08 Apr 2014, #1

CryptoDefense: The story of insecure ransomware keys and self-serving bloggers
The past week has been particularly eventful for the Emsisoft Malware Research team. It all started about 2 weeks ago, when we received reports of a new ransomware from our friends over at BleepingComputer. A considerable number of users reported that their files had been encrypted and that all that was left on their system was the following ransom note:
The self-proclaimed name of the culprit? CryptoDefense.
To the attentive reader the name CryptoDefense may look quite familiar, as it sounds suspiciously similar to the infamous CryptoLocker ransomware that has been active since late last year. Like CryptoLocker, CryptoDefense also spreads mostly through spam email campaigns, and it also claims to use RSA with 2048 bit keys to encrypt the user's files. Like CryptoLocker, CryptoDefense also claims that encrypted files can't possibly be decrypted; but unlike CryptoLocker this claim was not initially true.
One of the key differences between CryptoDefense and CryptoLocker is the fact that CryptoLocker generates its RSA key pair on the command and control server. CryptoDefense, on the other hand, uses the Windows CryptoAPI to generate the key pair on the user's system. Now, this wouldn't make too much of a difference if it wasn't for some little known and poorly documented quirks of the Windows CryptoAPI. One of those quirks is that if you aren't careful, it will create local copies of the RSA keys your program works with. Whoever created CryptoDefense clearly wasn't aware of this behavior, and so, unbeknownst to them, the key to unlock an infected user's files was actually kept on the user's system.
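The behaviour described above has a practical consequence for incident responders: key material that the CryptoAPI persisted on the victim's machine may still be recoverable, as long as nobody wipes the profile first. The following script is an added example, not code from the Emsisoft article or from any decryption tool it mentions. It lists the per-user CryptoAPI RSA key container files (the default location under %APPDATA%\Microsoft\Crypto\RSA is standard Windows behaviour) that were created within a time window and copies them to a preservation folder. The 14-day window and the destination path are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): preserve persisted CryptoAPI
# RSA key containers for the current user before any remediation or reimaging.
param(
    # Hypothetical defaults: look back 14 days, copy into a folder on the desktop.
    [datetime]$Since = (Get-Date).AddDays(-14),
    [string]$PreserveTo = (Join-Path $env:USERPROFILE 'Desktop\KeyContainerBackup')
)

# Default per-user container location for the Microsoft software CSPs.
$containerRoot = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
if (-not (Test-Path -Path $containerRoot)) {
    Write-Warning "No per-user RSA key container directory found at $containerRoot"
    return
}

# Container files are opaque blobs; creation time is the useful triage signal,
# since a key generated by the malware will date from around the infection.
$recent = Get-ChildItem -Path $containerRoot -Recurse -File -Force |
    Where-Object { $_.CreationTime -ge $Since } |
    Sort-Object CreationTime

if (-not $recent) {
    Write-Output "No key container files created since $Since"
    return
}

$recent | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize

# Copy (never move) the candidates so the originals stay intact for decryption
# tools that read the container in place.
New-Item -ItemType Directory -Path $PreserveTo -Force | Out-Null
foreach ($file in $recent) {
    Copy-Item -Path $file.FullName -Destination $PreserveTo -Force
}
Write-Output "Preserved $($recent.Count) container file(s) to $PreserveTo"
```

Run it in the affected user's session (the containers are tied to that user's SID and DPAPI-protected with that user's credentials), and do it before deleting the profile or reinstalling Windows; once the profile is gone, so is the locally persisted key.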