Feeds

Your files held hostage by CryptoDefense? Don't pay up! The decryption key is on your hard drive

Blunder discovered in latest ransomware infecting PCs

Using blade systems to cut costs and sharpen efficiencies

A basic rookie programming error has crippled an otherwise advanced piece of ransomware dubbed CryptoDefense – but the crap coders are still pulling in more than $30,000 a month from unwary punters.

Symantec reports that the malware, once it infects a Windows PC, encrypts the victim's files using a 2,048-bit RSA public key, which is half of a freshly generated private-public pair; the software nasty only hands over the private key to decrypt the data when a ransom is paid. Computers are infected typically after the user is tricked into running an attachment in a spam email.

It was first spotted in February, and is largely targeting US and UK systems. So far the security firm has detected more than 11,000 infections and estimates that the operators are pulling in up to $38,000 a month in Bitcoin, based on data from BTC transaction sites.

This style of encryption attack is nothing new, but the CryptoDefense creators have put a bit more thought into their nasty than most of their ilk (apart from the bungled cryptography that we'll get onto in a second). The malware uses pressure tactics that would make a corporate marketing department proud – it doubles the ransom after four days of non-payment, for example – and it makes the victim use the Tor network to cough up the dosh so it's harder to track down the crooks behind the scam.

The ransomware demands $500 in Bitcoin for the decryption key, and the malware author includes a how-to guide for installing and using a Tor-connected web browser, and a list of crypto-currency exchanges. There's even a CAPTCHA page to negotiate before the ransom is paid.

Thankfully all that work has gone to waste. Whoever coded this made the rookie mistake of storing the decryption key in plain view – that's right, the private key is stored unencrypted on the PC's hard disk. Even though the generated private keys are uploaded to the crooks' server, allowing the crims to send the keys to victims who pay up, a copy is left on the drive by the software. Symantec explained:

As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer. This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom, actually still remains on the infected computer after transmission to the attacker's server.

Infected users should check in the Application Data > Application Data > Microsoft > Crypto > RSA folder of their PCs for the private key.

"The malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape," the security biz noted in a blog post.

While that's good news for people infected right now, it's a kick in the shins for those who paid up in the past, and bad news for future victims once this bug is fixed. Ransomware has been around in one form or another for years, but in the last 18 months there's been a big spike in infections and it's getting more advanced and difficult to eliminate.

The boom was sparked by CryptoLocker, an unusually effective piece of malware that reaped millions through a combination of good social engineering and strong crypto, and being highly resistant to takedown attempts on its command and control servers. It was so good, US cops were forced to pay up to free their files, and it is still causing problems across the world.

Its success has spawned a host of imitations, and studies have shown that the attack is surprisingly effective at convincing people to pay up. Last month, a Romanian victim killed himself and his four-year-old son after ransomware convinced him he was facing years in jail and massive fines.

The primary vector of attack is the old favorite, the anonymous email attachment. While people are getting better at not downloading files from unknown sources, there are still a lot of folks who aren't so wary and, once infected, they are likely to be technology-illiterate enough to panic into making a payment.

Crap coding may have crippled CryptoDefense, but it's clear that malware writers are investing in ransomware in a big way. Expect to see a lot more of this kind of malware-laden spam in the future. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.