A ransomware campaign has paid off big time for whoever is behind a spate of CryptoDefense infections during the past month.
According to Symantec’s Security Response Team, the malware’s authors may have raked more than $34,000 since it appeared on the scene in late February. The estimate is based on the Bitcoin addresses provided by the malware authors for payment of the ransom and an examination of the publicly-available Bitcoin blockchain information.
But despite its success, the malware has a flaw that may provide victims the key to beating the attackers at their own game.
“As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer,” according to Symantec’s Security Response Team. “This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom, actually still remains on the infected computer after transmission to the attackers server.”
When using Microsoft’s cryptography infrastructure, the private keys are stored in the following location: %UserProfile%Application DataMicrosoftCryptoRSA.
“Due to the attackers’ poor implementation of the cryptographic functionality they have, quite literally, left their hostages a key to escape,” Symantec noted.
The malware is being spammed out and distributed via malicious PDF files. The majority of the infections Symantec has detected are in the United States, with the U.K., Canada, Australia and a number of other countries also being sites of infections. When first executed, CryptoDefense attempts to communicate with one of the following: machetesraka.com, markizasamvel.com, armianazerbaijan.com and allseasonsnursery.com.
The initial communication contains a profile of the infected machine. Once a reply is received from the remote location, the malware initiates the encryption and transmits the private key back to the server. After the remote server confirms the recipient of the private decryption key, a screenshot of the compromised desktop is uploaded to the remote location, according to Symantec.
Once the files are encrypted, the malware creates ransom-demand files in every folder containing encrypted files. The malware authors are using the Tor network for payment of the ransom.
“If victims are not familiar with what the Tor network is, they even go as far as providing instructions on how to download a Tor-ready browser and enter the unique Tor payment Web page address,” according to Symantec. “The use of the Tor network conceals the website’s location and provides anonymity and resistance to take down efforts. Other similar threats, such as Cryptorbit (Trojan.Nymaim.B), have used this tactic in the past.”
Once the user opens the unique personal page provided in the ransom demand using the Tor Browser, they will be presented with a CAPTCHA page. If they fill out the CAPTCHA correctly, they will be sent to the payment page. The price of the ransom is $500 USD, which the hackers threaten to double if they are not paid within four days.
“CryptoDefense, in essence, is a sophisticated hybrid design incorporating a number of effective techniques previously used by other ransomcrypt malware authors to extort money from victims,” Symantec explained. “These techniques include the use of Tor and Bitcoins for anonymity, public-key cryptography using strong RSA 2048 encryption in order to ensure files are held to ransom, and the use of pressure tactics such as threats of increased costs if the ransom is not paid within a short period of time. However, the malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape.”