Cryptolocker malware (Trojan.Cryptolocker) was considered a success by cybercriminals. But everything indicates that they are not stopping there. Malware developers have turned their attention to building new ransomcrypt malware, and the sophisticated CryptoDefense (Trojan.Cryptodefense) is one such malicious program.
CryptoDefense appeared at the end of February 2014, and since then Symantec's telemetry shows that the company's software has blocked over 11,000 unique CryptoDefense infections. Using the Bitcoin addresses provided by the malware's creators for ransom payment and looking at the publicly available Bitcoin blockchain information, the company estimates that this malicious software has earned cybercriminals more than 34,000 dollars in just one month (depending on the value of Bitcoin at the time of writing).
"Imitation is not only the most sincere form of flattery but also the most sincere form of learning" - George Bernard Shaw.
CryptoDefense, in essence, is an advanced hybrid design that incorporates a number of effective techniques previously used by other malware developers to extract money from victims. These techniques include the use of Tor and Bitcoin for anonymity, file encryption using strong RSA 2048 encryption, and the use of pressure tactics such as the threat of a higher price if the ransom is not paid within a short time.

Symantec has observed that CryptoDefense arrives via e-mail. If someone makes the mistake of opening the attached file (usually a .PDF), CryptoDefense is installed on their computer and immediately attempts to communicate with one of the following remote domains. Once the remote site responds, the malware begins encryption and sends the private key back to the server. Once the remote server confirms receipt of the private decryption key, the malware sends a screenshot of the infected computer's desktop to the attacker.

Once it has encrypted the victim's files, CryptoDefense creates the following files in every folder that contains encrypted files:

HOW_DECRYPT.TXT
HOW_DECRYPT.HTML
HOW_DECRYPT.URL

The malware authors use the Tor network for ransom payment. If the victim is not familiar with the Tor network, they provide further instructions on how to download a Tor browser and how to type in the unique Tor address to reach the payment website. Using the Tor network hides the website's location and provides anonymity to the attacker. Once the user opens the unique personal payment page and "deposits" the ransom, they receive the unique decryption key.

It is worth noting that the ransom demanded by the malware developers is around 500 dollars and must be paid within four days, or the price is doubled. The cybercriminals' use of this time-pressure tactic gives victims less time to react.
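The three ransom-note file names above are a cheap host-side indicator: a folder that holds encrypted files also holds at least one of them. The script below is an added example, not code from the article or from Symantec; it walks a directory tree, reports every folder containing one of those names, and builds a small constructed sample tree in a temporary directory so it can be run offline. Matching is case-insensitive because Windows file systems are.

```python
"""Added example: hunt for CryptoDefense-style ransom notes in a directory tree.
The note file names are taken from the article; the sample folder layout built
by build_sample_tree() is constructed here purely for demonstration."""
import os
import tempfile
from pathlib import Path

# Ransom-note names the article attributes to CryptoDefense (upper-cased for matching)
RANSOM_NOTE_NAMES = {"HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL"}


def find_ransom_notes(root):
    """Return {folder_path: [note names found]} for every folder under root
    that contains at least one ransom note. Case-insensitive on the file name."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        found = sorted(f for f in filenames if f.upper() in RANSOM_NOTE_NAMES)
        if found:
            hits[dirpath] = found
    return hits


def build_sample_tree(base):
    """Constructed demo data: one folder with all three notes, one folder with
    a single lower-case note next to a user file, and one clean folder."""
    base = Path(base)
    docs = base / "Documents"
    pics = base / "Pictures" / "2014"
    clean = base / "Program Files"
    for d in (docs, pics, clean):
        d.mkdir(parents=True, exist_ok=True)
    for name in ("HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL"):
        (docs / name).write_text("constructed sample ransom note\n")
    (pics / "how_decrypt.txt").write_text("constructed sample ransom note\n")
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8constructed-bytes")
    (clean / "readme.txt").write_text("nothing to see here\n")
    return base


def run_demo():
    """Build the sample tree in a temp directory, scan it, and return the hits
    keyed by path relative to the scan root (POSIX separators for portability)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        raw = find_ransom_notes(root)
        return {
            Path(folder).relative_to(root).as_posix(): names
            for folder, names in raw.items()
        }


def affected_folder_count(hits):
    """Number of folders flagged; a quick triage figure for an incident ticket."""
    return len(hits)


if __name__ == "__main__":
    results = run_demo()
    for folder, names in sorted(results.items()):
        print(f"{folder}: {', '.join(names)}")
    print(f"{affected_folder_count(results)} folder(s) contain ransom notes")
```

In a real response the scan root would be a mounted image or the live volume, and the presence of a note in a folder is the cue to treat that folder's other files as encrypted and to preserve, rather than delete, the note files as evidence.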