CryptoLocker Has A Competitor That Is Worse: CryptoDefense
As we said before, there is furious competition between cybergangs. Late February 2014 a copycat ransomware competitor to Cryptolocker was released which outdoes CryptoLocker. The malware finds text, picture, video and MS Office files and encrypts these with a strong RSA-2048 key which is practically impossible to undo. Next, it wipes out all Shadow Volume Copies. Ouch.
If an end-user opens the infected attachment, they charge 360 Euro ($U.S. 500) in bitcoin. If the four days deadline passes by, the amount goes to 720 Euro ($U.S. 1,000) but the exchange rates vary wildly.
The malware makes a screenshot of the active screen and uploads this to their Command & Control server. That screenshot appears on the payment page where the victim can upload the bitcoin payments. To reach this page you first need to install the Tor Browser as the payment page is only available via the Tor network.
If the victim does not pay within a month, the private key of the encrypted files will be deleted so that access to the encrypted files is no longer possible. As said before, they are using RSA-2048 encryption so getting the files back is practically impossible if you do not have (very) recent backups.
It appears that this infection is installed through programs that pretend to be flash updates or video players required to view an online video.
CryptoDefense allows you to pay the ransom by sending bitcoins to an address shown in the CryptoDefense Decrypt Service page. The Bitcoin addresses used by CryptoDefense to receive payments are:
You can use this link to see transactions into the wallet and out of the wallet. You can typically tell which payments to this address are from ransom victims as there will be many payments with similar amounts. More at the BleepingComputer site.
It is obvious that this again is a social engineering play and that effective security awareness training will prevent the majority of these cases. This new CryptoDefense does not seem to be a derivative of CryptoLocker as the code is different, pointing to a competing criminal gang.