New virus CryptoDefender is worse than CryptoLocker. UPDATE.

By DrJBHL on April 6, 2014 9:29:51 AM from JoeUser Forums

Sorry to bring bad news, but it has gotten worse.

So how is it worse? CryptoDefender wipes out all Shadow Volume Copies (also called VSS or Volume Snapshot Service) and ransom demands are added to every file containing encrypted files. So what does VSS do? It makes Snapshots. Snapshots have two primary purposes: they allow the creation of consistent backups of a volume, ensuring that the contents cannot change while the backup is being made; and they avoid problems with file locking which is a mechanism that restricts access to a computer file by allowing only one user or process access at any specific time. By creating a read-only copy of the volume, backup programs are able to access every file without interfering with other programs writing to those same files.

Therefore, when CryptoDefender infects your system, the only backup you have is the last external one you made before the infection. This is why frequent backups are a good thing.

The original CryptoLocker's target files are text, picture, video, PDF and MS Office files. CryptoDefense, like CryptoLocker, encrypts these with a strong RSA-2048 key which is hard to undo.

However, these are two distinct viruses and CryptoDefender is not a derivative of CryptoLocker.

So how does the infection happen? Through emails with a link or an attachment. They might (and do) look genuine, even adding “attachment scanned by” with recognized antiviral software. Whether the attachment is labeled with a .jpg or .pdf extension (as well as special video players needed to view free online videos or Flash updates), it is in fact an exe file which installs on the computer, encrypts the files and sends the key to the command and control computer, and also connects to four remote domains, sending basic information about the computer and a screenshot of the computer which appears on the payment screen (just to be more convincing, I suppose).

The victim then gets this notice:

Note, to deal with them and make the payment of the ransom, the victim has to download the Tor browser to make the criminals safer from surveillance.

For the first four days the price for the decryption key is $500 in Bitcoin. After that, the price rises to $1,000. If no payment is forthcoming, the key is destroyed…

So far the CryptoDefender has passed its designers' tests in Great Britain, Canada and Australia; the USA is the main target, with Europe, Russia, the Middle East, China, and Africa to a lesser degree.
The designers of CryptoLocker and CryptoDefender are making tens of thousands of dollars a month with these viruses.

So, it’s better to mouse over email links, and it’s better to send an email query to the sender (and look at the actual email address in the reply), before opening any picture, etc.

Also, it’s really good to make a bootable disk image at the end of work everyday. If infected, wipe the disk and rebuild it using your full disk image.

There’s no solution yet for CryptoDefender as far as I can tell. None of the software cleaners for CryptoLocker will work with CryptoDefender. The most important thing in this situation is to ignore all unfamiliar emails that typically report nonexistent purchases and deliveries, payments and similar things, which could make one click on the malicious link.

UPDATE:

There's a very interesting angle to this follow up. It turns out that Emsisoft got wind of this virus early on and did some research on it. They actually found a way to decrypt the encrypted files and quietly put out a help offer for folks on various forums. This enraged the author of the virus (or the criminals who bought it and distributed it) and Emsisoft was subjected to an attack which they sidestepped through filtering.

Then, a rival antiviral firm revealed a bit too much of the method Emsisoft used to decrypt the files encrypted by the virus and that resulted in the criminal fixing the hole in his ransomware.

You can read about the episode here: 

http://blog.emsisoft.com/2014/04/04/cryptodefense-the-story-of-insecure-ransomware-keys-and-self-serving-bloggers/?ref=ticker140407&utm_source=newsletter&utm_medium=newsletter&utm_content=onlineversion&utm_campaign=ticker140407

Sources:

http://www.2-spyware.com/remove-cryptodefense.html

http://www.2-spyware.com/news/post2463.html

http://techtalk.pcpitstop.com/2014/04/03/worse-cryptolocker/?knowbefor-cryptodefense=

http://blog.emsisoft.com/2014/04/04/cryptodefense-the-story-of-insecure-ransomware-keys-and-self-serving-bloggers/?ref=ticker140407&utm_source=newsletter&utm_medium=newsletter&utm_content=onlineversion&utm_campaign=ticker140407
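As an added defender's example (not code from the post or from any of the linked sources), the following Python scans process-creation records for the two behaviours the post describes: shadow-copy deletion before the encryption pass, and a "picture" or "document" attachment that is really an executable. The Sysmon-style log format, user names, paths and file names are constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation records for this example, not real logs.
SAMPLE_LOG = r"""
2014-04-06T08:00:00 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows" ParentImage="C:\Windows\System32\cmd.exe"
2014-04-06T08:30:00 Image="C:\Program Files\Adobe\Reader\AcroRd32.exe" CommandLine="AcroRd32.exe report.pdf" ParentImage="C:\Windows\explorer.exe"
2014-04-06T09:11:58 Image="C:\Users\bob\AppData\Local\Temp\invoice.pdf.exe" CommandLine="invoice.pdf.exe" ParentImage="C:\Program Files\Microsoft Office\OUTLOOK.EXE"
2014-04-06T09:12:01 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet" ParentImage="C:\Users\bob\AppData\Local\Temp\invoice.pdf.exe"
2014-04-06T09:12:02 Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic shadowcopy delete" ParentImage="C:\Users\bob\AppData\Local\Temp\invoice.pdf.exe"
"""

# Command lines that destroy Volume Shadow Copies (the "worse" part of the post).
SHADOW_WIPE = re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                         r"|wbadmin(\.exe)?\s+delete\s+catalog)\b", re.I)
# A program whose name pretends to be a picture or document ("photo.jpg" that is an .exe).
FAKE_DOC_EXE = re.compile(r"\.(pdf|jpe?g|png|docx?|xlsx?|txt)\.(exe|scr|com|pif|bat)$", re.I)
ATTACHMENT_DIR = re.compile(r"\\(Temp|Content\.Outlook|INetCache|Downloads)\\", re.I)  # mail-attachment folders
FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_record(line: str) -> dict:
    """Split one record into {"Time": ..., "Image": ..., "CommandLine": ..., ...}."""
    ts, _, rest = line.partition(" ")
    rec = {"Time": ts}
    rec.update(FIELD.findall(rest))
    return rec

def classify(rec: dict) -> list:
    """Return the alert tags that apply to one process-creation record."""
    tags = []
    image, parent = rec.get("Image", ""), rec.get("ParentImage", "")
    if SHADOW_WIPE.search(rec.get("CommandLine", "")):
        tags.append("shadow-copy-wipe")          # local restore points are being destroyed
    if FAKE_DOC_EXE.search(image) or FAKE_DOC_EXE.search(parent):
        tags.append("double-extension-exe")      # executable masquerading as a document
    if ATTACHMENT_DIR.search(image) and image.lower().endswith((".exe", ".scr")):
        tags.append("exe-from-attachment-dir")   # program launched straight from mail cache
    return tags

def scan(log_text: str) -> list:
    """Run classify() over every record; returns (time, tag, image) triples."""
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        alerts += [(rec["Time"], tag, rec.get("Image", "")) for tag in classify(rec)]
    return alerts

if __name__ == "__main__":
    for when, tag, image in scan(SAMPLE_LOG):
        print(when, tag, image)
```

Run against the sample, the benign `vssadmin list shadows` and Adobe Reader records produce nothing, while the fake invoice and the two shadow-copy wipes it spawns each raise two alerts.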

23 Replies

April 6, 2014 9:49:55 AM from WinCustomize Forums

These people should be treated as terrorists. What a thing to do to people.

Thanks for the info, although, on my dial-up, I may be safer than you all. I rarely open mail and download at home, that is what my laptop is for, and it is disposable as far as what is on it. Just daily stuff, no long term.

How this can not be tracked is beyond me, seems the criminals spend more time learning than those protecting us. Or, the criminal mind is somewhat craftier. So sad.

Forgot to say Thanks, Thanks DrJBL.

April 6, 2014 11:00:30 AM from WinCustomize Forums

Thanks for the info. Much appreciated

April 6, 2014 3:37:58 PM from WinCustomize Forums

I open only emails from family and friends, and the newsletters I subscribe to, other than that, all unsolicited mail goes to my junk folder and is instantly deleted.

However, this is useful information that will prove beneficial for warning others, or if they become infected.

Thanks, Doc.

April 6, 2014 4:37:13 PM from WinCustomize Forums

Welcome, fellas.

April 6, 2014 4:46:29 PM from WinCustomize Forums

The sophistication of CryptoDefender and CryptoLocker indicates state sponsored viruses. I would guess that either China or North Korea are behind it, but I wouldn't eliminate the NSA from the short list!

April 6, 2014 6:00:31 PM from JoeUser Forums

"Hello, IRS?  NSA here.  kku."

April 6, 2014 7:49:20 PM from WinCustomize Forums

delete...delete...delete.

April 6, 2014 8:46:42 PM from WinCustomize Forums

Quoting kku,

The sophistication of CryptoDefender and CryptoLocker indicates state sponsored viruses. I would guess that either China or North Korea are behind it, but I wouldn't eliminate the NSA from the short list!

May I interest you in my latest range of tinfoil headwear?....

China isn't going to jeopardize its international trade with anything so stupid...

...and Nth Korea hasn't got the technology....they can't even get a half-decent barber to cut that idiot ruler's hair....

April 6, 2014 9:14:21 PM from GalCiv II Forums

pardon my ignorance, but how does one make a bootable disk image?

April 6, 2014 9:40:21 PM from WinCustomize Forums

Quoting heft,
pardon my ignorance, but how does one make a bootable disk image?

Means a full system [os] disk image...the sort of thing that can be restored via recovery media [dvd] to a normal boot OS....[or can be mounted as a VM]...

April 6, 2014 10:01:04 PM from GalCiv II Forums

Quoting Jafo,

Quoting heft, reply 9: pardon my ignorance, but how does one make a bootable disk image?

Means a full system [os] disk image...the sort of thing that can be restored via recovery media [dvd] to a normal boot OS....[or can be mounted as a VM]...

What program would I use?

April 6, 2014 10:01:30 PM from WinCustomize Forums

kku, the CryptoDefender (and CryptoLocker) are designed to extort money. Period.

The NSA is interested in penetration and surveillance of computer systems, communications nets and everything that goes across them.

It has no interest in extorting monies.

April 6, 2014 10:20:22 PM from WinCustomize Forums

Quoting Jafo,
..and Nth Korea hasn't got the technology....they can't even get a half-decent barber to cut that idiot ruler's hair...

You shouldn't criticise the imbecilic jerk like that... you know how the twerp likes to execute people who criticise or tell the truth about him, being the blood thirsty wanker he is.

As for the haircut... they just stick a bowl on his head and lop off anything that sticks out. However, that's not gonna work for much longer unless they get larger bowls - humongous bowls, even - cos his head's swelling by the day with all that power he inherited but was never qualified or equipped to take on. Frankly, had I been his father, I wouldn't have left him in charge of a worm farm all the residents had emigrated from.

April 7, 2014 9:02:12 AM from WinCustomize Forums

Please note, the OP has been updated. That update and the link to the story are at the bottom of the OP.

April 7, 2014 10:17:01 AM from Sins of a Solar Empire Forums

ROFL about the idiot who created cryptodefender. Pity someone had to spill the beans on it, but it was bound to happen.

April 8, 2014 5:10:49 PM from GalCiv II Forums

Quoting heft,

Quoting Jafo, reply 10

Quoting heft, reply 9: pardon my ignorance, but how does one make a bootable disk image?

Means a full system [os] disk image...the sort of thing that can be restored via recovery media [dvd] to a normal boot OS....[or can be mounted as a VM]...

What program would I use?

Sorry I asked this question. I was being lazy.

So I researched a little bit. It turns out I can use a free program I already have: imgburn. And there are lots of YouTube vids that give instructions on how to do it. 

April 9, 2014 3:27:23 PM from Elemental Forums

Terrorists, schmerrorists.

It's good for one thing - users will learn to do incremental backups of their critical files on a physically separate device. It's easy with today's NAS home servers, start today, so you don't have to learn the hard way. 

April 10, 2014 8:31:31 AM from WinCustomize Forums

Quoting Jafo,

Quoting kku, reply 5
The sophistication of CryptoDefender and CryptoLocker indicates state sponsored viruses. I would guess that either China or North Korea are behind it, but I wouldn't eliminate the NSA from the short list!

May I interest you in my latest range of tinfoil headwear?....

China isn't going to jeopardize its international trade with anything so stupid...

...and Nth Korea hasn't got the technology....they can't even get a half-decent barber to cut that idiot ruler's hair....

You must be thinking about some other country with incompetent hair stylists. The DPRK has developed a working nuclear capability as well as an intermediate missile delivery system. The DPRK is quite capable of developing computer and biological viruses.

April 10, 2014 10:05:03 AM from WinCustomize Forums

Quoting kku,
The DPRK

Nope...that'll be the DSRNK ...aka Dip Shit Run North Korea. [by, not of].

Their 'capability' is measured by whatever excuses the West [aka US] needs to justify blasting them back into the stone age.

Beyond that creature that runs the country...the rest of the population is hanging out to embrace Maccas and Vegas dross just the same as the rest of the great over-fed.

The 'world police' are always looking for excuses to justify their obscene military budgets...and test out the new kit they got..... NK will just be the next...since Afghanistan is soo yesterday...

April 10, 2014 10:10:03 AM from WinCustomize Forums

It is, kku. It's also quite difficult (if not impossible) to identify the source (the actual attacker) beyond the server source which won't be in the country initiating the attack.

For the ransomware though, to me it's more likely that it's criminal activity rather than spying (not that NK/China aren't engaged in criminal operations).

As for Jafo's last reply, can't say I wouldn't mind seeing their disgusting leaders/generals and politicians disappeared. The lives of the people of that country are pitiful.

April 10, 2014 10:49:59 AM from Elemental Forums

I agree that crypto yada smacks of a criminal source rather than a state source. It's too widely and wildly spread to be an instrument of a specific state. Seth, thanks for info - I need to set up a backup system...

April 10, 2014 11:09:08 AM from WinCustomize Forums

Quoting ElanaAhova,
Seth, thanks for info - I need to set up a backup system...

Sooner...

There IS NO later ...

June 18, 2014 3:19:24 PM from Stardock Forums

Followed your link (I really have to visit JU more often). Ouch! Looks like my client got very lucky (although I was surprised it worked). As I indicated, the network shares were fine due to a backup, but very few back up their personal computers. And churches are not known for their largess in salaries (unless your name is Jim Bakker).

WinCustomize © 2014 Stardock Corporation. All Rights Reserved.