Windows Vista and later). This tab lists all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up, as shown in the image below.

 

Previous Versions Tab for a file

 

To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to. If you wish to restore the selected file and replace the existing one, click on the Restore button. If you wish to view the contents of the actual file, you can click on the Open button to see the contents of the file before you restore it.

This same method can be used to restore an entire folder. Simply right-click on the folder and select Properties and then the Previous Versions tab. You will then be presented with a similar screen as above where you can either Copy the selected backup of the folder to a new location or Restore it over the existing folder.


Using Shadow Explorer:

You can also use a program called Shadow Explorer to restore entire folders at once. When downloading the program, you can either use the full install download or the portable version as both perform the same functionality.

When you start the program you will be shown a screen listing all the drives and the dates that a shadow copy was created. Select the drive (blue arrow) and date (red arrow) that you wish to restore from. This is shown in the image below.

Restoring files with Shadow Explorer

To restore a whole folder, right-click on a folder name and select Export. You will then be prompted as to where you would like to restore the contents of the folder to.

 

Information about the Malware Developer's CryptoDefense Decrypt Service Site

When you are infected with CryptoDefense, the infection will create How_Decrypt.txt and How_Decrypt.html files that contain information on how to pay the ransom. Below are the contents of the How_Decrypt.txt and How_Decrypt.html messages:

How_Decrypt.txt:

All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet;
the server will destroy the key after a month. After that, nobody and never will be able to restore files.

In order to decrypt the files, open your personal page on the site https://rj2bocejarqnpuhm.onion.to/XXX and follow the instructions.

If https://rj2bocejarqnpuhm.onion.to/XXX is not opening, please follow the steps below:

1. You must download and install this browser http://www.torproject.org/projects/torbrowser.html.en
2. After installation, run the browser and enter the address: rj2bocejarqnpuhm.onion/XXX
3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.

IMPORTANT INFORMATION:

Your Personal PAGE: https://rj2bocejarqnpuhm.onion.to/XXX
Your Personal PAGE(using TorBrowser): rj2bocejarqnpuhm.onion/XXX
Your Personal CODE(if you open site directly): XXX

How_Decrypt.html

How_Decrypt.Html file

The instructions tell the victim that in order to pay the ransom they need to go to a special Decrypt Service site where they can enter their personal code and access their payment page. This site can be accessed via the Tor address rj2bocejarqnpuhm.onion or, through the onion.to Tor2web gateway, via https://rj2bocejarqnpuhm.onion.to using a normal browser. When a user visits the Decrypt Service site they will be presented with a page that contains information about how much they need to pay to purchase the decryption program. The site also contains a Frequently Asked Questions page, a page that shows the screenshot of your active Windows screen from when you became infected, and a page where you can perform a test decryption on one file.

CryptoDefense Decrypt Service Site

In order to pay the ransom, you will need to send the requested bitcoins to the listed bitcoin address. Once you send the bitcoins you then need to submit the transaction ID on their site and click on the Pay button. Once the transaction has been verified you will be given a link where you can download the decryptor, which is shown below.

 

CryptoDefense Decryptor

 

When you run the decryptor it will read the registry to find files that need to be decrypted. If the registry entries do not exist it will prompt you to specify a folder to scan for encrypted files.

 

Known Bitcoin Payment addresses for CryptoDefense

CryptoDefense allows you to pay the ransom by sending bitcoins to an address shown on the CryptoDefense Decrypt Service page. Bitcoins are currently worth over $600 USD on some bitcoin exchanges. The Bitcoin address used by CryptoDefense to receive payments is:

https://blockchain.info/address/19DyWHtgLgDKgEeoKjfpCJJ9WU8SQ3gr27

You can use the link above to see transactions into and out of the wallet. You can typically tell which payments to this address are from ransom victims as there will be many payments of similar amounts.

 


 

Guide Updates:

03/19/14 - Initial guide creation
03/19/14 - Added additional info.
03/19/14 - Updated info about Shadow Volume Copies being deleted.
04/01/14 - Added info about decryption method.
04/04/14 - Added details about possible methods to decrypt files.

 


 

Associated CryptoDefense Files:

%UserProfile%\Desktop\HOW_DECRYPT.HTML
%UserProfile%\Desktop\HOW_DECRYPT.TXT
%UserProfile%\Desktop\HOW_DECRYPT.URL

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for Windows Vista/7/8, and c:\winnt\profiles\<Current User> for Windows NT.

 

Associated CryptoDefense Windows Registry Information:

HKEY_CURRENT_USER\Software\<unique id>
HKEY_CURRENT_USER\Software\<unique id>\PROTECTED
HKEY_CURRENT_USER\Software\<unique id> "finish" = "1"

 


 

This is a self-help guide. Use at your own risk.

BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.

If you have any questions about this self-help guide then please post those questions in our Am I infected? What do I do? and someone will help you.



© 2003-2014 All Rights Reserved Bleeping Computer LLC.