CryptoDefense

Threat Scorecard

Threat Level: 10 % (Normal)
Infected Computers: 34
First Seen: March 24, 2014
Last Seen: April 19, 2023
OS(es) Affected: Windows

CryptoDefense, otherwise known as HOW_DECRYPT.txt Ransomware, is a PC infection that attacks all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. When a PC is infected with CryptoDefense Ransomware, the malware executes a variety of harmful actions on the computer system. CryptoDefense Ransomware encrypts the files on the infected computer and urges the victim to pay a supposed fine to decrypt them. CryptoDefense Ransomware also deletes all Shadow Volume Copies when it is launched, so the computer user cannot restore the files from the Shadow Volumes; the only way to restore the files is from a backup or by paying the supposed fine. CryptoDefense Ransomware connects to the Command and Control (C&C) server and uploads a private key. CryptoDefense Ransomware scans the PC and encrypts data files such as image files, text files, office documents, and video files. CryptoDefense Ransomware takes a screenshot of the computer user's active Windows screen and uploads it to the Command & Control server. This screenshot is embedded into the PC user's payment page on the Decrypt Service website.

This payment website is located on the Tor network, and the PC user can only make the payment in Bitcoins. To buy the decryptor for the files, the computer user must pay a supposed fine of 500 USD in Bitcoins. If the PC user does not pay the fine within 4 days, it doubles to 1,000 USD. CryptoDefense Ransomware also declares that if the PC user does not buy a decryptor within one month, it will delete the private key and the computer user will no longer be able to decrypt the files. The files are encrypted using RSA-2048 encryption, which makes them impossible to decrypt via brute force methods. At the beginning of each encrypted file there are two strings of text. The first string is !crypted! and the second is a unique identifier for the compromised PC. An example identifier is 18177F25DA00CD4CBC3D1b8B9F55F018. All encrypted files on the same PC include the same unique identifier. This identifier is possibly used by the Decrypt Service website to recognize the private key that can decrypt the files when executing a test decryption.
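A defender-side triage script for the file header layout described above (an added example, not code from the original page): it checks a file's first bytes for the !crypted! marker, extracts the 32-character identifier, groups encrypted files by that identifier, and flags the HOW_DECRYPT ransom notes listed in the File System Details section. The assumption that the identifier sits within 64 bytes of the marker, and the constructed sample directory, are mine.

```python
import os
import re
import tempfile

# Header layout described on the page: "!crypted!" then a 32-hex-char id shared by all files on one PC.
MARKER = b"!crypted!"
ID_RE = re.compile(rb"[0-9A-Fa-f]{32}")
HEADER_LEN = len(MARKER) + 64  # assumption: id sits within 64 bytes of the marker
NOTE_NAMES = {"HOW_DECRYPT.URL", "HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML"}  # from the page

def victim_id_from_header(header: bytes):
    """Return the victim identifier if the header carries the marker, else None."""
    if not header.startswith(MARKER):
        return None
    m = ID_RE.search(header, len(MARKER), HEADER_LEN)
    return m.group(0).decode("ascii") if m else None

def scan_tree(root: str):
    """Walk root; return (dict victim_id -> sorted encrypted paths, sorted note paths)."""
    encrypted, notes = {}, []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.upper() in NOTE_NAMES:
                notes.append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    header = fh.read(HEADER_LEN)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            vid = victim_id_from_header(header)
            if vid:
                encrypted.setdefault(vid, []).append(path)
    return {k: sorted(v) for k, v in encrypted.items()}, sorted(notes)

def build_sample_tree():
    """Constructed sample directory: two encrypted files, one clean file, one note."""
    root = tempfile.mkdtemp(prefix="cryptodefense_")
    sample_id = b"18177F25DA00CD4CBC3D1b8B9F55F018"  # example id quoted on the page
    os.makedirs(os.path.join(root, "Pictures"))
    for rel in ("Pictures/holiday.jpg", "report.docx"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(MARKER + sample_id + b"\x00" * 128)  # constructed ciphertext body
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, not touched by the malware")
    with open(os.path.join(root, "HOW_DECRYPT.TXT"), "w") as fh:
        fh.write("All files ... are encrypted by CryptoDefense Software.")
    return root
```

Calling `scan_tree(build_sample_tree())` returns the two marked files under the page's example identifier plus the one ransom note, while the clean file is ignored.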

File System Details

CryptoDefense may create the following file(s):
1. %UserProfile%\Desktop\HOW_DECRYPT.URL
2. %UserProfile%\Desktop\HOW_DECRYPT.TXT
3. %UserProfile%\Desktop\HOW_DECRYPT.HTML

Registry Details

CryptoDefense may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\[unique id] "finish" = "1"
HKEY_CURRENT_USER\Software\[unique id]
HKEY_CURRENT_USER\Software\[unique id]\PROTECTED

URLs

CryptoDefense may call the following URLs:

https://tabsearch.net/search/?q=

Messages

The following messages associated with CryptoDefense were found:

All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a month. After that, nobody and never will be able to restore files.
In order to decrypt the files, open your personal page on the site https://rj2bocejarqnpuhm.onion.to/XXX and follow the instructions.
If https://rj2bocejarqnpuhm.onion.to/XXX is not opening, please follow the steps below:
IMPORTANT INFORMATION:
Your Personal PAGE: https://rj2bocejarqnpuhm.onion.to/XXX
Your Personal PAGE(using TorBrowser): rj2bocejarqnpuhm.onion/XXX
Your Personal CODE(if you open site directly): XXX

6 Comments

Hi - I'm trying to recover pictures for a friend/client that were encrypted with CryptoDefense. I've removed the virus and think I've made a copy of the private key but I'm not sure how to use it to decrypt the files. Thanks for any help you can give. Chip Cooper

Restorable from VSS in "restore previous version of file" as a from "copy" option when you select to "keep both files" so the file is renamed.

Hi,

I found the unique identifier on my computer. How do I use it to decrypt my files?

Thanks

Had a user bring me their laptop with the post 4/1/14 iteration, where the Private Key could not be located with your program. My users don't have admin rights, so your program required me to make the user an admin to run it (using UAC would have harvested the wrong HKCU, so I made the user an admin briefly). All this said, on the positive side, since the user did not have admin rights when the RansomWare itself actually ran, it prevented the RansomWare from deleting VSS copies, and I was able to completely restore the user's My Documents & My Pictures using Previous Versions successfully.

My USB drive is infected how do I decrypt my files from the USB?

I followed every step, but the files are still encrypted! How do I recover the data? Everything is a mess, with file names such as "schvsitcyfadsf.sdfgc", but my actual files no longer exist. I have already tried every deleted-data recovery program there is, but none of them succeeded!
