Sunday, December 14, 2014

Getting your files (and your money) back!

I hate to admit it, but paying the ransom is the fastest and easiest way to escape. I do not recommend paying the ransom, but if your files are extremely important to you, here's my advice. Take it or leave it.

I know it sucks to pay the ransom. I understand $500 is a lot of cash for some people, especially for those who live in developing countries. But here's the thing: Bitcoin volatility is really high. Although nobody truly knows if its price is going to go up, down, sideways or in flying circles, bitcoins become more scarce over time by design. As a deflationary currency, its value tends to go up in the long run. I would therefore recommend buying a higher amount of bitcoin than what the crooks request. With the remaining amount, you can recover your money in the long run, either by selling your BTC or by using it to buy products you are interested in.

LocalBitcoin is a great website where you can buy BTC in your country. Many estimate that the BTC price will increase in the first quarters of 2015, so it's actually a good bet to buy double what the crooks request, pay the ransom, and then wait until the BTC price rises once again. You can quickly sell your BTC on this website as well.

Also, the good news is that it might be your entry to the Bitcoin market. So you may take advantage of it as well...

Wednesday, June 11, 2014

Update: CryptoDefense rebranded to CryptoWall

After the fortune they reaped with CryptoDefense, the crooks not only bought more computers from a botnet. They also rebranded it 'CryptoWall' and made considerable changes to its website:

+ Multilanguage Support
+ Slight color changes in their website. Now it looks nicer, I confess.
+ Support (You can message them in case you need help)

- Their English sucks, so I haven't noticed any improvement in this area.

* Ransomware notes are now named:
  • DECRYPT_INSTRUCTION.txt
  • DECRYPT_INSTRUCTION.html
  • DECRYPT_INSTRUCTION.url

What does it mean to 'buy computers'?

Most computers that were hit by this nasty ransomware had been previously infected by a botnet. A botnet is a network of infected computers that can be spied on and controlled by their masters (those who own the botnet network).

These computer programs are usually used to gather users' home-banking credentials and to perform DDoS attacks on websites, etc. (Yes, you can pay these crooks to bring down your competition's website.)

One of their businesses consists of selling a certain number of infected computers so that the buyers can install whatever they want on them. In this case: CryptoDefense/CryptoWall. It's not a big issue for them to sell these computers because most of them are not used for home banking anyway, so they remain rather useless. Now, thanks to ransomware, they no longer have to wait until they get a bank account. They just encrypt their files and get paid via Bitcoin.

Is there a chance to get my files without payment?

Maybe, I can't tell. The reason why the first 'lucky' victims that were hit by the earliest version of CryptoDefense could recover their files was that this earliest version had a faulty implementation of CryptoAPI (needed to encrypt your files).

If someone gets access to their hidden servers, which provide the decryption tool and verify the payments, all keys might be released.

Will they go to jail?

I very much hope so. The CryptoLocker author has been identified and charges were pressed against him. CryptoLocker is way smarter than this kiddo ransomware and the author still got caught. So, let's just be patient.

Is this information useful to you? Write me an email or consider a small donation. Any amount will be greatly appreciated!

If you have the virus samples, you can send them (place them inside a .zip / .rar file and use 'infected' as the password).

Sunday, April 13, 2014

It's been awhile

I am glad to announce that we were featured in PCWorld, one of the greatest computer magazines in the world.

My old computer screen is dead, and I am using my phone to reply to emails and update this blog. That's why I can't always reply quickly and why I ask for donations. Anyway...

CryptoLocker and CryptoDefense have proven to be a highly profitable business wrapped around the anonymity of cryptocurrencies and the TOR network. You can expect more of this resurgent type of malware to sweep the Internet and spread like wildfire and, as you read this article, someone is writing the next cryptovirus that will enter the scene tomorrow; and I am not joking. The only fireproof measure against these nasty threats is backup using non-rewritable media such as DVD-Rs and Blu-ray discs. Cloud storage such as Dropbox seemed safe at first glance, but victims also reported that they lost their files there.

To make matters even worse, some victims also reported being hit by two cryptoviruses. This means that they had to pay twice to get their files back. Can you imagine what will happen when more of these viruses emerge in the near future? Go figure...

There is very little antivirus software can do once your files have been encrypted, simply because removing the malware will not return your data to its original form unless you have the key. So, better safe than sorry: back up your files.

I'll update this blog soon... Stay tuned!

Thursday, April 3, 2014

CryptoDefense Updated!

Since Symantec reported that the keys are stored on your hard drive, the CryptoDefense authors updated their malware: keys are no longer stored.

Therefore, if you were hit by this malware after March 31, chances are that the only way out is to pay the ransom.

Are you going to let the crooks get away with it? I hope not! Sign the petition to get the NSA and the governments to do something about it.

THESE CROOKS MUST BE PROSECUTED AND GET JAILED!

SIGN THE PETITION

Share that link on Facebook and Twitter. The more people sign, the faster they will respond.

Friday, March 28, 2014

You infected the wrong fool!

Yeah, I recovered all my files. ALL of them, EACH AND EVERY one, without paying a PENNY. If that wasn't enough, we are also helping victims to recover their files without payment.

Dear CryptoDefense authors, if you are reading this: SCREW YOU. Your awful script kiddie skills led our team of true experts to THWART your evil plans, even though you used state-of-the-art RSA encryption. What a bunch of fools! That's like losing a football match with Lionel Messi, Cristiano Ronaldo and Xavi on your team.

The next step is to report all your domain names (which you lamely use to infect more and more victims).

Now, if you are a victim, feel free to write us at howdecrypt@gmail.com
Tuesday, March 25, 2014

CryptoDefense: Key pair stored on disk!

This little detail slipped through their fingers... TOO LATE!

(I actually hid this post when I realised that it might alert the crooks. But SYMANTEC published it!)

This is the exact path where your keys are:

Windows XP
C:\Documents and Settings\<USERNAME>\Application Data\Microsoft\Crypto\RSA\S-1-5-2...
Windows 7
X:\Users\<USERNAME>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21...
(X stands for your hard-disk letter, which is commonly C on most computers)

(Screenshot: HEXCMP highlights the differences in red, while identical bytes remain white. The TCP/IP dumped data is identical to the key found on disk.)

The private key is encrypted via DPAPI (Data Protection API). There may be many RSA key containers in that folder, but you can still find the right one by sorting the files by date. If you don't remember the date you got infected, check your screenshot on the crooks' web page or search for the oldest HOW_DECRYPT.TXT file on your system.
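As an added example (not the blog's own tooling), the following Python script automates the "sort the key containers by date" triage just described: it takes the oldest ransom note on the system as the infection anchor and lists the RSA key-container files written within a day of it. The profile layout, file names and timestamps are constructed for the demo; on a real machine you would point it at the profile root and the RSA folder given above.

```python
import os
import tempfile
import time

# Ransom note file names mentioned in this blog (CryptoDefense / CryptoWall).
NOTE_NAMES = {"HOW_DECRYPT.TXT", "DECRYPT_INSTRUCTION.TXT"}

def earliest_note_time(root):
    """Oldest modification time of any ransom note under root, or None."""
    times = [os.path.getmtime(os.path.join(d, f))
             for d, _dirs, files in os.walk(root)
             for f in files if f.upper() in NOTE_NAMES]
    return min(times) if times else None

def key_containers_near(rsa_dir, anchor, window_hours=24):
    """Files in the RSA container folder written within +/- window of anchor, oldest first."""
    window = window_hours * 3600
    hits = []
    for name in os.listdir(rsa_dir):
        path = os.path.join(rsa_dir, name)
        if os.path.isfile(path) and abs(os.path.getmtime(path) - anchor) <= window:
            hits.append((os.path.getmtime(path), name))
    return [name for _mtime, name in sorted(hits)]

def triage(root, rsa_dir):
    """Candidate key containers: those written around the first ransom note."""
    anchor = earliest_note_time(root)
    return [] if anchor is None else key_containers_near(rsa_dir, anchor)

def build_sample_tree():
    """Constructed stand-in for a Windows 7 profile (fake files, fake mtimes)."""
    root = tempfile.mkdtemp(prefix="cryptodefense_demo_")
    rsa = os.path.join(root, "AppData", "Roaming", "Microsoft", "Crypto", "RSA", "S-1-5-21-EXAMPLE")
    docs = os.path.join(root, "Documents")
    for d in (rsa, docs):
        os.makedirs(d)
    infection = time.time() - 3 * 86400          # pretend the hit was three days ago
    def touch(path, when):
        open(path, "w").close()
        os.utime(path, (when, when))
    touch(os.path.join(rsa, "old_container_a"), infection - 400 * 86400)  # legit, years old
    touch(os.path.join(rsa, "old_container_b"), infection - 30 * 86400)   # legit, last month
    touch(os.path.join(rsa, "suspect_container"), infection + 60)         # written at infection
    touch(os.path.join(docs, "HOW_DECRYPT.TXT"), infection + 300)         # notes follow encryption
    touch(os.path.join(root, "DECRYPT_INSTRUCTION.txt"), infection + 900)
    return root, rsa

def demo():
    """Runs the triage on the constructed tree; returns ['suspect_container']."""
    root, rsa = build_sample_tree()
    return triage(root, rsa)
```

The container this singles out is still DPAPI-protected, so it is only useful when decrypted under the same user account on the same machine.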

I'll update this blog soon!