CryptoDefense
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Field | Value |
|---|---|
| Threat Level | 10 % (Normal) |
| Infected Computers | 34 |
| First Seen | March 24, 2014 |
| Last Seen | April 19, 2023 |
| OS(es) Affected | Windows |
CryptoDefense, otherwise known as HOW_DECRYPT.txt Ransomware, is a PC infection that attacks all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8. When a PC is contaminated with CryptoDefense Ransomware, the malware executes a variety of harmful actions on the computer system. CryptoDefense Ransomware encrypts the files on the infected computer and urges the victim to pay a supposed fine to decrypt them. CryptoDefense Ransomware connects to the Command and Control (C&C) server and uploads a private key. CryptoDefense Ransomware also deletes all Shadow Volume Copies when it is launched, so that the computer user cannot restore the files from the Shadow Volumes; this means that the computer user will only be able to restore the files by restoring from backup or by paying the supposed fine. CryptoDefense Ransomware scans the PC and encrypts data files such as image files, text files, office documents, and video files. CryptoDefense Ransomware also creates a screenshot of the computer user's active Windows screen and uploads it to the Command & Control server. This screenshot will be embedded into the PC user's payment page on the Decrypt Service website.
This payment website is located on the Tor network, and the PC user can only make the payment in Bitcoins. In order to buy the decryptor for the files, the computer user needs to pay a supposed fine of 500 USD in Bitcoins. If the PC user does not pay the fine within 4 days, it will double to 1,000 USD. CryptoDefense Ransomware also declares that if the PC user does not buy a decryptor within one month, it will delete the private key and the computer user will no longer be able to decrypt the files. The files are encrypted using RSA-2048 encryption, which makes them impossible to decrypt via brute force methods. At the beginning of each encrypted file there are two strings of text. The first string is !crypted! and the second string is a unique identifier for the compromised PC. An example identifier is 18177F25DA00CD4CBC3D1b8B9F55F018. All encrypted files on the same PC will include the same unique identifier. This identifier is possibly used by the Decrypt Service website to recognize the private key that can be used to decrypt the files when executing a test decryption.
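The !crypted! header described above gives responders a cheap way to triage a host: any file that starts with the marker is an encrypted file, and the identifier that follows groups files by infected machine. The following Python script is an added example, not code from EnigmaSoft or from the malware write-up; it assumes that the identifier directly follows the marker and is 32 hexadecimal characters, which the page does not state explicitly, and it runs on constructed sample files in a temporary directory.

```python
"""Triage helper: locate files carrying the CryptoDefense '!crypted!' header.

Assumption (not stated on the page): the identifier immediately follows the
marker and is 32 hex characters. Real samples may use a different layout.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Marker followed by optional whitespace and the assumed 32-hex-char victim id.
HEADER_RE = re.compile(rb"^!crypted!\s*([0-9A-Fa-f]{32})")


def parse_header(data: bytes) -> Optional[str]:
    """Return the victim identifier if data begins with the marker, else None."""
    m = HEADER_RE.match(data[:64])
    return m.group(1).decode("ascii") if m else None


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Map each identifier to the files under root that carry it.

    Only the first 64 bytes of every file are read, so scanning a large
    volume stays cheap. One identifier across all hits means one infected host.
    """
    hits: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(64)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        ident = parse_header(head)
        if ident:
            hits.setdefault(ident, []).append(str(path))
    return hits


def demo() -> Dict[str, List[str]]:
    """Constructed sample tree: two marked files sharing the page's example id, one clean file."""
    tmp = Path(tempfile.mkdtemp())
    marked = b"!crypted!18177F25DA00CD4CBC3D1b8B9F55F018"
    (tmp / "report.docx").write_bytes(marked + b"\x00" * 16)
    (tmp / "photo.jpg").write_bytes(marked + b"\xff" * 16)
    (tmp / "notes.txt").write_bytes(b"plain text, untouched")
    return scan_tree(tmp)


if __name__ == "__main__":
    for ident, files in demo().items():
        print(f"{ident}: {len(files)} encrypted file(s)")
```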
File System Details
# | File Name | Detections
---|---|---
1. | %UserProfile%\Desktop\HOW_DECRYPT.URL |
2. | %UserProfile%\Desktop\HOW_DECRYPT.TXT |
3. | %UserProfile%\Desktop\HOW_DECRYPT.HTML |
Registry Details
URLs
CryptoDefense may call the following URLs:
https://tabsearch.net/search/?q=