Feeds

Your files held hostage by CryptoDefense? Don't pay up! The decryption key is on your hard drive

Blunder discovered in latest ransomware infecting PCs

Protecting against web application threats using SSL

A basic rookie programming error has crippled an otherwise advanced piece of ransomware dubbed CryptoDefense – but the crap coders are still pulling in more than $30,000 a month from unwary punters.

Symantec reports that the malware, once it infects a Windows PC, encrypts the victim's files using a 2,048-bit RSA public key, which is half of a freshly generated private-public pair; the software nasty only hands over the private key to decrypt the data when a ransom is paid. Computers are infected typically after the user is tricked into running an attachment in a spam email.

It was first spotted in February, and is largely targeting US and UK systems. So far the security firm has detected more than 11,000 infections and estimates that the operators are pulling in up to $38,000 a month in Bitcoin, based on data from BTC transaction sites.

This style of encryption attack is nothing new, but the CryptoDefense creators have put a bit more thought into their nasty than most of their ilk (apart from the bungled cryptography that we'll get onto in a second). The malware uses pressure tactics that would make a corporate marketing department proud – it doubles the ransom after four days of non-payment, for example – and it makes the victim use the Tor network to cough up the dosh so it's harder to track down the crooks behind the scam.

The ransomware demands $500 in Bitcoin for the decryption key, and the malware author includes a how-to guide for installing and using a Tor-connected web browser, and a list of crypto-currency exchanges. There's even a CAPTCHA page to negotiate before the ransom is paid.

Thankfully all that work has gone to waste. Whoever coded this made the rookie mistake of storing the decryption key in plain view – that's right, the private key is stored unencrypted on the PC's hard disk. Even though the generated private keys are uploaded to the crooks' server, allowing the crims to send the keys to victims who pay up, a copy is left on the drive by the software. Symantec explained:

As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer. This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom, actually still remains on the infected computer after transmission to the attacker's server.

Infected users should check in the Application Data > Application Data > Microsoft > Crypto > RSA folder of their PCs for the private key.

"The malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape," the security biz noted in a blog post.

While that's good news for people infected right now, it's a kick in the shins for those who paid up in the past, and bad news for future victims once this bug is fixed. Ransomware has been around in one form or another for years, but in the last 18 months there's been a big spike in infections and it's getting more advanced and difficult to eliminate.

The boom was sparked by CryptoLocker, an unusually effective piece of malware that reaped millions through a combination of good social engineering and strong crypto, and being highly resistant to takedown attempts on its command and control servers. It was so good, US cops were forced to pay up to free their files, and it is still causing problems across the world.

Its success has spawned a host of imitations, and studies have shown that the attack is surprisingly effective at convincing people to pay up. Last month, a Romanian victim killed himself and his four-year-old son after ransomware convinced him he was facing years in jail and massive fines.

The primary vector of attack is the old favorite, the anonymous email attachment. While people are getting better at not downloading files from unknown sources, there are still a lot of folks who aren't so wary and, once infected, they are likely to be technology-illiterate enough to panic into making a payment.

Crap coding may have crippled CryptoDefense, but it's clear that malware writers are investing in ransomware in a big way. Expect to see a lot more of this kind of malware-laden spam in the future. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.