How to recover data encrypted by CryptoDefense ransomware

happygeek 2 Tallied Votes 954 Views Share

Last year, CryptoLocker ransomware hit the headlines after infecting hundreds of thousands of computers and encrypting the data, and backups of that data to any connected device, with the promise of decryption on payment of a fee. This kind of IT extortion is profitable for the bad guys as it targets the people who are least likely to be in a position to do anything but pay; the people who are most likely to get infected are the same folk who are least likely to have an offsite backup or know how to get help with such a problem. This year we have CryptoDefense doing much the same thing, and already apparently infecting and encrypting many tens of thousands of victims. It targets the same victim profile, although in truth as with all such malware a scattergun approach to infection/distribution is employed; the targeting is in terms of who is most likely to pay up once infected. CryptoDefense hits text files, PDFs and Office files, images and video which are encrypted using a RSA-2049 key making it all but impossible recover data without that key. Like CryptoLocker before it, it also looks to disable backup and this time it appears to wipe out any shadow copies of data before encryption and putting up the ransom notice for a $500 unlocking fee.

So what can you do? Well you can avoid being infected in the first place, that's the most valuable piece of advice. Ensure you have up to date security protection on your device, and don't get caught out by phishing attacks which use the 'open this' or 'click here' method of attack. CryptoDefense originally infected victims by getting them to install a bogus Flash update or video codec when they tried to view some spurious video footage or other, but is understood to have morphed to the other phishing methodologies by now.

So what if you have been infected? Well, with sophisticated ransomware you generally have only two options: pay the ransom or reformat and backup. The former is a contentious issue, with some security experts recommending paying up and trusting the criminals not to abuse your credit card data and to provide you with a working key. I am not in that camp, and wonder why I would trust someone who has already blackmailed me into paying a fee like this and who obviously doesn't care if I get my data back or not? The second option isn't always much better either as it relies upon many variables, including whether your backup data has been infected/encrypted, whether your PC is accessible enough to perform a full reformat and start again, and so on. In the case of CryptoDefense there is a third way, for a lucky (or should I say unlucky) few whose computers were infected before April 1st, 2014.

Whereas CryptoLocker generated the RSA key pair on the remote command and control server, CryptoDefense initially used the Windows CryptoAPI instead. What the criminals didn't bargain for was that this would create a local copy of the RSA keys, meaning that the key to unlock the encrypted data didn't need a ransom paying at all as it was sitting right there on the user's system itself. Security researchers quickly developed tools that would look for and retrieve this key, and unlock the CryptoDefense encrypted data. Job was a good one, with the folk at in the Emsisoft Malware Research Team who developed this tool seeking out victims and helping them in private so as not to tip the hand of the malware creators to the mistake. Other researchers and vendors were not quite so careful, and after Symantec went public with the news that it had found the keys on victim's computers the CryptoDefense developer started distributing an amended version of the malware which removed the keys. So, if you were infected before April 1st then the Emsisoft decryptor might still be able to help you.

Download the zip file to your desktop and extract all. The folder it installs has two files, CryptoOffense.exe that is sued to extract the encryption key to a secret.key file which is used if you want to decrypt the encrypted files on a different computer. Otherwise, the other file called decrypt_cryptodefense.exe will be the one you want. Double-clicking this, when logged into the infected machine, starts the decryptor tool running. It searches for folders with encrypted files and simple hitting the Decrypt button will set it off looking for the decryption key. If found, the decryption process will start automatically. If the 'No Key Found' alert is displayed instead, then I'm afraid you are out of luck and your data is probably lost.

gerbil 216 Industrious Poster

Well, hats off to Symantec for proving that average is not beyond reach.

Fadabi 0 Newbie Poster

i have infected after 1st april what can i do.

jnneson 13 Light Poster

Thank you so much for this post...

john.lock 0 Newbie Poster

My files were encrypted at April 16th by CryptoDefense.

In order to decrypt the files - I paid the ransom 1.09 BTC using localbitcoins.com to 1gh3FceXSM... (April 18th - within the period of 4 days).

I entered the Transaction ID (TXID) bd6019ba869446c9ecff... to https://rj2bocejarqnpuhm.browsetor.com/2j...
The transaction is confirmed for 34 times but page shows the payment as Status Invalid. http://pbrd.co/1gODgc3

I tried to enter the same TXID to the browsetor.com page to refresh the status of the payment, but page shows message "This Transaction ID already exists". http://pbrd.co/1gOD0tK

Now the page is unavailable (Tor2web Error: Generic Sock Error) even using TorBrowser (Unable to connect).

Is there anyone else with similar experience?
Is someone succeeded the payment and decryption process after April 1st?
Thank You

gerbil 216 Industrious Poster

I see your pain there. I've not read of anyone successfully paying for a working key.
This only serves to reinforce my monthly (or so) practice of making images of all partitions, and then putting the image drive offline. I do daily backups, too, but they are online, and so fraught.
If they've done over the US army, I wonder how long it will be before a cloud gets rained upon...?

Subraa_1 0 Newbie Poster

CryptoDefense and ransomware are of same family..

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

CryptoDefense is a type of ransomware. Yes. As the editorial makes quite clear. So your point is?

Subraa_1 0 Newbie Poster

Wanna summarize the point discussed in the article and the same precaution should be taken for CryptoDefense as in ransomware.

Having done few research on ransomware and few on CryptoDefense [ after reading this article] - I feel CryptoDefense has less negative effect than ransomware [ my point of view - correct me if I'm wrong]

Thank you for considering my comment a reasonable one!

Subraa_1 0 Newbie Poster

An additional point being - Ransomware related attacks originates from Teamviewers and Emails.

Being precautious in these 2 source of attack - reduces the chance of of being infected.

Hope this helps!

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

the same precaution should be taken for CryptoDefense as in ransomware.

Uh-huh. Because CryptoDefense is ransomware. I'm still not sure what point you are trying to make here...

happygeek 2,411 Most Valuable Poster Team Colleague Featured Poster

Ransomware related attacks originates from Teamviewers and Emails

WannaCry didn't...

Jessica_16 0 Junior Poster in Training

Would be possible to loss data when you decrypt files that are affected by ransomware?

rproffitt 2,565 "Nothing to see here." Moderator

Would be possible to loss data when you decrypt files that are affected by ransomware?

Absolutely. Yes. Yup. No question. Take it to the bank.

In other words, this is why you read folk talk and write so much about backups. Let me quote my friends here:

We only lose what we don't backup.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.