Your files held hostage by CryptoDefense? Don't pay up! The decryption key is on your hard drive

A basic rookie programming error has crippled an otherwise advanced piece of ransomware dubbed CryptoDefense – but the crap coders are still pulling in more than $30,000 a month from unwary punters. Symantec reports that the malware, once it infects a Windows PC, encrypts the victim's files using a 2,048-bit RSA public key, …


This topic is closed for new posts.
  1. John Smith 19 Gold badge

    Looks like CryptoLocker still leads the field.

    Unless they have made the same mistake.

    Somehow I don't think we'll get that lucky.

  2. aregross


  3. Anonymous Coward


  4. Chris Miller

    Given the people who probably commissioned this software, I think the code review process might well be one in which we can all be glad we're not participating.

    1. kwatt

      CryptoDefense beta

      Looks like CryptoDefense ran a beta with Symantec reporting on bugs. Of course it was fixed within 24 hours, and now reports like this make people think they are safe when they are not. Besides not opening unknown attachments, get a reliable backup; online rather than locally mapped drives is suggested, as a locally mapped backup is one of the ransomware targets.

  5. J.G.Harston Silver badge

    Surely you have to be logged on as Admin to let these things take over? In which case, the bloody idiots are getting everything they deserve.

    1. Anonymous Coward

      If they are technically literate and log in as admin then there might be an argument that they deserve what they get.

      However, most users haven't got a clue about admin and user accounts - they simply use the computer as a tool and use whatever is more convenient for them. This does not make them idiots and deserving of being extorted, it makes them victims.

      1. Dave 126 Silver badge

        >This does not make them idiots and deserving of being extorted, it makes them victims.

        On a similar note, lay users aren't encouraged to back up their machines on an hourly basis... I mean, most PCs or laptops are sold with a single HDD, so they aren't designed for near-continuous backup by default. For sure, this requires extra hardware (and cost), but PCs are pretty cheap these days, so it's an issue of educating the customer that an extra 20% cost is a worthwhile investment.

        Does anyone know how prone HDDs and NASs attached to the PC are to this sort of malware?

        1. Weeble

          Are backups any defence?

          Seriously, are continuous backups any defence against this kind of attack?

          Surely, by the time you've received the ransom notice you've already backed-up the encrypted versions.

          Aside from large outfits, who can back up to a fresh tape every hour with a month-long (or even year-long) rotation policy, what can a mere mortal do?

          And how does one stop those backups from being directly encrypted - if it's on the network it's surely at risk.

          1. Alan Brown Silver badge

            Re: Are backups any defence?

            If you only have one generation of backups then you need your head read. I keep at least 90 days worth of daily backups. 2 years for some filesystems.

        2. kwatt

          Any attached backup drives as well as VSS files are susceptible to attack from CryptoDefense. Best to have a working backup, as 52% of backups fail multiple times based on a study done by the company TwinStrata and published by Baseline magazine.

    2. JaimieV

      @Harston - You don't have to be logged in as admin. Code run as your user will have access to all your files, and all files (eg on network shares) that you have access to - unsurprisingly.

      What it won't be able to do is encrypt eg server-side databases that you have front-end access to, and that sort of thing. So you can trash the department's spreadsheets, but not the accounts database system. Unless it's a local copy of Sage...

      @Dave - malware like this may have access to your backup destination, depending on how that's implemented. If it's a local HDD, or a permanently attached network share that has stacks of backup files in, then your hourly backups could easily get mashed.

      In summary - any file that *you* have rights to delete, can be encrypted by this malware. No admin rights required.

      1. No. Really!?

        This is exactly right.

        I've seen CryptoLocker; it's network aware. It got all of the user's files, plus all the files on shares the user had rights to.

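  JaimieV's point, confirmed in the reply above, is that the malware needs nothing beyond the rights of the account it runs under. The practical check a defender wants is therefore how much data that one account can modify or delete, across local folders and every mapped share. The PowerShell below is an added example, not code from the thread, Symantec or The Register: it walks a set of roots (the two profile folders and any mapped drives are assumptions; change them), compares each file's NTFS ACL against every SID in the current token, and reports what a process running as this user could overwrite. It only reads ACLs and never opens a file for writing.

```powershell
# Added example (not from the thread): how much of what this user can reach could a
# ransomware process running under the same account modify or delete?
# Roots are assumptions; mapped network drives are included because DisplayRoot
# is set only for mapped drives.
$roots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop") +
         @(Get-PSDrive -PSProvider FileSystem | Where-Object DisplayRoot | ForEach-Object Root)

# Every SID in the current token: the user itself plus all group memberships.
$me   = [Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($me.User.Value) + @($me.Groups | ForEach-Object Value)

# Rights that let a process overwrite the contents or remove the file outright.
$modifyMask = [Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'

function Test-CanModify {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allowed = $false
    foreach ($ace in $acl.Access) {                      # inherited ACEs are included
        try   { $aceSid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($sids -notcontains $aceSid) { continue }     # ACE is for someone else
        if (([int]$ace.FileSystemRights -band [int]$modifyMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }   # an explicit deny wins
        $allowed = $true
    }
    return $allowed
}

$report = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $files   = @(Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue)
    $exposed = @($files | Where-Object { Test-CanModify $_.FullName })
    [pscustomobject]@{
        Root       = $root
        Files      = $files.Count
        Modifiable = $exposed.Count
        MBytes     = [math]::Round((($exposed | Measure-Object Length -Sum).Sum) / 1MB, 1)
    }
}
$report | Format-Table -AutoSize
```

  Two caveats: for network paths the share-level permissions are not part of the NTFS ACL, so a share exported read-only will still be counted as modifiable here if the NTFS ACL allows it; and the ACE evaluation is an approximation of the Windows access check, good enough to size the exposure but not a substitute for it. If a backup destination shows up in the Modifiable column, it is exposed in exactly the way Dave 126 asked about.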
  6. Anonymous Coward


    All your private keys are stored in plaintext by Microsoft in a folder on your hard drive if you use their APIs?

    1. Lee D

      Re: so...

      Like almost every private key in the world stored on a Linux machine for use in an Apache SSL webserver, for example?

      Yep. Unless you want to type a passphrase into the machine every time it boots up. Some people do this (i.e. those who take security very seriously), some don't (i.e. those more worried about getting the PC back up and running without having to physically be in front of it every reboot than someone who might have obtained root access to the machine stealing only their private key portion of their SSL certificate which they have to have accessible for, e.g. Apache, IIS, etc. to be able to read the other side of the SSL connection anyway).

      Good practice says you encrypt the whole drive. Then "storing in plaintext" is neither here nor there. But if someone has read-access to your private keys which your webserver / SSH server / mail server etc. has to have access to, then it's game-over whether they are "encrypted" or not really. And, pretty much, means you can't reboot a system remotely and have it come back up with all your services operational.

    2. Crazy Operations Guy

      Re: so...

      No, every account has its own encryption key used to encrypt the keystore (keys used by the OS are stored in the SYSTEM account's keystore and encrypted with the machine's key).

      The source of this key depends on the account type: on locally created accounts the key is made from a one-way hash of the user's password and some other unique data. In directory services, such as Active Directory, the key is stored and generated by the directory software.

      The only place the key is stored in plain text is in a protected section of memory (Assuming your MMU isn't a pile of crap) and is processed by non-interruptible software ISR.

      1. Lee D

        Re: so...

        And, er... let's just take my scenario again.

        A web server has to boot at startup. It has to read wherever you've put the key and get the PRIVATE key out of it (in order to be able to decrypt communications encrypted by the PUBLIC key that you give out to everyone and send to them as part of TLS etc.).

        So then that machine, when powered on, without requiring passphrases, has enough information to boot, log in at the service account user (e.g. "httpd" or equivalent), read the keystore and get the PRIVATE key out of it.

        Game over. It might be more tricky but still game over. Encryption is useless if you're storing the credentials on the same disk and you are booting from it without supplying external information (e.g. dongle, manual login, etc.). It's either storing the key in plain text or it's storing it somewhere where it can get to using no more information than is contained on its default storage devices.

        And, thus, why most OS's don't try to "obfuscate" access to it, because that's just pretending to actually be secure. Fact is, if you have enough info to boot up and decrypt SSL encrypted with your private key, you have enough information that the key is effectively plain-text.

        1. Crazy Operations Guy

          Re: so...

          The point of the Keystore isn't to obfuscate access to certificates, but rather to put them all in one place and make it much easier to work with using a common API for all your crypto needs rather than having it done on an application-by-application basis.

          Yes, the system has to get access to the key from somewhere; in modern computers this would be the TPM in conjunction with SecureBoot. The SYSTEM account's keys are stored in the TPM and without those keys the keystore is unreadable. Of course now the TPM is the weakest link, but if your attackers have the technology to break one of those, I think you have bigger problems.

          Besides, if someone malicious has physical access to your machine, it doesn't matter what OS you are using, you have already lost. A system's security isn't just about the OS, you also have to protect

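  Both halves of the exchange above can be seen directly with the Data Protection API (DPAPI), which is what Windows uses to protect the per-user CryptoAPI key containers under %APPDATA%\Microsoft\Crypto\RSA\<SID> that later posts point at. The following PowerShell is an added example, not code from the thread or from Symantec: it protects a secret under the CurrentUser scope, recovers it in the same session, and shows the failure when the optional entropy is wrong. The secret text and the entropy string are made up for the demonstration.

```powershell
# Added example (not from the thread): DPAPI protection is tied to the account.
Add-Type -AssemblyName System.Security   # ProtectedData lives here on Windows PowerShell 5.1

function Protect-Secret {
    param([string]$Plain, [string]$Entropy)
    # Optional entropy is a second secret the caller must supply again to unprotect.
    $entropyBytes = if ($Entropy) { [Text.Encoding]::UTF8.GetBytes($Entropy) } else { $null }
    $cipher = [Security.Cryptography.ProtectedData]::Protect(
        [Text.Encoding]::UTF8.GetBytes($Plain), $entropyBytes,
        [Security.Cryptography.DataProtectionScope]::CurrentUser)   # bound to this user's master key
    [Convert]::ToBase64String($cipher)
}

function Unprotect-Secret {
    param([string]$Blob, [string]$Entropy)
    $entropyBytes = if ($Entropy) { [Text.Encoding]::UTF8.GetBytes($Entropy) } else { $null }
    $plain = [Security.Cryptography.ProtectedData]::Unprotect(
        [Convert]::FromBase64String($Blob), $entropyBytes,
        [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Text.Encoding]::UTF8.GetString($plain)
}

# Made-up secret standing in for key material.
$blob = Protect-Secret -Plain 'stand-in for RSA key material' -Entropy 'CryptoDefense-demo'
"Blob on disk (base64)   : $($blob.Substring(0, 32))..."
"Same user, right entropy: $(Unprotect-Secret -Blob $blob -Entropy 'CryptoDefense-demo')"
try   { Unprotect-Secret -Blob $blob -Entropy 'wrong' | Out-Null }
catch { "Wrong entropy           : $($_.Exception.Message)" }
```

  Run Unprotect-Secret on the same blob as a different local account, or on another machine, and it fails the same way: that is the per-account boundary Crazy Operations Guy describes. But any process already running as the owning user, the ransomware included, or a service that starts unattended with that user's credentials, passes the check just as this script does, which is Lee D's point: for code running in the right context the protected blob is effectively plaintext.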
  7. wahankh

    Excellent news for the click-happy Windows users. However, now it's in the public domain it's probably been fixed and sent out faster than a Java exploit.

  8. Anonymous Coward

    If ever there was a reason for the TLA agencies to backdoor TOR this is it, then they can lob a drone with a big warhead at these lowlives.

    1. Charles Manning

      That's the sad bit

      NSA surely has the capability of nobbling these bastards, and doing so would surely be of benefit to the citizens who pay their wages and buy them shiny new data centres in the desert.

      Yet they do nothing.

      Remind me what purpose the NSA serves again?

      1. Wzrd1

        Re: That's the sad bit

        The NSA is part of the US DoD, which is prohibited from acting in a police capacity within the US.

        As monitoring crime and providing evidence on that crime is acting in a police capacity, they are prohibited from doing so by the Posse Comitatus Act.

      2. Anonymous Coward

        Re: Remind me what purpose the NSA serves again?

        Its purpose is to serve the ends of the USA's political/military/industrial complex, not save puppies from drowning or do anything of benefit to anyone else. (Unless that's incidental to making a random scumbag politician look good for a moment.)

    2. Anonymous Coward

      "...then they can lob a drone with a big warhead at these lowlives."

      Great idea. You'd not mind a drone taking out the house next door to you, would you?

      Or perhaps, a house in Russia, with the nuclear baggage that would draw.

      1. Gene Cash Silver badge

        I'd love to have a drone take out the house next to me, and the one across the street too! I'd pay good money for that.

  9. Anonymous Coward

    When they catch these crims

    They should execute them by firing squad starting with shots to the ankles and moving upwards every 15 minutes or so. The procedure should take no less than 12 hours just so the crims understand the error in their behavior.

    1. Wzrd1

      Re: When they catch these crims

      Sorry, but civilized people do not torture people to death, regardless of their crimes.

      1. bigtimehustler

        Re: When they catch these crims

        Yea, instead we lock them up and waste money keeping them alive serving no purpose to us or them for the rest of their lives (in the case of very serious cases anyway) and this serves what logical purpose exactly?

  10. Schultz

    Location of the Microsoft/Crypto folder depends on the Windows version

    I went to look for the Application Data > Application Data > Microsoft > Crypto > RSA folder to find out what might hide there. But this folder resides in a different location on Windows 8: C:\Users\Username\AppData\Roaming\Microsoft\Crypto\RSA. Just in case somebody was looking for it ...

    1. Cripes Chief!

      Re: Location of the Microsoft/Crypto folder depends on the Windows version

      Same for Win7

      1. Joe Harrison

        Re: Location of the Microsoft/Crypto folder depends on the Windows version

        Mine is full of impressive-looking strings of hex. Somehow I don't think these on their own are going to cheer up the average victim tearing their hair out to get their files back.

    2. Crazy Operations Guy

      Re: Location of the Microsoft/Crypto folder depends on the Windows version

      Doesn't matter where it is, those files are encrypted anyway. You should be accessing them through the Certificate Manager in the MMC.

  11. Glostermeteor

    These people need to be hunted down and shot, it's that simple

    Title says it all.

  12. Anonymous Coward

    This is what we want the law enforcement agencies to deal with. I know that it isn't piracy, but I think they should concentrate on dealing with scams instead of going after poor people who happen to pirate music or videos.

    This is the kind of thing that really affects people and their lives. But no, they go after the easy target of those who copy films and music.

    1. Anonymous Coward

      My thoughts

      exactly. It seems the "agencies" can persecute kids for "stealing" a song and ruin their and their parents' lives, yet somehow don't seem to have the resources to track these bastards down.

      Funny old world innit....

  13. Anonymous Coward

    Hi All, unfortunately my laptop has been infected by CryptoDefense. I've been googling to try and find support in getting rid of it. The article mentions locating the private key in the Crypto file. I've located the file, but is anyone able to advise what to do next? What do I do with the key?



  14. Phrixos

    "Bloody Idiots"

    J.G. Harston wrote, "Surely you have to be logged on as Admin to let these things take over? In which case, the bloody idiots are getting everything they deserve."

    Well, I'd much rather be, on any day, a decent bloody idiot than a cruel (long string of expletives deleted). As it happens, there are at least two good reasons to be logged on as an Administrator. As Condiment implies, we are not all so totally savvy as the imperious Mr. Harsh ~ton. A computer is hardly a simple instrument.

    When in my early computer-learning stage, which seems, btw, to be ever ongoing, an "expert" once advised me, "Don't be afraid of clicking the wrong key. You can't hurt it."


    Secondly, years ago, when upon having to reinstall Windows I did something wrong, I found I couldn't access any of my User files and so I lost ALL of them.

    Log on as a user? Never again.

  15. John Crisp

    Where are the Microsoft shills and fanbois when you need them ?

    So now not only do I enjoy running exclusively non windows, but I have great reason to ban EVERYTHING Windows off my networks :-)

  16. ChasR


    Info at Bleeping Computer to decrypt:

    Unfortunately, the crims have changed their modus operandi so the key isn't local anymore. YMMV
