Wednesday, June 11, 2014

Update: CryptoDefense rebranded to CryptoWall

After the fortune they reaped with CryptoDefense, not only did the crooks buy more computers from a botnet. They also rebranded it to 'CryptoWall' and made considerable changes to its website:

+ Multilanguage Support
+ Slight color changes in their website. Now it looks nicer, I confess.
+ Support (You can message them in case you need help) 

- Their English sucks, so I haven't noticed any improvement in this area.

* Ransomware notes are now named as:
  • DECRYPT_INSTRUCTION.txt
  • DECRYPT_INSTRUCTION.html
  • DECRYPT_INSTRUCTION.url
What does it mean to 'buy computers'?

Most computers that were hit by this nasty ransomware had been previosuly infected by a botnet. A botnet is a network of infected computers that can be spied and controlled by their masters (those who own the botnet network). 

These computer programs are usually used to gather users' credentials to home-banking and to perform DDoS attacks on websites, etc. (Yes, you can pay these crooks to bring down your competition's website).

One of their businesses consists of selling a certain number of infected computers so that the buyers can install whatever they want in them. In this case: CryptoDefense/CryptoWall. It's not a big issue for them to sell these computers because most of them are not used for homebanking anyway. So, they remain rather useless. Now, thanks to ransomware, they no longer have to wait until they get a bank account. They just encrypt their files and get paid via Bitcoins.

Is there a chance to get my files without payment?

Maybe, I can't tell. The reason why the first 'lucky' victims that were hit by the earliest version of CryptoDefense could recover their files was because its earliest version had a faulty implementation of CryptoAPI (needed to encrypt your files). 

If someone gets access to their hidden servers that provide the decryption tool and verifies the payments, all keys might be released.

Will they go to jail?

I very much hope so. CryptoLocker author has been identified and charges were pushed against him. CryptoLocker is way smarter than this Kiddo ransomware and the author still got caught. So, let's just be patient.

Is this information useful to you? Write me an email or consider a small donation. Any amount will be greatly appreciated!

If you have the virus samples, you can send them. (Place them inside a .zip / .rar file) and use 'infected' as password.

Getting your money back (Economics)

I know it sucks to pay the ransom. I understand $500 is a lot of cash for some people, especially for those who live in developing countries. But here's the thing: Bitcoin volatility is really high. Although noone truely knows if its price is going to go up, down, sideways or in flying circles, bitcoins become more scarce over time. As a deflationary currency, its value tends to go up in the long run. I would therefore recommend buying a higher amount of bitcoin than what the crooks request. With the remaining amount, you may recover your money over time, either selling your BTCs or using them to buy some products of your interest.


Coindesk has a daily chart which shows BTC prices over time, it's worth to take a look at.

Sunday, April 13, 2014

It's been awhile

I am glad to announce that we were featured on PCWorld, one of the greatest computer magazines in the world.

My old computer screen is dead, and I am using my phone to reply emails and update this blog. That's why I can't always reply quickly and why I ask for donations. Anyway...

Cryptolocker and CryptoDefense have proven to be a highly profitable business warped around the anonymity of cryptocurrencies and the TOR network. You can expect more of this resurgent type of malware to sweep the Internet and spread as wildfire and, as you are reading this article, someone is writing the next cryptovirus that will enter the scene tomorrow; and I am not joking. The only fireproof measure against these nasty threats is backup using non-rewritable media such as DVD-R's and Blueray disks. Cloud storage such as Dropbox seemed safe at first glance but víctims also reported they have lost their files there.

To make matters even worse, some victims also reported being hit by two cryptoviruses. This means that they had to pay twice to get their files back. Can you imagine what will happen when more of these viruses emerge in the near future? Go figure...

There is little (to say the most) Antivirus software can do once your files have been encrypted simply because removing the malware will not return your data to its original form unless you have the key. So, better be prepared than sorry: Backup tour files.

I'll update this blog soon... Keep in tune!

Thursday, April 3, 2014

CryptoDefense Updated!

Since Symantec reported that the keys are stored on your hard-drive, Crypodefense authors updated their malware: Keys are no longer stored.

Therefore, if you were hit by this malware after March 31, chances are that the only way out is to pay the ransom.

Are you going to let the crooks get away with it? I hope not! Sign the petition to get the NSA and the governments to do something about it.






THESE CROOKS MUST BE PROSECUTED AND GET JAILED!



SIGN THE PETITION

Share that link on Facebook and Twitter. The more people sign, the faster they will respond.

Friday, March 28, 2014

You infected the wrong fool!



Yeah, I recovered all my files. ALL and EACH one of them without paying a PENNY. If that wasn't enough, we are also helping victims to recover their files without payment. 

Dear CryptoDefense Authors, if you are reading this: SCREW YOU. Your awful script kiddie skills led our team of true experts to THWART your evil plans, even though you used state-of-the-art RSA encryption. What a bunch of fools! that's like loosing a football match having Lionel Messi, Cristiano Ronaldo and Xavi on your team.

Next step is to report all your domain names (that you lamely use to infect more and more victims).

Now, if you are a victim, feel free to write us at howdecrypt@gmail.com


Tuesday, March 25, 2014

CryptoDefense: Keys pair stored on disk!

This little detail slipped through their fingers... TOO LATE!

(I actually hid this post when I understood that it might alert the crooks. But SYMANTEC did!)

This is the exact path where your keys are:


Windows XP
C:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Crypto\RSA\S-1-5-2...
Windows 7
X:\Users\<USERNAME>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21...
(X stands for your hard-disk letter, which is commonly C in most computers) 

HEXCMP highlights in red the differences whereas identical bytes remain white.
TCP/IP dumped data is identical to the key found on Disk. 

The private key is encrypted via DPAPI (Data Protection API). There are many RSA keys in that folder though, but you can still find them by sorting these files by date. If you don't remember the date you got infected, see your screenshot at the crook's webpage or search for the oldest HOW_DECRYPT.TXT file in your system.

I'll update this blog soon!



Monday, March 24, 2014

Working backwards to the seeds! (OUTDATED)


Note: 
This article is technically accurate and it can be applied to rudimentary RSA implementations that only use time retrieval functions as seed as demonstrated by CS Students from Virginia University
However, CryptoDefense uses CrytoAPI which uses a robust PRNG based on process ID, thread ID,  system clock, system time, system counter, memory status, free disk clusters, etc. I dramatically changed the keys recovery approach as soon as I found out the keys were stored on disk.  Why keep this article then? Oh, we wanted the crooks to think we were down the wrong path ;)

Do NOT use somebody else's decryption program!
The reason why each key is unique and why you can't use somebody else's decryption program is because this ransomware randomly generates the keys for each victim. If there was a unique private key for everyone, there would be no need to panic!

But the is a problem...

Software alone is technically incapable of generating random numbers in its truest sense. This explains why the concepts of pseudorandom numbers generation (PRNG) and true random number generation (TRNG) exist and radically differ in the fields of computer science. The second is only -and better- securely employed through specialized hardware, which is not built-in in most desktop and laptop computers in the general consumer market. For the first one, however a strong random number generation algorithm is essential throughout the entire process of public key cryptography. 


Most PRNG's use the system clock as parameter (seed) to generate the pair of keys, and this is evident due the use of GetTickCountQueryPerformanceCounter and GetSystemTimeAsFileTime found in the executable samples of this malware.

For example, TrueCrypt  (a disk encryption program) significantly circumvents the boundaries of Software PRNG by prompting the user to aimlessly move the mouse around the screen and to type any keys in the keyboard in the meanwhile during key generation. This well-recognized Open Source Software highlights the importance of secure PRNGs.
[See Official Documentation]


This pretty much emulates TRNG to considerable degree of cryptographic security.

Crypto Defense Ransomware does not meet this security criteria; not only because its deterministic PRNG is predictable, but rather because it generates a text file ("HOW_DECRYPT.TXT") shortly after it encrypts the first directory it finds during execution. This file's time stamp betrays fundamental information that potentially exposes the key generation phase to timing attacks that can be executed within a computationally reasonable amount of time. (Outdated)

It's important to note that this project does not seek to attack the (yet) undisputed mathematical strength of the RSA-2048 algorithm, instead it exploits its PRNG with essential seed parameters that are known in order to reduce the key-space in which the brute-force software will operate to manageable calculable levels.(Under development)

Testing the Malware (Timing)
* Where does the Key Generation take place?

1. 11:27:25 (00 seconds)
The precise execution time, which is often found in the following registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist]
2. 11:27:45 (20 seconds)
First TCP connection to the Control Server is retrieved via a TCP/IP Sniffer
3. 11:27:48 (23 seconds)
Locally generated Private Key is SENT. (Again: TCP/IP Sniffer)
4. 11:27:51 (26 seconds)
First HOW_DECRYPT file is created.


Maximum Time Range (from 1 to 4): 
26 seconds (26,000 milliseconds)

Removing File Timestamp date (leaves 3-4)
(HOW_DECRYPT can't logically exist without the keys)
Reduces the workload by 3 seconds = (3,000 microseconds)

Note: This test was thoroughly run inside a Virtual Computer on Windows 7 64-bits edition. The Host computer's CPU is an Intel i7-4770. Thus the aforementioned procedures would be executed in less time, further reducing the time space to start brute-forcing. 


RSA-2048 benchmarks from http://bench.cr.yp.to/
(Click to enlarge)

And based on these benchmarks, it takes a Intel(R) Core(TM) i7-2637M CPU 9.98 seconds to generate a key.


Doing 1024 bit private rsa's for 10s: 39652 1024 bit private RSA's in 9.98s
Doing 1024 bit public rsa's for 10s: 607674 1024 bit public RSA's in 9.98s
Doing 2048 bit private rsa's for 10s: 5544 2048 bit private RSA's in 9.98s
Doing 2048 bit public rsa's for 10s: 179596 2048 bit public RSA's in 9.98s


These two sites will give you an rough idea about how long your CPU would need to generate RSA-2048 keys. I said 'rough' mainly because interpreted languages runs slower than machine code: 
1. http://ats.oka.nu/titaniumcore/js/crypto/RSA.sample1.html  
2. http://travistidwell.com/jsencrypt/demo/


Based on these time measurements, it all indicates that the keys are generated before the second connection with the control server is established [11:27:45]. Otherwise the timelines would illogically overlap onto each other.
Now we can rule out the two last stages. This by itself reduces our brute-force framework by at least 6 seconds (6,000 milliseconds) leaving just 20 seconds work for the cracker. 

This is good news, because between stage 2 and 3, additional seeding from the server might have potentially occurred, thwarting our efforts to brute-force the key within manageable levels. (Uploading .RAW TCP/IP data soon). 


Additionally, we only need to generate the public key given the mechanics of this cracker. Not only does it generate faster (on some processors), it also serves the purpose of encrypting original file samples whose results will be later compared with the encrypted sample. 


Fortunately, this was just a challenge response authentication. Further Replay Attacks will confirm this information.

To generate the Private and Public Keys Pair, it takes 10 seconds each. 
(On Intel(R) Core(TM) i7-2637M).



Way to go!

Now, let's set up the CryptoDefense Cracker execution flow and let's check the requirements to start cracking the PRNG seeds:

Parameters needed

1. Oldest HOW_DECRYPT time stamp.
Can be found by searching HOW_DECRYPT in the entire system and them sorting the results by Date. 
2. A small file that was never encrypted. The smaller, the faster it will go through the cracker.
One can easily find them inside any ZIP or .RAR file that was uncompressed into a folder, leaving the compressed backup intact.
3. The encrypted file version (point 2).
This file is required to compare the previous encrypted file with the output. Once the CryptoDefense Cracker finds a match: KEY FOUND!

Hardware needed:

Now, this is where it all becomes hard though not impossible.  Using the Intel  i7-2637M, we can calculate one key every 10 seconds (Remember we only need to generate the public key). This multiplies per millisecond (10,000). Which results in 100,000 seconds, i.e: 1666 minutes or 27 hours.


That is 166 minutes and roughly 2:45:00 

Is this over? NOT YET!

We still have to process the SAMPLE FILE with the ENCRYPTED FILE through the cracker using the generated keys and then compare the results. This is completely relative to the file size and other factors. Currently, I can not yet make time estimates though it would undoubtedly increase the amount of time needed per test.

Last but not least: The QueryPerformanceCounter API can retrieve the current time in up to microseconds and even nanoseconds resolution .If this is the case, the aforementioned estimates would multiply by 1000. That is about 2776 hours or 115 days. Those 2776 hours would multiply again by 1000 if microseconds were used:  2,766,666 hours = 115,277 days or 320 years only to generate the public key! (On one Intel(R) Core(TM) i7-2637M)

In such case, we plan to use OpenCL and CUDA in order to use GPUs (which are way faster than CPU performing parallel tasks) to further accelerate the cracking process. If it isn't fast enough, we may also add a distributed computing module, so that many computers can work together to crack a group of keys within a manageable amount of time.

Saturday, March 22, 2014

Good News (part 2)

Hey guys! After some -lot of- research and reverse-engineering, I decided to create a video which explains how to recover the private keys via a sniffer.

Mind you, in some countries (United States and the United Kingdom and some countries in the European Union), ISPs are requested by law to retain data for over a year or so. Therefore, the authorities are able to retrieve the information (metadata) you sent and received anytime, including the day you got infected. It isn't hard for them to do, but that of course implies a long judicial process. Instead of paying the crooks, try to get in touch with the police and point out the existence of this law.

I am also working on a program to to brute-force the key based on parameters found inside the victim's computer which I won't disclose right now. It appears that although the 2048 bits is certainly strong, they used a weak seeding which is quite simple and a brute-force attack can be performed within an manageable range of parameters, not from 0 to quasi-infinitum (that would take years without any known parameters). Also, I plan to use OpenCL and CUDA in order to use GPUs (which are way faster than CPU performing parallel tasks) to speed up the process. If it isn't fast enough, I may also add a distributed computing module, so that many computers can work together to crack a group of keys. I'm quite confident guys! Just give me some time!...

Friday, March 21, 2014

Good news!


ONLY FOR THOSE INFECTED WITH 'CRYPTODEFENSE' MALWARE.

I've found a weakness in the malware samples which would allow me to regenerate the private key! . Now it'd be possible to recover files without paying the crooks a penny (though it's not as easy as it sounds). I won't comment any further as I don't want to alert the cyber-crooks.

Sunday, March 16, 2014

Cryptodefense: Malware Analysis & Reverse-Engineering

I've been a computer geek for ages and here are my conclusions. I've been gathering as much information as I could during these days, and there are many variants of Ramsomware from apparently different authors. Some of them do not completely encrypt your files, except their first 512 bytes by which it's possible to decrypt with an easy-to-use tool voluntarily made by BleepingComputer programmers [Link]. There's another variant that entirely encrypts your files but, due to a failure in its design, it uses a much weaker 128 bits encryption instead which can be easily broken a standard computer in a matter of hours. [Link]

Then there's the newest, known as CryptoDefense that completely encrypts your files.

If you were unlucky enough to get in contact with the latter and if you want some more technical information about it, here's my analysis. 

1. Encrypted File Samples:



HEXCMP comes visually effective when comparing two binary files. These two encrypted files belong to two different computers that were hit by the exact same malware. As you can see, the first  !.c.r.y.p.t.e.d.!... string is the same in both files, except for the HASH-looking 32 characters string that goes after it. Is it perhaps MD5? If so, what is the purpose of using a HASH in each file? 

Note: It seems that the encrypted file data starts at address (decimal) 86

I first thought it was a checksum used to verify files' integrity after decryption until I found out the hash remains the same in every single encrypted file. The two files in the image belong to different victims but they have the same HASH in every single encrypted file. 

Coincidentally, the crooks' website that allows you to test-decrypt one file is able to tell whether the file you upload belongs to you or not.



Let's make some experimentation!

So, what happens if you upload someone else's file into the server?
Error reads: "You uploaded don't own file"

Interesting... How does their server determine whether it is your file or not? The answer seems to be in the mentioned hash string.

Now, what happens when you upload a random file? (ANY file)


Error reads: "CryptoDefense can not identify the encryption algorithm."
Error reads: "Unknown error"

How about tricking their server?

If we take a look at the crook's video on YouTube, he shows you how his own files are encrypted. This exposes something interesting...
The crook shows you an encrypted .txt file

Now, the first file (from someone else) we uploaded got rejected with "You uploaded don't own file". 

Now let's see what happens if we visit the server with '2g' ID and a corresponding HASH-looking string? Both the ID and the HASH-string are related after all, right? Let's find it out....

Here, we copy the HASH-looking data from the video...


At least I expect to get the webserver to decrypt the file, even if I end up with a corrupted file decrypted with the wrong key. Let's see...

Error reads: "Error while decrypting file"
Aha! that looks interesting. It did accept the file this time, but it seems that it knows whether decryption is right or not. Let's see now what happens if we change just ONE character from the file we recently uploaded:

Yet again the same error. It's official. The HASH string is used by the website to identify victim's ownership.


Now how does it determine whether the decryption is correct or not?

[To be continued, I am working on this. There seems to be -there must be- a checksum or something. To find it out, we need the executable files that decrypt the victim's data... ]


What is the server's (TOR'd) link again? 

It's https://rj2bocejarqnpuhm.onion.to/XXX where X is the ID of the victims. Now, if you start playing around with that ID, you will see the screen of many victims. 


Remember that the crooks uploaded a video in YouTube? 

Then he shows you his VICTIM'S ID: 2g
If you carefully watch it, you will notice that his ID is only 2 characters long (as opposed to other victims which is 3 chars long) which means his own infected machine (a Virtual Machine for sure) is one of the first ones in their database. 

If you add '?getpic' to the link, example:
https://rj2bocejarqnpuhm.onion.to/XXX?getpic, you will directly see the screenshot (after solving a CAPTCHA). Once you start playing around with screenshots, you will notice the following patterns:






Saturday, March 15, 2014

Welcome to the "Decrypt Service"

Doesn't that sound way too brandy? Like those smiling guys from -let's suppose- Big Bob's Repair Service 24 Hours you see when you crash your car in the middle of the road? They sure become handy in situations like this, but Damn! Big Bob's guys did not destroy your car in the first place! That's like stabbing you in the neck and later offer you a medical service. WHAT?!

Anyway... The Decrypt Service is the server, the webpage that will provide you with the program you need to decrypt your files back to their original form (after payment). This server is hidden behind Onion.to, which means it's horrendously difficult to trace. Maybe their server is in Russia, China or even your at your neighbor's. One can't really tell because Onion.to creates a chain of randomly chosen computers as a path to the final server. This chain-route can go from Miami to Russia, then to Australia, then back to Miami and then finally to the crook's server.

The Onion.to address they use (at least one of them) is: https://rj2bocejarqnpuhm.onion.to/*** where three dumb alphanumeric characters are used to identify the victims.  When you visit that link, this is what you see:



So, you fill the blanks with the code in the image (CAPTCHA) and proceed to the REPAIR.. oh, sorry DECRYPT SERVICE... Thanks God!




So, what if you don't really believe in this site? What if that page content is FAKE and not about your computer? Oh, well there you have "My Screen" section, in which you can see YOUR ACTUAL COMPUTER SCREEN!




Isn't that enough? Well, then there you have the Test Decrypt section where you can upload just one small file (only once) and get it decrypted in order to check the "service" works.


The crooks...under the name of Victor Yanukovich also uploaded a video to YouTube that clearly shows you this shit is 100% REAL. 



He is also gentle enough to show you step by step how to pay for his "SERVICE".


Your files got encrypted by a RANSOMWARE!

On March 14, 2014 I got infected by a ransomware, a malicious program that encrypts your files upon infection and demands a payment in order to recover your files. This particular malware called CryptoDefense creates the following files after it has encrypted all your videos, music and documents: "HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML" and "HOW_DECRYPT.URL" hence the name of this blog. 


Screenshot of files on Windows 7


The text in these files reads:


All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key. 
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a month. After that, nobody and never will be able to restore files.
In order to decrypt the files, open your personal page on the site https://*************.onion.to/**** and follow the instructions.
If https://***********.onion.to/**** is not opening, please follow the steps below: 
1. You must download and install this browser http://www.torproject.org/projects/torbrowser.html.en
  
2. After installation, run the browser and enter the address: ***************.onion/***. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files. 
IMPORTANT INFORMATION:
Your Personal PAGE: https://************m.onion.to/***Your Personal PAGE(using TorBrowser): ***********.onion/***Your Personal CODE(if you open site directly): ****

Damn!

As you probably figured out, if you have seen this on your computer, you are screwed up unless you are willing to pay the ransom they ask for (around $300 dollars) in order to receive the program that restores your files their so-called Decryption Service.
But guess what, based on many victim's reports, not all of them were lucky enough to receive it after payment. So, it's up to you to pay for your beloved data or not (personally, I wouldn't. SCREW THEM!).

Can I somehow crack/get the decryption private key without paying?

No, the computational power required to crack/brute-force a 2048 bit key in less than thousands of years is currently unavailable (and unimaginable) at least for today's technological standards. Even for those super-computers used in biomolecular research and weather forecast. However, I've found vulnerabilities in the Malware itself, not in its RSA2048 algorithm, rather in its faulty implementation. 

Just to give you an idea: Julian Assange (Wikileaks founder and author) encrypted a 21% of that mega-archi-controversial Wikileaks file with a comparatively small AES 256 bits key as an insurance. Insurance? you may wonder. Yes! If something bad were about to happen to him, a handful of his friends who possess the key would publish it and then all those who downloaded the Wikileaks file would finally be able to read beyond the 79% of it. Crazy uh? And it's just 256 bits...

In short: Without the key, you cannot restore your files in this life. Period. 

What about you? What can you do?

First and foremost, update your antivirus and scan your entire system in the search of this malware. If you have no anti-virus or if nothing was found, then download this removal tool from Bit-Defender HERE. At least it will prevent future attacks by this malware.

Hold on a second: Good news!

Use the Cloud! (Dropbox for example)

Upload your pictures, videos and music to a safe storage on the net. These services are run and managed by professionals 24/7. 

Burn DVDs and Bluerays

Regularly back-up your files on these disks. Once they safely land on their surface, no virus in the world can damage them.