Feeds

Your files held hostage by CryptoDefense? Don't pay up! The decryption key is on your hard drive

Blunder discovered in latest ransomware infecting PCs

The Essential Guide to IT Transformation

A basic rookie programming error has crippled an otherwise advanced piece of ransomware dubbed CryptoDefense – but the crap coders are still pulling in more than $30,000 a month from unwary punters.

Symantec reports that the malware, once it infects a Windows PC, encrypts the victim's files using a 2,048-bit RSA public key, which is half of a freshly generated private-public pair; the software nasty only hands over the private key to decrypt the data when a ransom is paid. Computers are infected typically after the user is tricked into running an attachment in a spam email.

It was first spotted in February, and is largely targeting US and UK systems. So far the security firm has detected more than 11,000 infections and estimates that the operators are pulling in up to $38,000 a month in Bitcoin, based on data from BTC transaction sites.

This style of encryption attack is nothing new, but the CryptoDefense creators have put a bit more thought into their nasty than most of their ilk (apart from the bungled cryptography that we'll get onto in a second). The malware uses pressure tactics that would make a corporate marketing department proud – it doubles the ransom after four days of non-payment, for example – and it makes the victim use the Tor network to cough up the dosh so it's harder to track down the crooks behind the scam.

The ransomware demands $500 in Bitcoin for the decryption key, and the malware author includes a how-to guide for installing and using a Tor-connected web browser, and a list of crypto-currency exchanges. There's even a CAPTCHA page to negotiate before the ransom is paid.

Thankfully all that work has gone to waste. Whoever coded this made the rookie mistake of storing the decryption key in plain view – that's right, the private key is stored unencrypted on the PC's hard disk. Even though the generated private keys are uploaded to the crooks' server, allowing the crims to send the keys to victims who pay up, a copy is left on the drive by the software. Symantec explained:

As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer. This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom, actually still remains on the infected computer after transmission to the attacker's server.

Infected users should check in the Application Data > Application Data > Microsoft > Crypto > RSA folder of their PCs for the private key.

"The malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape," the security biz noted in a blog post.

While that's good news for people infected right now, it's a kick in the shins for those who paid up in the past, and bad news for future victims once this bug is fixed. Ransomware has been around in one form or another for years, but in the last 18 months there's been a big spike in infections and it's getting more advanced and difficult to eliminate.

The boom was sparked by CryptoLocker, an unusually effective piece of malware that reaped millions through a combination of good social engineering and strong crypto, and being highly resistant to takedown attempts on its command and control servers. It was so good, US cops were forced to pay up to free their files, and it is still causing problems across the world.

Its success has spawned a host of imitations, and studies have shown that the attack is surprisingly effective at convincing people to pay up. Last month, a Romanian victim killed himself and his four-year-old son after ransomware convinced him he was facing years in jail and massive fines.

The primary vector of attack is the old favorite, the anonymous email attachment. While people are getting better at not downloading files from unknown sources, there are still a lot of folks who aren't so wary and, once infected, they are likely to be technology-illiterate enough to panic into making a payment.

Crap coding may have crippled CryptoDefense, but it's clear that malware writers are investing in ransomware in a big way. Expect to see a lot more of this kind of malware-laden spam in the future. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.