Ramblings of an old Doc


Sorry to bring bad news, but it has gotten worse.

So how is it worse? CryptoDefender wipes out all Shadow Volume Copies (also called VSS or Volume Snapshot Service), and ransom demands are added to every folder containing encrypted files. So what does VSS do? It makes snapshots. Snapshots have two primary purposes: they allow the creation of consistent backups of a volume, ensuring that the contents cannot change while the backup is being made; and they avoid problems with file locking, the mechanism that restricts access to a file by allowing only one user or process access at any given time. By creating a read-only copy of the volume, backup programs are able to access every file without interfering with other programs writing to those same files.

Therefore, when CryptoDefender infects your system, the only backup you have is the last external one you made before the infection. This is why frequent backups are a good thing.
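A defender-side illustration of the point above, added here and not part of the original post: a small Python check over constructed Sysmon-style process-creation records that flags the commands used to wipe shadow copies and escalates when the parent process looks like a disguised attachment rather than a backup tool. The record fields, paths and file names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Users\doc\AppData\Local\Temp\invoice.pdf.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Users\doc\AppData\Local\Temp\invoice.pdf.exe"},
    {"Image": r"C:\Program Files\Backup\backup.exe",
     "CommandLine": "backup.exe --full D:",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Two well-known ways of wiping shadow copies; 'vssadmin list shadows' is benign and must not match.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]

# Double extension such as invoice.pdf.exe: the disguise the post describes for the mail attachment.
DOUBLE_EXTENSION = re.compile(r"\.(jpg|jpeg|png|pdf|docx?|xlsx?)\.(exe|scr)$", re.IGNORECASE)


@dataclass
class Alert:
    command_line: str
    parent_image: str
    suspicious_parent: bool  # True when the parent looks like a dropped payload, not a backup tool


def is_shadow_copy_deletion(command_line: str) -> bool:
    return any(p.search(command_line) for p in SHADOW_DELETE_PATTERNS)


def parent_is_suspicious(parent_image: str) -> bool:
    # Legitimate backup agents live under Program Files or System32; a parent in a
    # user-writable profile path or carrying a double extension should be escalated.
    lowered = parent_image.lower()
    in_user_path = "\\users\\" in lowered and ("\\appdata\\" in lowered or "\\temp\\" in lowered)
    return in_user_path or DOUBLE_EXTENSION.search(parent_image) is not None


def scan(events) -> List[Alert]:
    return [Alert(e["CommandLine"], e["ParentImage"], parent_is_suspicious(e["ParentImage"]))
            for e in events if is_shadow_copy_deletion(e["CommandLine"])]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print("ESCALATE" if a.suspicious_parent else "REVIEW", a.command_line, "<-", a.parent_image)
```

Shadow-copy maintenance by a known backup agent is normal; the value is in the pairing of the delete command with an unexpected parent, which is why the two signals are reported together.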

The original CryptoLocker targets text, picture, video, PDF and MS Office files. CryptoDefense, like CryptoLocker, encrypts these with a strong RSA-2048 key, which is hard to undo.

However, these are two distinct viruses and CryptoDefender is not a derivative of CryptoLocker.

So how does the infection happen? Through emails with a link or an attachment. They might (and do) look genuine, even adding “attachment scanned by” with the name of recognized antivirus software. Whether the attachment is labeled with a .jpg or .pdf extension (or poses as a special video player needed to view free online videos, or as a Flash update), it is in fact an exe file. Once run, it installs on the computer, encrypts the files and sends the key to the command and control computer; it also connects to four remote domains, sending basic information about the computer and a screen shot, which then appears on the payment screen (just to be more convincing, I suppose).

The victim then gets this notice:

Note that to deal with them and pay the ransom, the victim has to download the Tor browser, which keeps the criminals safer from surveillance.

For the first four days the price for the decryption key is $500 in Bitcoin. After that, the price rises to $1,000. If no payment is forthcoming, the key is destroyed…

So far CryptoDefender has passed its designers' tests in Great Britain, Canada and Australia. The USA is the main target, with Europe, Russia, the Middle East, China and Africa hit to a lesser degree.


The designers of CryptoLocker and CryptoDefender are making tens of thousands of dollars a month with these viruses.

So, it’s better to mouse over email links, and to send an email query to the sender (and look at the actual email address in the reply) before opening any picture, etc.

Also, it’s really good to make a bootable disk image at the end of work every day. If infected, wipe the disk and rebuild it using your full disk image.

There’s no solution yet for CryptoDefender as far as I can tell. None of the software cleaners for CryptoLocker will work with CryptoDefender. The most important thing in this situation is to ignore all unfamiliar emails; they typically report nonexistent purchases, deliveries, payments and similar things that could make one click on the malicious link.

UPDATE:

There's a very interesting angle to this follow-up. It turns out that Emsisoft got wind of this virus early on and did some research on it. They actually found a way to decrypt the encrypted files and quietly put out a help offer for folks on various forums. This enraged the author of the virus (or the criminals who bought it and distributed it), and Emsisoft was subjected to an attack, which they sidestepped through filtering.

Then a rival antivirus firm revealed a bit too much of the method Emsisoft used to decrypt the files encrypted by the virus, and that resulted in the criminal fixing the hole in his ransomware.

You can read about the episode here: 

http://blog.emsisoft.com/2014/04/04/cryptodefense-the-story-of-insecure-ransomware-keys-and-self-serving-bloggers/?ref=ticker140407&utm_source=newsletter&utm_medium=newsletter&utm_content=onlineversion&utm_campaign=ticker140407

Sources:

http://www.2-spyware.com/remove-cryptodefense.html

http://www.2-spyware.com/news/post2463.html

http://techtalk.pcpitstop.com/2014/04/03/worse-cryptolocker/?knowbefor-cryptodefense=

http://blog.emsisoft.com/2014/04/04/cryptodefense-the-story-of-insecure-ransomware-keys-and-self-serving-bloggers/?ref=ticker140407&utm_source=newsletter&utm_medium=newsletter&utm_content=onlineversion&utm_campaign=ticker140407

Comments (Page 2)
on Apr 08, 2014

Quoting Jafo, reply 10

Quoting heft, reply 9

pardon my ignorance, but how does one make a bootable disk image?

Means a full system [os] disk image...the sort of thing that can be restored via recovery media [dvd] to a normal boot OS....[or can be mounted as a VM]...
What program would I use?

Sorry I asked this question. I was being lazy.

So I researched a little bit. It turns out I can use a free program I already have: imgburn. And there are lots of YouTube vids that give instructions on how to do it. 

on Apr 09, 2014

Terrorists, schmerrorists.

It's good for one thing - users will learn to do incremental backups of their critical files on a physically separate device. It's easy with today's NAS home servers, start today, so you don't have to learn the hard way. 

on Apr 10, 2014



Quoting kku, reply 5
The sophistication of CryptoDefender and CryptoLocker indicates state sponsored viruses. I would guess that either China or North Korea are behind it, but I wouldn't eliminate the NSA from the short list!

May I interest you in my latest range of tinfoil headwear?....

China isn't going to jeopardize its international trade with anything so stupid...

...and Nth Korea hasn't got the technology....they can't even get a half-decent barber to cut that idiot ruler's hair....

You must be thinking about some other country with incompetent hair stylists. The DPRK has developed a working nuclear capability as well as an intermediate missile delivery system. The DPRK is quite capable of developing computer and biological viruses.

on Apr 10, 2014

The DPRK

Nope...that'll be the DSRNK ...aka Dip Shit Run North Korea. [by, not of].

Their 'capability' is measured by whatever excuses the West [aka US] needs to justify blasting them back into the stone age.

Beyond that creature that runs the country...the rest of the population is hanging out to embrace Maccas and Vegas dross just the same as the the rest of the great over-fed.

The 'world police' are always looking for excuses to justify their obscene military budgets...and test out the new kit they got..... NK will just be the next...since Afghanistan is soo yesterday...

on Apr 10, 2014

It is, kku. It's also quite difficult (if not impossible) to identify the source (the actual attacker) beyond the server source which won't be in the country initiating the attack.

For the ransomware though, to me it's more likely that it's criminal activity rather than spying (not that NK/China aren't engaged in criminal operations).

As for Jafo's last reply, can't say I wouldn't mind seeing their disgusting leaders/generals and politicians disappeared. The lives of the people of that country are pitiful.

 

on Apr 10, 2014

I agree that crypto yada smacks of a criminal source rather than a state source. It's too widely and wildly spread to be an instrument of a specific state. Seth, thanks for info - I need to set up a back up system...

on Apr 10, 2014

ElanaAhova
Seth, thanks for info - I need to set up a back up system...

Sooner...

There IS NO later ...

on Jun 18, 2014

Followed your link (I really have to visit JU more often).  Ouch!  Looks like my client got very lucky (although I was surprised it worked).  As I indicated, the network shares were fine due to a back up, but very few back up their personal computers.  And Churches are not known for their largess in salaries (unless your name is Jim Bakker ).

on Dec 18, 2014



Quoting kku,

The sophistication of CryptoDefender and CryptoLocker indicates state sponsored viruses. I would guess that either China or North Korea are behind it, but I wouldn't eliminate the NSA from the short list!



May I interest you in my latest range of tinfoil headwear?....

China isn't going to jeopardize its international trade with anything so stupid...

...and Nth Korea hasn't got the technology....they can't even get a half-decent barber to cut that idiot ruler's hair....

 

The recent Sony hack that is now being attributed to North Korea would seem to prove that I was right!

on Dec 18, 2014

kkunderwood

The recent Sony hack that is now being attributed to North Korea would seem to prove that I was right!

No...it would only indicate that the NKs sponsor state crime and terrorism, not necessarily CryptoLocker nor CryptoDefender.

on Dec 18, 2014

unfortunately, since all first-world nations have/do engage in state-sponsored cyber 'warfare/terrorism' it was really only a matter of time until others joined in. 

Welcome to the new age of warfare. Perhaps the next call of duty game will be called "Call of Duty: Cyberwarfare" ....lol

on Dec 18, 2014

the_Monk

Perhaps the next call of duty game will be called "Call of Duty: Cyberwarfare" ....lol

"Call Of Duty: Let's Nuke NK"

Subtitled "Oops, done that."

 

Probably just US Foreign Policy ...
