CryptoDefense, the CryptoLocker Imitator, Makes Over $34,000 in One Month

On the back of Cryptolocker’s (Trojan.Cryptolocker) perceived success, malware authors have been turning their attention to writing new ransomcrypt malware. The sophisticated CryptoDefense (Trojan.Cryptodefense) is one such malware. CryptoDefense appeared in late February 2014 and since that time Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections. Using the Bitcoin addresses provided by the malware authors for payment of the ransom and looking at the publicly available Bitcoin blockchain information, we can estimate that this malware earned cybercriminals over $34,000 in one month alone (according to Bitcoin value at time of writing).

Imitation is not just the sincerest form of flattery – it’s the sincerest form of learning” – George Bernard Shaw.

CryptoDefense, in essence, is a sophisticated hybrid design incorporating a number of effective techniques previously used by other ransomcrypt malware authors to extort money from victims. These techniques include the use of Tor and Bitcoins for anonymity, public-key cryptography using strong RSA 2048 encryption in order to ensure files are held to ransom, and the use of pressure tactics such as threats of increased costs if the ransom is not paid within a short period of time. However, the malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape.

Symantec has observed CrytoDefense being spammed out using emails such as the one shown in Figure 1.


Figure 1. Malicious spam email example

Network communications
When first executed, CryptoDefense attempts to communicate with one of the following remote locations:


The initial communication contains a profile of the infected computer. Once a reply is received from the remote location, the threat then initiates encryption and transmits the private key back to the server. Once the remote server confirms the receipt of the private decryption key, a screenshot of the compromised desktop is uploaded to the remote location.

Ransom demand
Once the files are encrypted, CryptoDefense creates the following ransom demand files in every folder that contains encrypted files:



Figure 2. Example of HOW_DECRYPT.HTML file

As can be seen in Figure 2, the malware authors are using the Tor network for payment of the ransom demand. If victims are not familiar with what the Tor network is, they even go as far as providing instructions on how to download a Tor-ready browser and enter the unique Tor payment Web page address. The use of the Tor network conceals the website’s location and provides anonymity and resistance to take down efforts. Other similar threats, such as Cryptorbit (Trojan.Nymaim.B), have used this tactic in the past.

Once the user opens their unique personal page provided in the ransom demand using the Tor Browser, they will be presented with a CAPTCHA page.


Figure 3. Example of CAPTCHA shown to victim

Once they have filled in the CAPTCHA correctly, the user will be presented with the ransom payment page.


Figure 4. CryptoDefense ransom payment page

Of note here is the ransom demand of 500 USD/EUR to be paid within four days or the ransom doubles in price. The use of time pressure tactics by the cybercriminals makes victims less likely to question the costs involved when evaluating potential losses. The cybercriminals offer proof through a “My screen” button, included on the payment page, that they have compromised the user’s system by showing the uploaded screenshot of the compromised desktop. They also offer further proof that decryption is feasible by allowing the victim to decrypt one file through the “Test decrypt” button. They then proceed to educate their victim on how to get hold of Bitcoins to pay the ransom.

CryptoDefense employs public-key cryptography using strong RSA 2048 encryption. This means that once the files have been encrypted, without access to the private key, victims will not be able to decrypt the files. With Cryptolocker, the private key was only ever found on servers controlled by the attacker, meaning the attackers always maintained control over the encryption/decryption keys. On investigating how CryptoDefense implemented its encryption, we observed that the attackers had overlooked one important detail: where the private key was stored.

As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer. This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom, actually still remains on the infected computer after transmission to the attackers server.

When using Microsoft’s cryptographis infrastructure, private keys are stored in the following location:

%UserProfile%\Application Data\Microsoft\Crypto\RSA

Due to the attackers poor implementation of the cryptographic functionality they have, quite literally, left their hostages a key to escape. Further details of Microsoft’s key storage architecture can be found here.

Symantec is aware of the following Bitcoin addresses being used in CryptoDefense ransom demands:

The first known Bitcoin transaction for these addresses was on February 28, 2014. This corresponds with the first detection of a CryptoDefense sample by Symantec. At this time, based on the number of received transactions for both Bitcoin addresses, Symantec can estimate that the cybercriminals behind CryptoDefense have earned over $36,000 in just one month.

Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections in over 100 countries. The United States makes up the majority of these detections followed by the United Kingdom, Canada, Australia, Japan, India, Italy, and the Netherlands.


Figure 5. Heatmap for CryptoDefense detections

Although not related, such were the similarities seen between CrytoDefense and Cryptolocker that Symantec initially detected this threat as Trojan.Cryptolocker along with numerous other detections. Symantec detects CryptoDefense under the following detection names:

Antivirus detections

Heuristic detections

Reputation detections

Intrusion prevention signatures

Symantec customers that use the Symantec.Cloud service are also protected from the spam messages used to deliver this malware.

For the best possible protection, Symantec customers should ensure that they are using the latest Symantec technologies incorporated into our consumer and enterprise solutions. To further protect against threats of this nature, it is recommended that you follow security best practices and always backup your files using a product such as Symantec’s Backup Exec Family. Finally, always keep your systems up to date with the latest virus definitions and patches.

Leave a Reply