CryptoDefense Description

CryptoDefense, also known as HOW_DECRYPT.txt Ransomware, is a PC infection that attacks all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. When a PC is infected with CryptoDefense Ransomware, the malware executes a variety of harmful actions on the system. CryptoDefense Ransomware encrypts the files on the infected computer and urges the victim to pay a supposed fine to decrypt them. When launched, CryptoDefense Ransomware connects to its Command and Control (C&C) server and uploads a private key. It also deletes all Shadow Volume Copies at launch so that the computer user cannot restore the files from the Shadow Volumes, which means the files can only be restored from a backup or by paying the supposed fine. CryptoDefense Ransomware scans the PC and encrypts data files such as image files, text files, office documents, and video files. It also takes a screenshot of the computer user's active Windows screen and uploads it to the Command & Control server; this screenshot is embedded into the PC user's payment page on the Decrypt Service website.

This payment website is located on the Tor network, and the PC user can only make the payment in Bitcoins. In order to buy the decryptor for the files, the computer user needs to pay a supposed fine of 500 USD in Bitcoins. If the PC user does not pay the fine within 4 days, it doubles to 1,000 USD. CryptoDefense Ransomware also declares that if the PC user does not buy a decryptor within one month, it will delete the private key and the computer user will no longer be able to decrypt the files. The files are encrypted using RSA-2048 encryption, which makes them impossible to decrypt by brute force. At the beginning of each encrypted file are two strings of text. The first string is !crypted! and the second string is a unique identifier for the compromised PC. An example identifier is 18177F25DA00CD4CBC3D1b8B9F55F018. All encrypted files on the same PC carry the same unique identifier. This identifier is probably used by the Decrypt Service website to look up the private key that can decrypt the files when performing a test decryption.
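The header layout above (the !crypted! marker followed by the per-machine identifier) is enough to triage a file set without any decryption: files that begin with the marker are encrypted, and the identifier they carry should be the same across the whole machine. The script below is an added example written for this page, not the page's or any vendor's code; it assumes the identifier is always 32 hex characters, as in the example value quoted above, and the sample headers it checks are constructed.

```python
import os
import re
from collections import defaultdict

# Header layout described on the page: marker string, then the per-machine identifier.
MARKER = b"!crypted!"
# Assumption: the identifier is 32 hex characters, matching the page's example value.
ID_RE = re.compile(rb"[0-9A-Fa-f]{32}")
HEADER_LEN = len(MARKER) + 32

def parse_header(data: bytes):
    """Return the victim identifier if `data` starts with a CryptoDefense header, else None."""
    if not data.startswith(MARKER):
        return None
    m = ID_RE.match(data, len(MARKER))
    return m.group(0).decode("ascii") if m else None

def triage(samples: dict):
    """Group file paths by identifier; files without the marker are returned separately.
    More than one identifier on a single machine contradicts the page's description
    and is worth a closer look (e.g. files copied in from another infected host)."""
    by_id = defaultdict(list)
    untouched = []
    for path, head in samples.items():
        victim_id = parse_header(head)
        if victim_id is None:
            untouched.append(path)
        else:
            by_id[victim_id].append(path)
    return dict(by_id), untouched

def scan_directory(root: str) -> dict:
    """Read only the header bytes of each file under `root`, for use on a live case."""
    heads = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    heads[path] = fh.read(HEADER_LEN)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return heads

# Constructed sample headers (not real files); the identifier is the page's example value.
SAMPLE = {
    r"C:\Users\alice\Pictures\holiday.jpg": b"!crypted!18177F25DA00CD4CBC3D1b8B9F55F018\x8a\x01",
    r"C:\Users\alice\Documents\notes.docx": b"!crypted!18177F25DA00CD4CBC3D1b8B9F55F018PK\x03",
    r"C:\Users\alice\Documents\readme.txt": b"Quarterly numbers attached",
    r"C:\Users\alice\Desktop\HOW_DECRYPT.TXT": b"All files including videos",
}

if __name__ == "__main__":
    groups, clean = triage(SAMPLE)
    for victim_id, paths in groups.items():
        print(f"identifier {victim_id}: {len(paths)} encrypted file(s)")
    print(f"{len(clean)} file(s) without the marker")
```

On a real case, pass `scan_directory(root)` to `triage` in place of `SAMPLE`; the recovered identifier only tells you which machine the files belong to, it does not help decrypt them.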


Technical Information

File System Details

CryptoDefense creates the following file(s):
1. %UserProfile%\Desktop\HOW_DECRYPT.URL
2. %UserProfile%\Desktop\HOW_DECRYPT.TXT
3. %UserProfile%\Desktop\HOW_DECRYPT.HTML

Registry Details

The following registry entries were found:
HKEY_CURRENT_USER\Software\[unique id]
HKEY_CURRENT_USER\Software\[unique id] "finish" = "1"

More Details on CryptoDefense

The following messages associated with CryptoDefense were found:
All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a month. After that, nobody and never will be able to restore files.
In order to decrypt the files, open your personal page on the site and follow the instructions.
If is not opening, please follow the steps below:
Your Personal PAGE:
Your Personal PAGE(using TorBrowser): rj2bocejarqnpuhm.onion/XXX
Your Personal CODE(if you open site directly): XXX

  • Everton:

    I followed the whole step-by-step but the files are still encrypted! How do I recover the data? Everything is a mess, with file names like "schvsitcyfadsf.sdfgc" for example, but my actual files no longer exist. I have already tried every deleted-data recovery program I could find, but none of them succeeded!

  • Esmeralda:

    My USB drive is infected how do I decrypt my files from the USB?

  • J Smith:

    Had a user bring me their laptop with the post-4/1/14 iteration, where the Private Key could not be located with your program. My users don’t have admin rights, so your program required me to make the user an admin to run it (using UAC would have harvested the wrong HKCU, so I made the user an admin briefly). All this said, on the positive side, since the user did not have admin rights when the RansomWare itself actually ran, it prevented the RansomWare from deleting VSS copies, and I was able to completely restore the user's My Documents & My Pictures using Previous Versions successfully.

  • Aldo:

    I found the unique identifier on my computer. How do I use it to decrypt my files?

  • Robert:

    Restorable from VSS in "restore previous version of file" with the "copy" option, when you select "keep both files" so the file is renamed.

  • Chip Cooper:

    Hi – I’m trying to recover pictures for a friend/client that were encrypted with CryptoDefense. I’ve removed the virus and think I’ve made a copy of the private key but I’m not sure how to use it to decrypt the files. Thanks for any help you can give. Chip Cooper
