Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

CryptoDefense Ransomware Rakes in $34K in a Month: Symantec

A ransomware campaign has paid off big time for whoever is behind a spate of CryptoDefense infections during the past month.

A ransomware campaign has paid off big time for whoever is behind a spate of CryptoDefense infections during the past month.

According to Symantec’s Security Response Team, the malware’s authors may have raked more than $34,000 since it appeared on the scene in late February. The estimate is based on the Bitcoin addresses provided by the malware authors for payment of the ransom and an examination of the publicly-available Bitcoin blockchain information. 

But despite its success, the malware has a flaw that may provide victims the key to beating the attackers at their own game.

“As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer,” according to Symantec’s Security Response Team. “This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom, actually still remains on the infected computer after transmission to the attackers server.”

When using Microsoft’s cryptography infrastructure, the private keys are stored in the following location: %UserProfile%Application DataMicrosoftCryptoRSA.

“Due to the attackers’ poor implementation of the cryptographic functionality they have, quite literally, left their hostages a key to escape,” Symantec noted. 

The malware is being spammed out and distributed via malicious PDF files. The majority of the infections Symantec has detected are in the United States, with the U.K., Canada, Australia and a number of other countries also being sites of infections. When first executed, CryptoDefense attempts to communicate with one of the following:,, and

The initial communication contains a profile of the infected machine. Once a reply is received from the remote location, the malware initiates the encryption and transmits the private key back to the server. After the remote server confirms the recipient of the private decryption key, a screenshot of the compromised desktop is uploaded to the remote location, according to Symantec.

Once the files are encrypted, the malware creates ransom-demand files in every folder containing encrypted files. The malware authors are using the Tor network for payment of the ransom.

“If victims are not familiar with what the Tor network is, they even go as far as providing instructions on how to download a Tor-ready browser and enter the unique Tor payment Web page address,” according to Symantec. “The use of the Tor network conceals the website’s location and provides anonymity and resistance to take down efforts. Other similar threats, such as Cryptorbit (Trojan.Nymaim.B), have used this tactic in the past.”

Once the user opens the unique personal page provided in the ransom demand using the Tor Browser, they will be presented with a CAPTCHA page. If they fill out the CAPTCHA correctly, they will be sent to the payment page. The price of the ransom is $500 USD, which the hackers threaten to double if they are not paid within four days.  

“CryptoDefense, in essence, is a sophisticated hybrid design incorporating a number of effective techniques previously used by other ransomcrypt malware authors to extort money from victims,” Symantec explained. “These techniques include the use of Tor and Bitcoins for anonymity, public-key cryptography using strong RSA 2048 encryption in order to ensure files are held to ransom, and the use of pressure tactics such as threats of increased costs if the ransom is not paid within a short period of time. However, the malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.