CryptoDefense ransomware attacks 100 countries but has 'fatal flaw'

The US and UK are the biggest targets of CryptoDefense, a major new ransomware campaign that has stolen over £20,000 in its first month - but which has one major design flaw.

CryptoDefense ransomware attacks 100 countries but has 'fatal flaw'
CryptoDefense ransomware attacks 100 countries but has 'fatal flaw'
CryptoDefense was first spotted on February 28 by researchers at Symantec, and by April 1 it had infected more than 20,000 computers in over 100 countries and succeeded in collecting more than $34,000 (approximately £20,440) in ransom payments. 

Around three-quarters of the computers infected were in the US, with the UK being the next biggest target with 1,556 victims, closely followed by Canada, Australia and Japan.

The malware demands $500 (£300) or €500 (£415) in bitcoins, to be paid within four days or the amount doubles. It is delivered by getting users to click on email attachments, which are sent from multiple locations and IP addresses. Because of this, and because payments are made through the anonymous Tor network, Symantec have not been able to identify the criminals behind it.

In a March 31 blog post, the company explains: “CryptoDefense is a sophisticated hybrid design incorporating a number of effective techniques previously used by other ransomcrypt malware authors. These include the use of Tor and Bitcoins for anonymity, public-key cryptography using strong RSA-2048 encryption, and the use of pressure tactics such as threats of increased costs if the ransom is not paid within a short period of time.” 

The campaign is so similar to the infamous CryptoLocker Trojan that Symantec initially thought they were one and the same – but the CryptoDefense criminals have made the mistake of leaving a copy of the ‘private key' needed to unlock it on the victim's computer, so that security professionals should be able to rescue any user within their organisation who is infected. 

With Cryptolocker, the private key was only ever found on servers controlled by the attacker, leaving the attackers in full control. 

Speaking to SCMagazineUK.com, Symantec threat analyst Alan Neville confirmed: “For network administrators, if they are hit with this threat, then identifying the private key on the machine and utilising that to decrypt the data will retrieve the data - and that is something they should be doing.” 

He said RSA-2048 private key decryption tools are available on the internet, adding: “Symantec are looking at the possibility of releasing a fix tool - it's probably something we'll be looking at in the future once we get a better kind of overview of the infection.”

Security expert Rorie Hood, a consultant with global information security firm MWR InfoSecurity, confirmed: “The Achilles heel of CryptoDefense is that it leaves the private key on the victim's machine. The result of this is that the victim can potentially retrieve their files without paying the ransom.”

Hood told SCMagazineUK.com: “While the average user may not be aware that they could retrieve the files themselves, vigilant security professionals will be able to decrypt the files that CryptoDefense has targeted.” 

He added: “Security professionals should take it as another opportunity to reinforce to users that they should take precautions when opening untrusted files.”

Hood said CryptoDefense has some way to go to match CryptoLocker, which by the end of 2013 had infected over 250,000 computers. The volume of infections might increase, he said, but with the opportunity for users to decrypt their own files, the percentage of infected users paying the ransom will likely drop.

Symantec's Neville added: “There is no kind of consistency in terms of targets, it seems to be spread out across different industries. The email itself is quite generic.”

CryptoDefense's authors go so far as to ‘help' users by providing instructions on how to download a Tor-ready browser and enter the unique Tor payment web page address. They also offer proof of infection through a ‘My screen' button on the payment page that shows a screenshot of the user's compromised desktop. 

Initially, they offered proof that decryption would work by allowing the victim to decrypt one file through a ‘Test decrypt' button – but Neville said this has been withdrawn since Symantec wrote its initial blog post.

He said: “They generally provide a lot of information in utilising this kind of decryption service because they want you to pay, so they want to make it very clear and explicit.”