Sorry to bring bad news, but it has gotten worse.
So how is it worse? CryptoDefender wipes out all Shadow Volume Copies (also called VSS, or the Volume Snapshot Service), and ransom demands are added to every folder containing encrypted files. So what does VSS do? It makes snapshots. Snapshots have two primary purposes: they allow the creation of consistent backups of a volume, ensuring that the contents cannot change while the backup is being made; and they avoid problems with file locking, the mechanism that restricts access to a file by allowing only one user or process access at any given time. By creating a read-only copy of the volume, backup programs are able to read every file without interfering with other programs writing to those same files.
Therefore, when CryptoDefender infects your system, the only backup you have is the last external one you made before the infection. This is why frequent backups are a good thing.
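The post does not say how CryptoDefender removes the shadow copies, but on Windows the usual routes are the built-in `vssadmin delete shadows` and `wmic shadowcopy delete` commands, so a defender's first detection is to watch process-creation telemetry for those command lines. The following Python is an added example, not code from the post or from any vendor: the event records are constructed sample data, the field names (`pid`, `image`, `cmdline`, `parent`) are assumptions about what a log forwarder would provide, and the "parent launched from a user-writable directory" heuristic is the author's own choice for raising severity.

```python
import re

# Constructed sample process-creation events (assumed field layout; not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\bob\AppData\Local\Temp\invoice.jpg.exe"},
    {"pid": 4188, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\bob\AppData\Local\Temp\invoice.jpg.exe"},
    {"pid": 5001, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",          # benign: listing, not deleting
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 5100, "image": r"C:\Program Files\Backup\backup.exe",
     "cmdline": "backup.exe --nightly",                 # benign backup job
     "parent": r"C:\Windows\System32\services.exe"},
]

# Command-line patterns that destroy Volume Shadow Copies.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]

# Directories from which an ordinary user can run a freshly downloaded file;
# a shadow-copy deletion whose parent lives here deserves the highest severity.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Temp)\\", re.I)


def match_rules(event):
    """Return the names of every RULE whose pattern matches the event's command line."""
    return [name for name, pattern in RULES if pattern.search(event["cmdline"])]


def severity(event):
    """High if the deleting process was spawned from a user-writable path, else medium."""
    return "high" if USER_WRITABLE.search(event.get("parent", "")) else "medium"


def find_shadow_copy_deletions(events):
    """Scan events and return (pid, rule, severity) for each shadow-copy deletion seen."""
    hits = []
    for ev in events:
        for rule in match_rules(ev):
            hits.append((ev["pid"], rule, severity(ev)))
    return hits


if __name__ == "__main__":
    for pid, rule, sev in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"[{sev}] pid={pid} rule={rule}")
```

Listing shadows (`vssadmin list shadows`) is deliberately left out of the rules, because administrators and backup agents run it routinely; the deletion verbs are what matter, and the parent-path heuristic separates a backup product's scheduled cleanup from an executable that just arrived in a Temp folder.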
The original CryptoLocker targets text, picture, video, PDF and MS Office files. CryptoDefense, like CryptoLocker, encrypts these with a strong RSA-2048 key, which is hard to undo.
However, these are two distinct viruses and CryptoDefender is not a derivative of CryptoLocker.
So how does the infection happen? Through emails with a link or an attachment. They might (and do) look genuine, even adding “attachment scanned by” with the name of recognized antivirus software. Whether the attachment is labeled with a .jpg or .pdf extension (or presented as a special video player needed to view free online videos, or a Flash update), it is in fact an exe file. Once run, it installs on the computer, encrypts the files and sends the key to the command and control computer. It also connects to four remote domains, sending basic information about the computer and a screenshot of it, which then appears on the payment screen (just to be more convincing, I suppose).
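Because the attachment's extension is the lie, a mail gateway or endpoint check should look at the bytes rather than the name. The Python below is an added example, not code from the post: it compares a file's leading bytes against the magic numbers for the extension it claims, recognizes a Windows PE executable by its `MZ` header and the `PE\0\0` signature at the offset stored at 0x3C, and flags double extensions such as `photo.jpg.exe`. The sample byte strings are constructed stand-ins for real attachments.

```python
import struct

# What a file claiming each extension should actually start with.
EXPECTED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def looks_like_pe(data):
    """True if data carries a DOS 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_attachment(filename, data):
    """Return a list of findings (empty means nothing suspicious was seen)."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # "invoice.pdf.exe": a document-looking name ending in an executable extension.
    if len(parts) > 2 and ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension hides executable: .{parts[-2]}.{ext}")

    # Executable content regardless of what the name says.
    if looks_like_pe(data):
        if ext not in EXECUTABLE_EXTENSIONS:
            findings.append(f"PE executable content behind .{ext} extension")
        else:
            findings.append("executable attachment")

    # Content does not match the claimed document/image type.
    magics = EXPECTED_MAGIC.get(ext)
    if magics and not any(data.startswith(m) for m in magics):
        findings.append(f"content does not match .{ext} magic bytes")

    return findings


# Constructed samples: a minimal PE-shaped blob and genuine-looking document headers.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
REAL_PDF = b"%PDF-1.4\n%constructed sample\n"
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("scan.pdf", FAKE_PE), ("scan.pdf", REAL_PDF),
                       ("photo.jpg.exe", FAKE_PE), ("photo.jpg", REAL_JPG)]:
        print(name, "->", check_attachment(name, blob) or "ok")
```

The magic-byte table is deliberately small; the point is that a `.pdf` attachment that begins with `MZ` is never a PDF, and that decision can be made before the user ever sees an icon.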
The victim then gets this notice:
Note that to deal with them and pay the ransom, the victim has to download the Tor browser, which makes the criminals safer from surveillance.
For the first four days the price for the decryption key is $500 in Bitcoin. After that, the price rises to $1,000. If no payment is forthcoming, the key is destroyed…
So far CryptoDefender has passed its designers' tests in Great Britain, Canada and Australia; the USA is the main target, with Europe, Russia, the Middle East, China and Africa affected to a lesser degree.
The designers of CryptoLocker and CryptoDefender are making tens of thousands of dollars a month with these viruses.
So, it’s better to mouse over email links, and it’s better to send an email query to the sender (and look at the actual email address in the reply) before opening any picture, etc.
Also, it’s really good to make a bootable disk image at the end of work every day. If infected, wipe the disk and rebuild it using your full disk image.
There’s no solution yet for CryptoDefender as far as I can tell. None of the software cleaners for CryptoLocker will work with CryptoDefender. The most important thing in this situation is to ignore all unfamiliar emails; they typically report nonexistent purchases, deliveries, payments and similar things that could make one click on the malicious link.
There's a very interesting angle to this follow-up. It turns out that Emsisoft got wind of this virus early on and did some research on it. They actually found a way to decrypt the encrypted files and quietly put out a help offer for folks on various forums. This enraged the author of the virus (or the criminals who bought it and distributed it), and Emsisoft was subjected to an attack which they sidestepped through filtering.
Then a rival antivirus firm revealed a bit too much of the method Emsisoft used to decrypt the files encrypted by the virus, and that resulted in the criminal fixing the hole in his ransomware.
You can read about the episode here: