CryptoLocker (Trojan.Cryptolocker) was a success by the standards of online criminals, and everything indicates that they have not stopped there: malware developers have turned their attention to writing new ransomcrypt (file-encrypting ransomware) families. The sophisticated CryptoDefense (Trojan.Cryptodefense) is one such piece of malware.
CryptoDefense appeared at the end of February 2014, and Symantec's telemetry shows that the company's software has since blocked over 11,000 unique CryptoDefense infections. Using the Bitcoin addresses that the malware's creators supply for paying the ransom, together with the publicly available blockchain records, the company estimates that the malware earned cybercriminals more than $34,000 in a single month (at the Bitcoin exchange rate at the time of writing).
"Imitation is not only the most sincere form of flattery but also the most sincere form of learning" - George Bernard Shaw.
CryptoDefense is, in essence, an advanced hybrid: it combines a number of techniques that other malware authors had already used effectively to extract money from victims. These include Tor and Bitcoin for anonymity, file encryption with 2048-bit RSA, and pressure tactics such as the threat of a higher ransom if payment is not made within a short deadline. Symantec has observed CryptoDefense arriving by e-mail. If the recipient makes the mistake of opening the attachment (usually a .PDF file), CryptoDefense is installed on the computer and immediately attempts to contact one of several remote domains (the list is not reproduced here).
As soon as the remote site responds, the malware starts encrypting and sends the private key back to the server. Once the server confirms receipt of the private decryption key, the malware uploads a screenshot of the infected computer's desktop to the attacker. Having encrypted the victim's files, CryptoDefense creates three files in every folder that contains encrypted files: HOW_DECRYPT.TXT, HOW_DECRYPT.HTML and HOW_DECRYPT.URL. For victims unfamiliar with the Tor network, these give instructions on downloading the Tor browser and entering a unique Tor address to reach the payment site. Hosting the site on Tor hides its location and gives the attacker anonymity. Once the victim opens their personal payment page and "deposits" the ransom, they receive the unique decryption key. The ransom demanded is around $500 and must be paid within four days, after which the price doubles; this time pressure leaves victims less room to react.
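A practical consequence of the per-folder ransom notes is that they are a cheap indicator of compromise on a suspect machine: a sweep for those three file names locates every folder the malware touched, and the remaining files in those folders are the ones to treat as encrypted until proven otherwise. The Python script below is an added example written for this page, not code from Symantec or from the malware itself; the directory layout it builds is constructed sample data, and the function and variable names are the author's own.

```python
"""Sweep a directory tree for CryptoDefense-style ransom notes (added example)."""
import os
import tempfile

# Ransom-note file names the text says CryptoDefense drops in every folder it
# encrypts. Matching is case-insensitive so a renamed or lower-cased copy is
# still caught.
RANSOM_NOTES = {"HOW_DECRYPT.TXT", "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL"}


def notes_in(filenames):
    """Return the ransom-note names present in a list of file names."""
    return {name for name in filenames if name.upper() in RANSOM_NOTES}


def find_ransom_note_dirs(root):
    """Walk `root` and return {relative_dir: (notes_found, other_files)} for
    every directory holding at least one ransom note. `other_files` are the
    non-note files in that directory, i.e. the ones most likely encrypted."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        notes = notes_in(filenames)
        if notes:
            rel = os.path.relpath(dirpath, root)
            others = sorted(f for f in filenames if f.upper() not in RANSOM_NOTES)
            hits[rel] = (sorted(notes), others)
    return hits


def build_sample_tree(base):
    """Create a constructed (fake) victim profile under `base`: two folders with
    notes, one sub-folder with a lower-cased note, and one untouched folder."""
    layout = {
        "Documents": ["report.docx", "HOW_DECRYPT.TXT",
                      "HOW_DECRYPT.HTML", "HOW_DECRYPT.URL"],
        os.path.join("Documents", "Invoices"): ["inv-001.pdf", "how_decrypt.txt"],
        "Pictures": ["holiday.jpg"],          # no note: not touched
        "Downloads": ["setup.exe", "HOW_DECRYPT.HTML"],
    }
    for rel, files in layout.items():
        folder = os.path.join(base, rel)
        os.makedirs(folder, exist_ok=True)
        for name in files:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("constructed sample content\n")


def demo():
    """Build the sample tree in a temp directory and sweep it."""
    base = tempfile.mkdtemp(prefix="cryptodefense-sweep-")
    build_sample_tree(base)
    return find_ransom_note_dirs(base)


if __name__ == "__main__":
    for rel, (notes, others) in sorted(demo().items()):
        print(f"{rel}: notes={notes} likely-encrypted={others}")
```

On a real system you would point `find_ransom_note_dirs` at the mounted image or user profile rather than at the constructed tree; the untouched `Pictures` folder is there to show that only folders carrying a note are reported.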