Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

CryptoDefense Ransomware Support and Help Topic - HOW_DECRYPT.txt


  • Please log in to reply
303 replies to this topic

#1 Fyrebaugh

Fyrebaugh

  •  Avatar image
  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Oklahoma
  • Local time:03:28 AM

Posted 18 March 2014 - 12:40 PM

We have put up a FAQ/Guide on CryptoDefense. It can be found here:

CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ


-BleepingComputer.com Staff

 

I have a user that two weeks ago got caught with the CryptoLocker virus.  I removed it by editing the registry and tracking down the file it ran, then running Malwarebytes, Spybot, ComboFix, etc, and installed a crypto(B)locker program plus turning on Volume shadow service and starting it automatically.
 
Today they called me back saying that they were re-infected, I get here and it is not the same one, this did not replace the desktop image, references a different tor site, and has a code to get to the tor site.  Calls itself CryptoDefense, Pops up a text box stating what to do and since we have it disconnected from the network states that it cannot get to the decrypt site.  Has anyone heard of this?
 
I ran the BDAntiCryptoLocker_Release.exe program from Bit Defender and it did not find anything today either.  Trying to remove the virus before copying any files off of the computer, it did not seem to affect access databases, but did get .doc, .xls, .bmp, etc...  On both the local machine and one mapped drive that is required at this time by another computer.  The crypto(B)locker program was installed on the machine with the network share as well.
 
Sincerely,
 
Fyrebaugh

BC AdBot (Login to Remove)

 


#2 coolmarve

coolmarve

  •  Avatar image
  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:28 AM

Posted 18 March 2014 - 12:43 PM

New variant? Seems like a hybrid cryptolocker....

 

It is called CryptoDefense and it seems/acts just like CryptorBit except it looks like its fully encrypting the files.

 

I had a client that it hit their backup server share and encrypted all of their shadowprotect image backups so I had to pay the ransom.

 

Here is a link to an encrypted txt file and an unencrypted text file in a zip:

http://stevewooton.com/crypto/CryptoDefense.zip

 

 

Here is the HOW_DECRYPT.txt it is saving in every folder with my personal link XXX'd out.

 

All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet;
the server will destroy the key after a month. After that, nobody and never will be able to restore files.

In order to decrypt the files, open your personal page on the site https://rj2bocejarqnpuhm.onion.to/XXX and follow the instructions.

If https://rj2bocejarqnpuhm.onion.to/XXX is not opening, please follow the steps below:

1. You must download and install this browser http://www.torproject.org/projects/torbrowser.html.en
2. After installation, run the browser and enter the address: rj2bocejarqnpuhm.onion/XXX
3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.

IMPORTANT INFORMATION:

Your Personal PAGE: https://rj2bocejarqnpuhm.onion.to/XXX
Your Personal PAGE(using TorBrowser): rj2bocejarqnpuhm.onion/XXX
Your Personal CODE(if you open site directly): XXX

 

Here are a couple screenshots:

CryptoDefense.PNG

 

CryptoDefense2.PNG


Edited by coolmarve, 18 March 2014 - 12:51 PM.


#3 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 62,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:28 AM

Posted 18 March 2014 - 03:10 PM

New variant? Seems like a hybrid cryptolocker....
 
It is called CryptoDefense and it seems/acts just like CryptorBit except it looks like its fully encrypting the files...HOW_DECRYPT.txt it is saving in every folder

Yes, CryptorBit creates a HowDecrypt.txt file and a HowDecrypt.gif in every folder that a file was encrypted.

A repository of all current knowledge regarding CryptorBit and HowDecrypt is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptorBit and HowDecrypt Information Guide and FAQ

There is also a lengthy ongoing discussion in this topic: HowDecrypt or CryptorBit Encrypting Ransomware - $500 USD Ransom Topic. Since this infection is so widespread, rather than have everyone start individual topics, it would be best (and more manageable for staff) if you reposted this information in that topic discussion.

Thanks
The BC Staff

Edit: I see you already reposted here.

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#4 Fyrebaugh

Fyrebaugh
  • Topic Starter

  •  Avatar image
  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Central Oklahoma
  • Local time:03:28 AM

Posted 18 March 2014 - 03:39 PM

Updates:

 

Malwarebytes found one infection after the problem was reported:

     Trojan.Agent Registry Value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|Regedit32     Value: Run|Regedit32"

 

But I was editing the registry at the time and I was in that postion in the registry. I had not yet deleted anything but I was looking at two entries

 

fupygryqukyb     C:\Documents and Settings\<user>\fupygryqukyp.exe

yryno                  C:\Documents and Settings\<user>\Application Data\Tena\yryno.exe

 

yryno.exe would not delete, gave "Access Denied" each time I tried.  When I tried Attrib from a command window, it would fail to remove any settings.

Had to use Unlocker to delete the file even though it found no "triggers" on the file.

 

Puts HOW_DECRYPT.HTML, HOW_DECRYPT.TXT and a shortcut to HOW_DECRYPT.HTML in every folder it has access to.



#5 coolmarve

coolmarve

  •  Avatar image
  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:28 AM

Posted 18 March 2014 - 03:45 PM

 

New variant? Seems like a hybrid cryptolocker....
 
It is called CryptoDefense and it seems/acts just like CryptorBit except it looks like its fully encrypting the files...HOW_DECRYPT.txt it is saving in every folder

Yes, CryptorBit creates a HowDecrypt.txt file and a HowDecrypt.gif in every folder that a file was encrypted.

A repository of all current knowledge regarding CryptorBit and HowDecrypt is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptorBit and HowDecrypt Information Guide and FAQ

There is also a lengthy ongoing discussion in this topic: HowDecrypt or CryptorBit Encrypting Ransomware - $500 USD Ransom Topic. Since this infection is so widespread, rather than have everyone start individual topics, it would be best (and more manageable for staff) if you reposted this information in that topic discussion.

Thanks
The BC Staff

Edit: I see you already reposted here.

 

 

Gotcha I posted it there. I am not totally sure if this is a variant of that or cryptolocker. Almost looks like a combination of the two or a new threat all together.



#6 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 62,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:28 AM

Posted 18 March 2014 - 03:56 PM

As more information and details come to light we eventually will know for sure. That topic already has a lot of exposure so the info will get out much faster and to a larger audience.

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#7 coolmarve

coolmarve

  •  Avatar image
  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:28 AM

Posted 18 March 2014 - 05:52 PM

As more information and details come to light we eventually will know for sure. That topic already has a lot of exposure so the info will get out much faster and to a larger audience.

according to several sources this looks like a completely new ransomware not by the makers of cryptolocker or cryptorbit.

 

I will be pulling a ton of info off the source PC tomorrow and posting it up for anyone that is interested. For now I don't have much from the source PC because I had my client unplug it the second I found out where the source of the encrypting was.



#8 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 62,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:28 AM

Posted 18 March 2014 - 06:30 PM

Ok. Thanks for the update.

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#9 Sonnyk88

Sonnyk88

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 18 March 2014 - 06:34 PM

Hello, guys! I'm new to this forum and I've also been hit by this ransomware. I couldn't believe it. I've done extensive research into this topic and there are a few things to consider. I even wrote a blog with my discoveries but there are many details that I omitted so that I won't warn the crooks to possibly update it.

 

1. Older  variants of Cryptolocker or Bitcrypt create files named "Howdecrypt". This one in particular creates three files named "HOW_DECRYPT" with .txt, -html and .url entensions. (In most -if not all- folders).

2. This one doesn't change the background nor does it show its GUI (That one you see everywhere when you search 'Cryptolocker')

3. This makes exclusive use of https://rj2bocejarqnpuhm.onion.to/ to contact the server. As I couldn't find it on Google until now, I figured out it was new.

4. The crook was even 'gentle' enough to upload a video in Youtube showing you step-by-step how the malware works and to make a payment.

5. Compared to all the previous ransomware I read about (which also make use of onion.to), this one has the 'nicest' GUI around.

6. Contrary to previous variants, this one takes a screenshot of the victims and uploads it to that server.

 

I consider my files lost because I am NOT paying the ransom. If anyone has the executables, please let me know. I have done a lot of research on my own, which I would only share privately in an attempt to avoid warning the creators about their mistakes. I have a blog in which I documented what happened to me. Just imagine how p*ssed off I was... I hope we could do something!

 

If someone has some Malware samples, please let me know. I need to make my further research. Unfortunately, I removed it by mistake with another Antivirus (Avast! Free never detected it btw). 


Edited by Sonnyk88, 18 March 2014 - 06:43 PM.


#10 Sonnyk88

Sonnyk88

  •  Avatar image
  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 19 March 2014 - 05:07 AM

Hello again, this is my personal blog in which I explain every single detail I found about this malware. http://howdecrypt.blogspot.com

 

Also, thanks coormarve! The samples your provided were quite useful!

 

Please help me fight these crooks!



#11 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 62,063 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:28 AM

Posted 19 March 2014 - 06:30 AM

I have cleaned up and merged Fyrebaugh's topic into this one.

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#12 Grinler

Grinler

    Lawrence Abrams


  •  Avatar image
  • Admin
  • 45,113 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:28 AM

Posted 19 March 2014 - 11:32 AM

Been doing a lot of research today on this with DecrypterFixer. Will post a summary topic and FAQ on it soon.

If anyone has any virus samples please submit them here:

http://www.bleepingcomputer.com/submit-malware.php?channel=166

#13 coolmarve

coolmarve

  •  Avatar image
  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:28 AM

Posted 19 March 2014 - 04:55 PM

Been doing a lot of research today on this with DecrypterFixer. Will post a summary topic and FAQ on it soon.

If anyone has any virus samples please submit them here:

http://www.bleepingcomputer.com/submit-malware.php?channel=166

 

check your pm

 

also I edit'ed my initial post with an infection sample



#14 Grinler

Grinler

    Lawrence Abrams


  •  Avatar image
  • Admin
  • 45,113 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:28 AM

Posted 19 March 2014 - 07:42 PM

There is a FAQ/Guide to this infection up now. It can be found here:

CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

#15 Quads

Quads

  •  Avatar image
  • Members
  • 86 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CHCH New Zealand
  • Local time:08:28 PM

Posted 19 March 2014 - 09:31 PM

Hmmmm  I don't have a copy of the decrypter.exe, but a thought if lucky,   Is the decrypter system swap-able??  ( transfer from one infected system to another system that is infected, run and decrypt those personal files also,) 

 

may have to tell the decrpter where the files are located..

 

 

I did say if lucky.

 

Quads






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users