Dumb CryptoDefense hackers leave keys on victims' PCs

Scammers' botched encryption leaves victims with key to escape

Stewart Mitchell
1 Apr 2014

The latest Crypto ransomware scam – CryptoDefense – leaves victims with a key to unlock their own PC, according to security researchers.

The aggressive CryptoLocker ransomware appeared last year, locking files on victims' computers and only offering a decryption key in return for payment of a ransom.

The success of the scam – it had infected an estimated 250,000 PCs between September and December last year – has encouraged copycats, with CryptoDefense appearing in February and demanding $500 for a key to unlock files.

According to security firm Symantec, the latest iteration is earning its creators $34,000 a month, but while previous versions have been uncrackable without payment, CryptoDefense includes flaws that could allow victims to escape without payment.

"The malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape," said Symantec in a blog.

"With CryptoLocker, the private key was only ever found on servers controlled by the attacker, meaning the attackers always maintained control over the encryption/decryption keys," Symantec said. "With CryptoDefense, the attackers had overlooked one important detail: where the private key was stored."

The company said the RSA-2048 encryption was done using Microsoft’s cryptographic infrastructure, with Windows APIs performing the key generation on the victim's machine before the key was sent in plain text to the attacker’s server.

"This method means that the decryption key the attackers are holding for ransom actually still remains on the infected computer after transmission to the attackers' server," Symantec said.

The security firm said private keys could be found in the folder Application Data > Application Data > Microsoft > Crypto > RSA.
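The folder Symantec names is the per-user CryptoAPI key-container directory, and a responder's first job on an infected machine is to find and preserve such containers before any cleanup overwrites them. The script below is an added example, not code from the article, from Symantec or from the malware; it inventories the CryptoAPI RSA key-container folders beneath a Windows volume (or a mounted forensic image of one) and filters to files modified after a chosen time. The path globs, the helper names and the `root` parameter are this example's own assumptions, and `build_sample_volume` creates a constructed directory layout purely so the logic can be exercised offline.

```python
"""Triage helper: inventory CryptoAPI RSA key containers left on a Windows volume.

Added example (not from the article or Symantec). Assumes the usual CryptoAPI
locations: per-user containers under each profile's roaming Application Data,
machine containers under ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys.
"""
from __future__ import annotations

import argparse
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Container locations relative to the volume root (assumed layout; the XP-era
# "Documents and Settings" path is included for older images).
USER_RSA_GLOBS = (
    "Users/*/AppData/Roaming/Microsoft/Crypto/RSA/*",
    "Documents and Settings/*/Application Data/Microsoft/Crypto/RSA/*",
)
MACHINE_RSA_GLOB = "ProgramData/Microsoft/Crypto/RSA/MachineKeys"


@dataclass(frozen=True)
class KeyContainerFile:
    path: Path
    size: int
    mtime: float


def find_key_containers(root: Path, since: float | None = None) -> list[KeyContainerFile]:
    """Return key-container files under `root`, newest first.

    `since` is a POSIX timestamp; when given, only files modified at or after
    it are returned, so a responder can focus on containers created around the
    time of infection rather than every key the machine has ever generated.
    """
    found: list[KeyContainerFile] = []
    for pattern in (*USER_RSA_GLOBS, MACHINE_RSA_GLOB):
        for container_dir in root.glob(pattern):
            if not container_dir.is_dir():
                continue
            for entry in container_dir.iterdir():
                if not entry.is_file():
                    continue
                st = entry.stat()
                if since is not None and st.st_mtime < since:
                    continue
                found.append(KeyContainerFile(entry, st.st_size, st.st_mtime))
    found.sort(key=lambda f: f.mtime, reverse=True)
    return found


def build_sample_volume(root: Path) -> None:
    """Create a constructed mock volume layout for testing only (no real keys)."""
    user_dir = root / "Users" / "victim" / "AppData" / "Roaming" / "Microsoft" / "Crypto" / "RSA" / "S-1-5-21-0-0-0-1001"
    machine_dir = root / "ProgramData" / "Microsoft" / "Crypto" / "RSA" / "MachineKeys"
    user_dir.mkdir(parents=True)
    machine_dir.mkdir(parents=True)
    (user_dir / "old_container").write_bytes(b"\x00" * 128)
    (user_dir / "new_container").write_bytes(b"\x00" * 256)
    (machine_dir / "machine_container").write_bytes(b"\x00" * 64)
    # Backdate one container by 30 days so the time filter has something to exclude.
    past = time.time() - 30 * 86400
    os.utime(user_dir / "old_container", (past, past))


def demo_triage() -> dict[str, object]:
    """Run the inventory against the constructed layout and summarise the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_volume(root)
        everything = find_key_containers(root)
        last_week = find_key_containers(root, since=time.time() - 7 * 86400)
        return {
            "total": len(everything),
            "recent": sorted(f.path.name for f in last_week),
            "oldest": everything[-1].path.name,
        }


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="List CryptoAPI RSA key containers on a volume")
    ap.add_argument("root", type=Path, help="volume root, e.g. C:\\ or a mounted image")
    ap.add_argument("--days", type=float, default=None, help="only containers modified in the last N days")
    args = ap.parse_args()
    cutoff = None if args.days is None else time.time() - args.days * 86400
    for f in find_key_containers(args.root, since=cutoff):
        print(f"{time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(f.mtime))}  {f.size:8d}  {f.path}")
```

Run it against the live volume root or a mounted image with `--days 7` to shortlist containers created in the infection window, then copy the files off (keeping timestamps) before any remediation; the container files are opaque CryptoAPI blobs, so recovery work happens on the copies, not in place.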
