SecurityWeek

Malware & Threats

CryptoDefense Ransomware Rakes in $34K in a Month: Symantec

A ransomware campaign has paid off big time for whoever is behind a spate of CryptoDefense infections during the past month.

According to Symantec’s Security Response Team, the malware’s authors may have raked in more than $34,000 since it appeared on the scene in late February. The estimate is based on the Bitcoin addresses the malware authors provide for payment of the ransom and an examination of the publicly available Bitcoin blockchain records for those addresses.

But despite its success, the malware has a flaw that may provide victims the key to beating the attackers at their own game.

“As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer,” according to Symantec’s Security Response Team. “This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom actually still remains on the infected computer after transmission to the attacker’s server.”

When using Microsoft’s cryptography infrastructure, the private keys are stored in the following location: %UserProfile%\Application Data\Microsoft\Crypto\RSA.

“Due to the attackers’ poor implementation of the cryptographic functionality they have, quite literally, left their hostages a key to escape,” Symantec noted. 
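The practical consequence of that flaw for a responder is that the key material worth preserving sits in the user’s CryptoAPI key store. As an added example (not from the article or from Symantec’s write-up), the PowerShell script below lists the key-container files written around the time the ransom notes appeared and copies them, with hashes, to an evidence folder before any cleanup touches the profile. It assumes the XP-era path quoted in the article plus the %APPDATA%\Microsoft\Crypto\RSA location used by later Windows versions, an evidence folder under C:\IR, and that the responder supplies the ransom note’s creation time.

```powershell
# Added triage example, not code from the article or Symantec.
# Finds CryptoAPI RSA key-container files written near the ransom-note time
# and preserves copies plus SHA-256 hashes for later recovery attempts.
param(
    # e.g. (Get-Item '<path to a ransom-note file>').CreationTime
    [Parameter(Mandatory)] [datetime] $RansomNoteTime,
    [int] $WindowMinutes = 120,
    # Assumed evidence location; change to suit the case.
    [string] $PreserveTo = "$env:SystemDrive\IR\keystore-backup"
)

# Article's XP-era path and the %APPDATA% path of later Windows versions (assumed).
$candidates = @(
    (Join-Path $env:USERPROFILE 'Application Data\Microsoft\Crypto\RSA'),
    (Join-Path $env:APPDATA 'Microsoft\Crypto\RSA')
) | Where-Object { Test-Path $_ }

$from = $RansomNoteTime.AddMinutes(-$WindowMinutes)
$to   = $RansomNoteTime.AddMinutes($WindowMinutes)

# Container files live under a per-SID subfolder and are hidden; -Force includes them.
$hits = foreach ($root in $candidates) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}
$hits = $hits | Sort-Object FullName -Unique   # both paths may resolve to one folder on XP

if (-not $hits) {
    Write-Output "No key-container files written within +/-$WindowMinutes min of $RansomNoteTime"
    return
}

$hits | Format-Table -AutoSize

# Work on copies, never on the originals in the live profile.
New-Item -ItemType Directory -Force -Path $PreserveTo | Out-Null
foreach ($h in $hits) {
    $dest = Join-Path $PreserveTo ($h.FullName -replace '[:\\]', '_')
    Copy-Item -LiteralPath $h.FullName -Destination $dest -Force
    (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash + '  ' + $h.FullName |
        Add-Content -Path (Join-Path $PreserveTo 'SHA256SUMS.txt')
}
```

Run it in the infected user’s context (the key store is per user) and widen the window if the encryption ran long before the notes were dropped.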

The malware is being spammed out and distributed via malicious PDF files. The majority of the infections Symantec has detected are in the United States, with infections also seen in the U.K., Canada, Australia and a number of other countries. When first executed, CryptoDefense attempts to communicate with one of the following: machetesraka.com, markizasamvel.com, armianazerbaijan.com and allseasonsnursery.com.

The initial communication contains a profile of the infected machine. Once a reply is received from the remote location, the malware initiates the encryption and transmits the private key back to the server. After the remote server confirms receipt of the private decryption key, a screenshot of the compromised desktop is uploaded to the remote location, according to Symantec.

Once the files are encrypted, the malware creates ransom-demand files in every folder containing encrypted files. The malware authors are using the Tor network for payment of the ransom.

“If victims are not familiar with what the Tor network is, they even go as far as providing instructions on how to download a Tor-ready browser and enter the unique Tor payment Web page address,” according to Symantec. “The use of the Tor network conceals the website’s location and provides anonymity and resistance to takedown efforts. Other similar threats, such as Cryptorbit (Trojan.Nymaim.B), have used this tactic in the past.”

Once the user opens the unique personal page provided in the ransom demand using the Tor Browser, they are presented with a CAPTCHA page. If they fill out the CAPTCHA correctly, they are sent to the payment page. The ransom is $500, which the attackers threaten to double if they are not paid within four days.

“CryptoDefense, in essence, is a sophisticated hybrid design incorporating a number of effective techniques previously used by other ransomcrypt malware authors to extort money from victims,” Symantec explained. “These techniques include the use of Tor and Bitcoins for anonymity, public-key cryptography using strong RSA 2048 encryption in order to ensure files are held to ransom, and the use of pressure tactics such as threats of increased costs if the ransom is not paid within a short period of time. However, the malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape.”
