A new piece of ransomware is targeting gullible users, but its developers have made a critical mistake that should allow users to decrypt the affected files without paying the demanded ransom.
That ransomware is extremely effective and nets considerable money to the criminals that wield it is not news, and it consequently shouldn’t come as a surprise that they are trying to copy the success of Cryptolocker.
CryptoDefense – as the new “ransomcrypt” malware has been dubbed – was first spotted in late February 2014, and currently predominantly targets mostly usersin the US, UK, Canada and Australia.
“Using the Bitcoin addresses provided by the malware authors for payment of the ransom and looking at the publicly available Bitcoin blockchain information, we can estimate that this malware earned cybercriminals over $34,000 in one month alone (according to Bitcoin value at time of writing),” Symantec researchers shared.
The malware arrives on the victims’ computer via spam email. As they open the malicious attachment, the malware is installed and contacts a C&C server. This triggers the encryption and the generation of a private decryption 2,048-bit RSA key that is then sent to the C&C.
The malware then shows the ransom message:
As you can see, it threatens to destroy the key after a month, and instructs the victims to access their personal page via the Tor network – it also explains how to do this.
Once the victims land on this anonymous payment web page, they are urged to pay 500 US dollars or Euros to get the decryption key, and are threatened with a 100 percent increase of the ransom if they don’t pay up by a specific date.
“The cybercriminals offer proof through a ‘My screen’ button, included on the payment page, that they have compromised the user’s system by showing the uploaded screenshot of the compromised desktop. They also offer further proof that decryption is feasible by allowing the victim to decrypt one file through the ‘Test decrypt’ button. They then proceed to educate their victim on how to get hold of Bitcoins to pay the ransom,” the researchers point out.
Still, with all these precautions, the criminals have made one crucial mistake: a copy of the private decryption key that is created on the infected computer – via Microsoft’s own cryptographic infrastructure and Windows APIs – remains on it even after it is sent to the C&C server. Users can find it in the Application Data > Application Data > Microsoft > Crypto > RSA folder.
This is good news for those who haven’t already paid the ransom, but this situation will not likely remain the same for long, as the developers of the malware are expected to soon fix the glitch.
Still, this is the perfect moment for deciding to make a regular backup of all your important data, so that even if you get hit with this or any other type of crypto-ransomware, you can always wipe your computer and restore the files.