CryptoDefense is another piece of file-encrypting ransomware that appeared in the wake of CryptoLocker. It encrypts the documents and data on a target machine in almost the same way:
CryptoDefense acquires an RSA public key from its remote command-and-control server once its malicious code has been injected by a supporting worm. A new AES key is then generated to encrypt almost all types of files, including .jpg. In other words, the encrypted documents are locked with two keys: one of them can be unlocked with a private key held on the controller, and the other is in the hands of CryptoDefense's author.
If the victim hands over the money, the hacker asks them to download a certain browser and fetch the private key themselves. Once the key is typed on the locked computer, the hacker remotely controls the machine and uses another key to finally decrypt the documents, if the hacker keeps his or her word. So no independent means of decryption has been found yet. It is, however, necessary to remove CryptoDefense's malicious code from the computer to prevent further damage.
Damages by CryptoDefense
Extracting Bitcoin is its main goal, and to secure that income it does concrete damage. By loading its code into the boot sector and overwriting the related drivers, CryptoDefense manages to run before Windows displays the desktop, so simply rebooting the affected computer or opening Task Manager does not get around it. Drivers belonging to security utilities are also disabled by CryptoDefense; together with a complex SHA shell, it is able to block any modification of its core files and data so that its work cannot be undone. When drivers, the components that let hardware and software communicate, are disabled or maliciously modified, the following dysfunctions and malfunctions follow:
- Restore points are swept away.
- Access to some forms of Safe Modes is denied.
- Some functional keys may be disabled.
- BSoD could happen occasionally.
Do Not Pay CryptoDefense
Unlike the previous ransomware versions (http://blog.vilmatech.com/top-10-ransomware-scams-2013/) that used an official-looking appearance to threaten victims into paying, CryptoDefense ransomware states plainly that it is a virus and that $500 in Bitcoin is required to decrypt the victim's precious documents and data. Any delay in payment (the grace period is 4 days) doubles the ransom to $1000 in Bitcoin! CryptoDefense plays psychological tactics on its victims, and most of them give in and pay, which hands the criminals behind it easy money within a short period and in effect funds the development of more advanced ransomware.
According to feedback from our clients, CryptoDefense comes back again not long after the Bitcoin has been paid. The reason can be very simple: CryptoDefense has already collected the system's information, and with it a second attack that exploits a bug or vulnerability is easier to carry out. Besides, one payment is enough to convince the hacker behind CryptoDefense that the victim is wealthy and generous. Why not encrypt the same computer again?
Lessons Learned from CryptoDefense
- It is important to back up or transfer confidential information and other critical documents to several external hard drives.
- It is no use paying cyber criminals.
- Make a point of always following good PC practice, as ransomware like CryptoDefense has multiple distribution routes:
- Fake Adobe/Flash Player update messages – almost every computer needs Adobe Flash Player to display media, so a faked update message easily tricks PC users into downloading CryptoDefense's malicious code unwittingly and willingly.
- Activators seeded on P2P sites – activators are needed in most cases to get certain programs running.
- The web – it is not unusual to hear that visiting porn sites or other compromised websites leads to a locked computer.
- Spam adware – many spam ads pop up and help spread malicious code by displaying alluring content to attract clicks.
- Vulnerable computers – vulnerabilities are well known to be easily exploited by infections, CryptoDefense included.
Below is the recommended way to remove CryptoDefense and get a working machine back. Follow it carefully, as many of the steps have to be carried out at the kernel level of the machine. If you are not technically confident enough to proceed, feel free to contact the recommended PC Technology Support Center and get one-to-one assistance right away.
Recommended Way to Remove CryptoDefense
1. Create a new user account from Safe Mode with Command Prompt.
Windows 7/XP/Vista
- Cold restart the system and keep tapping the F8 key as the computer boots.
- Highlight the "Safe Mode with Command Prompt" option when the "Windows Advanced Options Menu" appears.
- Press Enter, then type "explorer.exe" at the prompt and press Enter again to open a desktop.
- Go to Control Panel and create a new user account with admin rights:
Windows 7 - User Accounts and Family Safety > User Accounts > 'Manage another account' > 'Create a new account' > tick 'Administrator' > press the 'Create Account' button.
Windows XP - 'User Accounts' > 'Create a new account' > type a name for the new user account > press 'Next' > tick 'Computer administrator' > press 'Create Account'.
Windows Vista - 'Add or Remove User Accounts' > 'Create a New Account' > enter an account name > tick 'Computer administrator' > click the 'Create Account' button.
Windows 8
- Cold restart the system.
- Hold down the Shift key and keep tapping the F8 key as the computer boots, then select Troubleshoot with the arrow keys.
- Select Advanced options and hit the Restart button at the bottom right of the screen.
- Press F6 to enter Safe Mode with Command Prompt.
- Type "explorer.exe" and press Enter to open a desktop.
- Double-click 'Control Panel' on the Start screen.
- Click 'Add a user' under 'Users' in the left pane.
- If a Windows Live ID is available, use it to create the new account.
- Otherwise, click 'More about logon options' and fill in the form.
- Then follow the on-screen hints to finish creating a user account with admin rights.
2. Navigate to the following directories and remove all temp files.
C:\Documents and Settings\administrator user name\Local Settings\Temp
C:\Windows\Temp
C:\Documents and Settings\current user name\Local Settings\temp\
C:\Documents and Settings\user name\Local Settings\Temporary Internet Files
3. Show hidden files and folders and remove CryptoDefense from the local disk.
Find and remove strange files with unreasonable names such as [random number]/[random letter].exe in the Roaming folder, under C:\Windows and under C:\Windows\system32.
%Program Files%\[random]
%AppData%\Protector-[rnd].exe
%AppData%\Inspector-[rnd].exe
%AppData%\vsdsrv32.exe
4. Open the Registry (regedit) and remove the items generated by CryptoDefense.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random].exe
HKEY_LOCAL_MACHINE\SOFTWARE\CryptoDefense virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 'DisableRegistryTools' = 0
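The following PowerShell script is an added example and is not part of the original post: it audits the locations named in steps 2 to 4 above and the restore-point damage described earlier, and writes a report before anything is deleted, so the listing can be reviewed from the fresh administrator account created in step 1. It assumes Windows 7 or later with Windows PowerShell 4 or newer, run elevated; the [rnd] and [random] parts of the post's file names are matched with wildcards, and the HKLM key name is taken literally from the post. The registry check flags a nonzero DisableRegistryTools, since a value of 1 is what blocks regedit.

```powershell
# Added example (not from the original post): audit, do not delete.
# Assumes Windows 7+ with Windows PowerShell 4+, run as administrator.
$report = @()

# Step 2: executables sitting in the temporary-file locations the post lists.
$tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))
if ($env:LOCALAPPDATA) {
    $tempDirs += Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files'
}
foreach ($dir in ($tempDirs | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $dir -Recurse -Force -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        ForEach-Object {
            $report += "TEMP EXECUTABLE: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
        }
}

# Step 3: the dropped-file names from the post (wildcards stand in for [rnd]),
# plus any .exe at the top level of Program Files, where normally only sub-folders live.
$iocPatterns = @('Protector-*.exe', 'Inspector-*.exe', 'vsdsrv32.exe') |
    ForEach-Object { Join-Path $env:APPDATA $_ }
foreach ($pattern in $iocPatterns) {
    Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # Hash the file so the finding can be compared with other machines later.
        $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $report += "IOC FILE: $($_.FullName) sha256=$sha256"
    }
}
Get-ChildItem -Path $env:ProgramFiles -File -Filter *.exe -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $report += "UNUSUAL: executable directly in Program Files: $($_.FullName)" }

# Step 4: per-user Run entries that launch from user-writable folders,
# the policy value that blocks regedit, and the HKLM key the post names.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata fields
        $cmd = [string]$prop.Value
        if ($cmd -match '(?i)\\AppData\\|\\Temp\\|\\Users\\Public\\') {
            $report += "RUN ENTRY (review): $($prop.Name) = $cmd"
        }
    }
}
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $policyKey) {
    $v = Get-ItemProperty -Path $policyKey -Name DisableRegistryTools -ErrorAction SilentlyContinue
    if ($v -and $v.DisableRegistryTools -ne 0) {
        $report += "POLICY: DisableRegistryTools=$($v.DisableRegistryTools) (regedit blocked; set to 0 after cleanup)"
    }
}
if (Test-Path 'HKLM:\SOFTWARE\CryptoDefense virus') {
    $report += 'REGISTRY: HKLM\SOFTWARE\CryptoDefense virus exists'
}

# Damage check from the "Damages by CryptoDefense" section: are restore points gone?
try {
    $points = @(Get-ComputerRestorePoint -ErrorAction Stop)
    if ($points.Count -eq 0) { $report += 'RECOVERY: no System Restore points remain' }
} catch {
    $report += "RECOVERY: could not enumerate restore points ($($_.Exception.Message))"
}

# Save the report next to the current user's desktop and echo it.
$out = Join-Path $env:USERPROFILE 'Desktop\cryptodefense-audit.txt'
$report | Out-File -FilePath $out -Encoding UTF8
if ($report.Count -eq 0) { 'Nothing flagged in the audited locations.' } else { $report }
```

Run it once before and once after the manual removal steps; a second run that reports nothing flagged is the quickest sanity check that the Run entry, the dropped files and the regedit policy are really gone. Entries flagged "review" are candidates, not verdicts: a legitimate updater may also start from %AppData%, so check each path before deleting it.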
Relevant Reading:
Your Personal Files Are Encrypted
Remove CryptoDefense Ransomware – VilmaTech Official Blog
Remove CryptoLocker Virus Encrypting Files, Unblock Computer
Remove Cryptorbit Virus - Global PC Support Center