CryptoDefense, one of those Cryptolocker imitators that have managed to wreak havoc and force users into shelling out money, isn’t all that intelligent, it seems: its coders have goofed up big time and left behind the key that can decrypt users’ data without them having to pay any ransom.
Due to the success of Cryptolocker, which is believed to have infected over 250,000 systems in the UK alone between September and December last year, many copycats emerged. CryptoDefense is one of those and according to Symantec, at the time of this writing, the ransomware is earning its masters nearly $34,000 a month.
“Using the Bitcoin addresses provided by the malware authors for payment of the ransom and looking at the publicly available Bitcoin blockchain information, we can estimate that this malware earned cybercriminals over $34,000 in one month alone”, notes Symantec in a blog post.
However, users who have already paid could have avoided the ransom, and those whose systems have been infected by this ransomware should take note: CryptoDefense’s creators have erred big time by leaving behind a key that can be used to decrypt the data.
Symantec notes that CryptoDefense makes use of Microsoft’s cryptographic infrastructure and Windows APIs to perform the key generation. The private key is sent back to the ransomware servers; however, the creators overlooked a critical detail, as a result of which a copy of the private key still resides on the user’s system under Application Data > Application Data > Microsoft > Crypto > RSA.
“This method means that the decryption key the attackers are holding for ransom actually still remains on the infected computer after transmission to the attackers’ server,” Symantec notes.
Except that it’s not true. I have the drive of a friend who got hit and there are no key files in said location. I wish people would stop posting this misinformation.