Dumb Ransomware Developer leaves Decryption Keys on Infected Computers
So, how do hackers compromise a website? Simply by exploiting its flaws, that is, by taking advantage of errors in the developers’ code. This time, though, the hackers themselves have left a crucial flaw in their malware code, one that can be exploited to help save our computer systems.
Believe me, it’s not an April Fools’ joke! A malicious software program that holds the victims’ computer files hostage by wrapping them with strong encryption until the victim pays a ransom fee to get them decrypted has a critical flaw in its own code: it leaves the decryption key on the victim’s computer.
The anti-virus firm Symantec examined a sophisticated malware program dubbed CryptoDefense (Trojan.Cryptodefense), a ransomware family that appeared at the end of last month.
CryptoDefense is a complex piece of malware that combines a number of effective techniques, including the use of the Tor anonymity network and the Bitcoin digital currency, to extort money from victims. CryptoDefense uses Microsoft’s infrastructure and the Windows API to generate the encryption and decryption keys, the antivirus firm wrote on its blog.
CryptoDefense encrypts files using public-key cryptography, strong RSA 2048 encryption, to ensure the files are held to ransom, and transmits the private key in plain text back to the attacker’s server, so that once the victim pays the ransom the attacker can release the private key to decrypt the files.
So once the files have been encrypted, victims cannot decrypt them without access to the private key. But here the attackers stumbled: CryptoDefense’s developer failed to realize that the private key is also left behind, concealed on the user’s computer in a folder within the application data.
“Due to the attacker’s poor implementation of the cryptographic functionality they have, quite literally, left their hostages a key to escape,” Symantec wrote.
Despite the malware developer’s dumb mistake, it is not certain that users will be left untouched, because some technical skill is required to figure out the decryption keys.
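As an added example (not code from the article or from Symantec), the following PowerShell snippet gives a responder a starting point for that technical work: it lists the CryptoAPI RSA key containers persisted in the current user’s profile, newest first. It assumes the Windows default key-store location %APPDATA%\Microsoft\Crypto\RSA\<user SID>, which the article itself does not name, and a look-back window that should be adjusted to the suspected infection time.

```powershell
# Added example: enumerate per-user CryptoAPI RSA key containers created
# within a look-back window, so a key written around the time of infection
# stands out. Assumption: Windows stores these containers under
# %APPDATA%\Microsoft\Crypto\RSA\<user SID>\ (not stated in the article).
param(
    [datetime]$Since = (Get-Date).AddDays(-7)   # adjust to the infection time
)

# Resolve the current user's SID, which names the per-user key-store folder.
$sid      = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyStore = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"

if (-not (Test-Path -Path $keyStore)) {
    Write-Warning "No CryptoAPI key store found at $keyStore"
    return
}

# Key container files are hidden/system files, so -Force is required to see them.
Get-ChildItem -Path $keyStore -File -Force |
    Where-Object { $_.CreationTime -ge $Since } |
    Sort-Object CreationTime -Descending |
    Select-Object Name, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize
```

Copy the whole folder to read-only storage before any recovery attempt; the container files are protected with DPAPI for that user account, so they are only usable from the same user’s context.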
CryptoDefense is sent out via spam emails, or masquerades as a PDF file, and once installed on the system it attempts to communicate with one of four domains and uploads a profile of the infected machine, the firm wrote.
The cyber criminals demand either $500 or €500, to be paid within four days; if the victim doesn't pay the ransom in the given time frame, the ransom doubles.
According to the firm, the cybercriminals are estimated to have received more than $34,000 worth of Bitcoin in just one month, which shows the effectiveness of their scam.
Symantec said it has blocked 11,000 unique CryptoDefense infections in more than 100 countries, with the majority of the infection attempts observed in the U.S., followed by the U.K., Canada, Australia, Japan, India, Italy and the Netherlands.