Ramblings of an old Doc

 

Sorry to bring bad news, but it has gotten worse.

So how is it worse? CryptoDefender wipes out all Shadow Volume Copies (also called VSS or Volume Snapshot Service) and ransom demands are added to every file containing encrypted files. So what does VSS do? It makes Snapshots. Snapshots have two primary purposes: they allow the creation of consistent backups of a volume, ensuring that the contents cannot change while the backup is being made; and they avoid problems with file locking which is a mechanism that restricts access to a computer file by allowing only one user or process access at any specific time. By creating a read-only copy of the volume, backup programs are able to access every file without interfering with other programs writing to those same files.

Therefore, when CryptoDefender infects your system, the only backup you have is the last external one you made before the infection. This is why frequent backups are a good thing.

The original CryptoLocker targets files are text, picture, video, PDF and MS Office files. CryptoDefense like CryptoLocker, encrypts these with a strong RSA-2048 key which is hard to undo.

However, these are two distinct viruses and CryptoDefender is not a derivative of CryptoLocker.

So how does the infection happen? Through emails with a link or an attachment. They might (and do) look genuine, even adding “attachment scanned by” with recognized antiviral software. Whether the attachment is labeled with a .jpg or .pdf extension, (as well as special video players needed to view free online videos or Flash updates), it is in fact an exe file which installs on the computer, encrypts the files and sends the key to the command and control computer and also connects to four remote domains sending basic information about the computer and a screen shot of the computer which appears on the payment screen (just to be more convincing, I suppose).

The victim then gets this notice:

Note, to deal with them and make the payment of the ransom, the victim has to download the Tor browser to make the criminals safer from surveillance.

For the first four days the price for the decryption key is $500 in Bitcoin. After that, the price rises to $1,000. If no payment is forthcoming, the key is destroyed…

So far the CryptoDefender has passed its designers tests in Great Britain, Canada and Australia, the USA is the main target, Europe, Russia, the Middle East, China, and Africa to a lesser degree.

 

The designers of CryptoLocker and CryptoDefender are making tens of thousands of dollars a month with these viruses.

So, it’s better to mouse over email links, and it’s better to send an email query to the sender (and look at the actual email address in the reply), before opening any picture, etc.

Also, it’s really good to make a bootable disk image at the end of work everyday. If infected, wipe the disk and rebuild it using your full disk image.

There’s no solution yet for CryptoDefender as far as I can tell. None of the software cleaners for CryptoLocker will work with CryptoDefender. The most important thing in this situation is to ignore all unfamiliar emails that typically report about nonexisting purchases and deliveries, payments and similar things could make one click on the malicious link.

UPDATE:

There's a very interesting angle to this follow up. It turns out that Emsisoft got wind of this virus early on and did some research on it. They actually found a way to decrypt the encrypted files and quietly put out a help offer for folks on various Forums. This enraged the author of the virus (or the criminals who bought it and distributed it) and Emisoft was subjected to an attack which they sidestepped through filtering. 

Then, a rival antiviral firm revealed a bit too much of the method emsisoft used to decrypt the files encrypted by the virus and that resulted in the criminal fixing the hole in his ransomware.

You can read about the episode here: 

http://blog.emsisoft.com/2014/04/04/cryptodefense-the-story-of-insecure-ransomware-keys-and-self-serving-bloggers/?ref=ticker140407&utm_source=newsletter&utm_medium=newsletter&utm_content=onlineversion&utm_campaign=ticker140407

 

 

Sources:

http://www.2-spyware.com/remove-cryptodefense.html

http://www.2-spyware.com/news/post2463.html

http://techtalk.pcpitstop.com/2014/04/03/worse-cryptolocker/?knowbefor-cryptodefense=

http://blog.emsisoft.com/2014/04/04/cryptodefense-the-story-of-insecure-ransomware-keys-and-self-serving-bloggers/?ref=ticker140407&utm_source=newsletter&utm_medium=newsletter&utm_content=onlineversion&utm_campaign=ticker140407

 


Comments (Page 1)
on Apr 06, 2014

These people should be treated as terrorists. What a thing to do to people.

 

Thanks for the info, although, on my dial up. I may be safer than you all, I rarely open mail and download at home, that is what my laptop is for, and it is disposable as far as what is on it. Just daily stuff, no long term.

How  this can not be tracked is beyond me, seems the criminals spend more time learning than those protecting us. Or, the criminal mind is somewhat craftier. So sad.

 

 

Forgot to say Thanks, Thanks DrJBL.

on Apr 06, 2014

Thanks for the info. Much appreciated

on Apr 06, 2014

I open only emails from family and friends, and the newsletters I subscribe to, other than that, all unsolicited mail goes to my junk folder and is instantly deleted.

However, this is useful information that will prove beneficial for warning ohers, or if they become infected.

Thanks, Doc.

on Apr 06, 2014

Welcome, fellas.

on Apr 06, 2014

The sophistication of CryptoDefender and CryptoLocker indicates state sponsored viruses. I would guess that either China or North Korea are behind it, but I wouldn't eliminate the NSA from the short list!

on Apr 06, 2014

"Hello, IRS?  NSA here.  kku."

on Apr 06, 2014

elete...delete...delete.

on Apr 06, 2014


The sophistication of CryptoDefender and CryptoLocker indicates state sponsored viruses. I would guess that either China or North Korea are behind it, but I wouldn't eliminate the NSA from the short list!

May I interest you in my latest range of tinfoil headwear?....

China isn't going to jeopardize its international trade with anything so stupid...

...and Nth Korea hasn't got the technology....they can't even get a half-decent barber to cut that idiot ruler's hair....

on Apr 06, 2014

pardon my ignorance, but how does one make a bootable disk image?

on Apr 06, 2014

pardon my ignorance, but how does one make a bootable disk image?

Means a full system [os] disk image...the sort of thing that can be restored via recovery media [dvd] to a normal boot OS....[or can be mounted as a VM]...

on Apr 06, 2014



Quoting heft, reply 9pardon my ignorance, but how does one make a bootable disk image?

Means a full system [os] disk image...the sort of thing that can be restored via recovery media [dvd] to a normal boot OS....[or can be mounted as a VM]...

What program would I use?

 

on Apr 06, 2014

kku, the CryptoDefender (and CryptoLocker) are designed to extort money. Period.

The NSA is interested in penetration and surveillance of computer systems, communications nets and everything that goes across them.

It has no interest in extorting monies.

on Apr 06, 2014

..and Nth Korea hasn't got the technology....they can't even get a half-decent barber to cut that idiot ruler's hair...

You shouldn't criticise the imbecilic jerk like that... you know how the twerp likes to execute people who criticise or tell the truth about him, being the blood thirsty wanker he is.

As for the haircut... they just stick a bowl on his head and lop of anything that sticks out.  However, that's not gonna work for much longer unless they get larger bowls - humongous bowls, even - cos his head's swelling by the day with all that power he inherited but was never qualified or equipped to take on.  Frankly, had I been his father, I wouldn't have left him in charge of a worm farm all the residents had emigrated from.

on Apr 07, 2014

Please note, the OP has been updated. That update and the link to the story are at the bottom of the OP.

on Apr 07, 2014

ROFL about the idiot who created cryptodefender. Pity someone had to spill the beans on it, but it was bound to happen.

Meta
Views
» 13620
Comments
» 27
Sponsored Links