
Your files got encrypted by a RANSOMWARE!

On March 14, 2014 I got infected by a piece of ransomware, a malicious program that encrypts your files upon infection and demands a payment in order to recover them. This particular malware, called CryptoDefense, creates the following files after it has encrypted all your videos, music and documents: "HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML" and "HOW_DECRYPT.URL", hence the name of this blog.


Screenshot of files on Windows 7
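As an added example (not the author's code), here is a small Python sweep that looks for exactly those three note files across a folder tree, the way a defender would when triaging which folders the malware actually touched; the directory layout it scans is a constructed sample built in a temp directory, not real victim data.

```python
"""Added example: sweep a folder tree for CryptoDefense ransom-note files."""
import os
import tempfile

# The three note files the post says CryptoDefense drops in each folder it encrypts.
NOTE_NAMES = {"HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL"}


def find_note_dirs(root):
    """Map each directory under root holding at least one ransom note
    (matched case-insensitively) to the set of note names found there.
    Keys are root-relative paths with '/' separators."""
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        found = {name.upper() for name in filenames} & NOTE_NAMES
        if found:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            hits[rel] = found
    return hits


def count_touched_files(root):
    """Count regular files sitting next to a ransom note: a rough upper
    bound on how many user files in the tree were encrypted."""
    total = 0
    for rel in find_note_dirs(root):
        folder = os.path.join(root, rel)
        total += sum(1 for n in os.listdir(folder)
                     if n.upper() not in NOTE_NAMES
                     and os.path.isfile(os.path.join(folder, n)))
    return total


def build_sample_tree():
    """Build a throwaway tree mimicking an infected profile (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="cryptodefense_demo_")
    layout = {
        "Documents": ["report.docx", "budget.xlsx", "HOW_DECRYPT.TXT",
                      "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL"],
        "Pictures/2014": ["IMG_001.jpg", "how_decrypt.txt"],  # lowercase note
        "Music": ["song.mp3"],  # clean folder: no note dropped here
    }
    for rel, names in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder)
        for name in names:
            open(os.path.join(folder, name), "w").close()
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for folder, notes in sorted(find_note_dirs(sample).items()):
        print(f"{folder}: {', '.join(sorted(notes))}")
    print("files next to a note:", count_touched_files(sample))
```

Point find_note_dirs at a real user profile to get the list of folders to restore from backup first.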


The text in these files reads:


All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key. 
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a month. After that, nobody and never will be able to restore files.
In order to decrypt the files, open your personal page on the site https://*************.onion.to/**** and follow the instructions.
If https://***********.onion.to/**** is not opening, please follow the steps below: 
1. You must download and install this browser http://www.torproject.org/projects/torbrowser.html.en

2. After installation, run the browser and enter the address: ***************.onion/***. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.
IMPORTANT INFORMATION:
Your Personal PAGE: https://************m.onion.to/***
Your Personal PAGE (using TorBrowser): ***********.onion/***
Your Personal CODE (if you open site directly): ****

Damn!

As you have probably figured out, if you have seen this on your computer you are screwed, unless you are willing to pay the ransom they ask for (around $300) in order to receive the program that restores your files, their so-called "Decryption Service".
But guess what: based on many victims' reports, not all of them were lucky enough to receive it after payment. So it's up to you whether to pay for your beloved data or not (personally, I wouldn't. SCREW THEM!).

Can I somehow crack/get the decryption private key without paying?

No. The computational power required to crack or brute-force a 2048-bit RSA key in less than thousands of years is currently unavailable (and unimaginable) by today's technological standards, even for the supercomputers used in biomolecular research and weather forecasting. However, I've found vulnerabilities in the malware itself: not in the RSA-2048 algorithm, but in its faulty implementation.

Just to give you an idea: Julian Assange (WikiLeaks founder and author) encrypted 21% of that mega-archi-controversial WikiLeaks file with a comparatively small AES 256-bit key as an insurance. Insurance, you may wonder? Yes! If something bad were to happen to him, a handful of his friends who possess the key would publish it, and then everyone who had downloaded the WikiLeaks file would finally be able to read beyond the 79% of it. Crazy, huh? And it's just 256 bits...

In short: Without the key, you cannot restore your files in this life. Period. 

What about you? What can you do?

First and foremost, update your antivirus and scan your entire system in search of this malware. If you have no antivirus, or if nothing was found, then download the removal tool from Bit-Defender HERE. At least it will prevent future attacks by this malware.

Hold on a second: Good news!

Use the Cloud! (Dropbox, for example)

Upload your pictures, videos and music to safe storage on the net. These services are run and managed by professionals 24/7.

Burn DVDs and Blu-rays

Regularly back up your files to these disks. Once they safely land on their surface, no virus in the world can damage them.

Comments

  1. I was infected on my work computer, I assure you I was not on an adult site either. My Dropbox files were also corrupted, not all of them but most of them; my laptop hard drive, my personal network drive, and the shared network drive have files that were corrupted. I am frustrated because we (county-wide tech support) can't figure out where it came from.

  2. They seem to originate from Russia. Are you sure you have exactly what this post describes? If not, there may be other ways out.
