CryptoDefense

CryptoDefense Description

CryptoDefense, otherwise known as HOW_DECRYPT.txt Ransomware, is a PC infection that attacks all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. When a PC is contaminated with CryptoDefense Ransomware, the malware executes a variety of harmful actions on the computer system. CryptoDefense Ransomware encrypts the files on the infected computer and urges the victim to pay a supposed fine to decrypt them. CryptoDefense Ransomware also deletes all Shadow Volume Copies when it's launched, which means that the only way to restore the files is via backup. CryptoDefense Ransomware connects to the Command and Control (C&C) server and uploads a private key. CryptoDefense Ransomware deletes all Shadow Volume Copies so that the computer user cannot restore the files from the Shadow Volumes. This means that the computer user will only be able to restore the files by restoring from backup or paying the supposed fine. CryptoDefense Ransomware scans the PC and encrypts data files such as image files, text files, office documents, and video files. CryptoDefense Ransomware creates a screenshot of the computer user's active Windows screen and uploads it to the Command & Control server. This screenshot is embedded into the PC user's payment page on the Decrypt Service website.

This payment website is located on the Tor network, and the PC user can only make the payment in Bitcoins. In order to buy the decryptor for the files, the computer user needs to pay a supposed fine of 500 USD in Bitcoins. If the PC user does not pay the fine within 4 days, it will double to 1,000 USD. CryptoDefense Ransomware also declares that if the PC user does not buy a decryptor within one month, it will delete his private key and the computer user will no longer be able to decrypt the files. The files are encrypted using RSA-2048 encryption, which makes them impossible to decrypt via brute force methods. At the beginning of each encrypted file there are two strings of text. The first string is !crypted! and the second string is a unique identifier for the compromised PC. An example identifier is 18177F25DA00CD4CBC3D1b8B9F55F018. All encrypted files on the same PC will include the same unique identifier. This identifier is possibly used by the Decrypt Service website to recognize the private key that can be used to decrypt the files when executing a test decryption.
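The file header described above (the literal !crypted! marker followed by a 32-character hex identifier that is the same for every encrypted file on one machine) is enough to triage a disk without touching the malware itself. The following is an added example, not code from the original page: it reads only the first bytes of each file under a directory, groups hits by identifier, and builds a small constructed sample tree so it can be run offline.

```python
import os
import re
import tempfile
from collections import defaultdict

# Header described on the page: the literal marker followed by a 32-character
# hex identifier (the page's sample, 18177F25DA00CD4CBC3D1b8B9F55F018, is mixed case).
HEADER_RE = re.compile(rb"^!crypted!([0-9A-Fa-f]{32})")
HEADER_LEN = len(b"!crypted!") + 32

def parse_header(data: bytes):
    """Return the per-machine identifier if `data` starts with the header, else None."""
    m = HEADER_RE.match(data)
    return m.group(1).decode("ascii") if m else None

def scan_tree(root: str):
    """Walk `root`, read only HEADER_LEN bytes per file, return {identifier: [paths]}."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_LEN)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            ident = parse_header(head)
            if ident:
                hits[ident].append(path)
    return dict(hits)

def build_sample_tree():
    """Constructed sample data (not real victim files): two files tagged with the
    page's example identifier, one clean file, and one tagged with another identifier."""
    root = tempfile.mkdtemp(prefix="cryptodefense_demo_")
    sample = {
        "photo.jpg": b"!crypted!18177F25DA00CD4CBC3D1b8B9F55F018" + b"\x9a" * 16,
        "report.docx": b"!crypted!18177F25DA00CD4CBC3D1b8B9F55F018" + b"\x17" * 16,
        "notes.txt": b"plain text, untouched",
        "from_usb.xls": b"!crypted!" + b"A" * 32 + b"\x00" * 8,  # copied from another host
    }
    for name, body in sample.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root

def demo():
    """Scan the constructed tree and return {identifier: sorted file names}."""
    hits = scan_tree(build_sample_tree())
    return {k: sorted(os.path.basename(p) for p in v) for k, v in hits.items()}
```

More than one identifier in the report means files from several infected machines are mixed on the disk, which matters because the page states that the identifier ties the files to one private key.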


Technical Information

File System Details

CryptoDefense creates the following file(s):
  • %UserProfile%\Desktop\HOW_DECRYPT.URL
  • %UserProfile%\Desktop\HOW_DECRYPT.TXT
  • %UserProfile%\Desktop\HOW_DECRYPT.HTML

Registry Details

The following registry entries were found:
HKEY_CURRENT_USER\Software\[unique id]
HKEY_CURRENT_USER\Software\[unique id] "finish" = "1"
HKEY_CURRENT_USER\Software\[unique id]\PROTECTED

More Details on CryptoDefense

The following messages associated with CryptoDefense were found:
All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a month. After that, nobody and never will be able to restore files.
In order to decrypt the files, open your personal page on the site https://rj2bocejarqnpuhm.onion.to/XXX and follow the instructions.
If https://rj2bocejarqnpuhm.onion.to/XXX is not opening, please follow the steps below:
IMPORTANT INFORMATION:
Your Personal PAGE: https://rj2bocejarqnpuhm.onion.to/XXX
Your Personal PAGE(using TorBrowser): rj2bocejarqnpuhm.onion/XXX
Your Personal CODE(if you open site directly): XXX


3 Comments

  • Aldo says:

    Hi,

    I found the unique identifier on my computer. How do I use it to decrypt my files?

    Thanks

  • Robert says:

    Restorable from VSS via "restore previous version of file" using the "copy" option; when you select "keep both files" the file is renamed.

  • Chip Cooper says:

    Hi – I’m trying to recover pictures for a friend/client that were encrypted with CryptoDefense. I’ve removed the virus and think I’ve made a copy of the private key but I’m not sure how to use it to decrypt the files. Thanks for any help you can give. Chip Cooper
