Update! Ransomeware mal 4

US-Justizministerium: Angriffe durch Ransomware haben sich im vergangenen Jahr vervierfacht.

Laut dem US-Justizministerium greift die Ransomware immer weiter um sich. Angeblich werden am Tag 4.000 Computer infiziert. Das FBI schätzt derweil den durch Ransomware entstandenen Schaden auf 200 Millionen Dollar. Immerhin gibt es für manche Betroffene Hilfe.

Falls Ihr Computer in diesen Tagen beginnt, ein Windows-Update auszuführen, sollten Sie sicherheitshalber den Stecker ziehen. Denn eine der neusten Inkarnationen der Ransomware tarnt sich als Windows-Updater.

Eine Datei namens criticalupdate01.exe wird über E-Mails auf einen Rechner geschleust und bittet dann um Ausführung, um das Windows-Update durchzuführen. Wer die Ausführung gestattet, muss zusehen, wie die Ransomware Fantom die eigenen Dateien mit AES-128 und RAS verschlüsselt werden – und das Programm Bitcoins sehen will, um die Dateien wieder zu entschlüsseln.

Ransomware ist ein wenig die Plage des Internets im Jahr 2016. Sie ist die harte Art, zu lernen, dass man Anhänge von E-Mails nur öffnen sollte, wenn man den Sender wirklich kennt, und dass ein Backup von Daten kein Privatvergnügen der Paranoiden ist, sondern eine Notwendigkeit.

Quelle: https://bitcoinblog.de/2016/08/30/us-justizministerium-angriffe-durch-ransomware-haben-sich-im-vergangenen-jahr-vervierfacht/

Prevention: User OpenDNS on all your routers. DO NOT CONNECT THE MOST VITAL PARTS OF THE COMPANY TO THE INTERNET. OpenDNSAd „we wanted it that way“ – a lot of companies are completely dependant on digital services and computers in general. “wir haben es so gewollt” – viele betriebe haben sich komplett von der digitalen welt abhängig gemacht. these services can be taken as hostages. just as bankers used the „too big to fail“ argument to take the money-system as a hostage and threaten to let it fail… so the states paid. wir sind erpressbar geworden. large_CryptoDefense wenn der hacker rein kommt… und deine dateien verschlüsselt… und ein lösegeld verlang damit du wieder an deine dateien kommst… dann ist das…. perverse idiotie… nicht nur vom hacker… sondern von der menschheit als ganzes. shall we give into this shit? NO! “CryptoDefense also spreads mostly through spam email campaigns, and it also claims to use RSA with 2048 bit keys to encrypt the user’s files.” http://blog.emsisoft.com/2014/04/04/cryptodefense-the-story-of-insecure-ransomware-keys-and-self-serving-bloggers/ join the discussion, i hope the community can work out an solution to this latest computer-abuse of the most evil sort: http://blog.emsisoft.com/2014/04/04/cryptodefense-the-story-of-insecure-ransomware-keys-and-self-serving-bloggers/ someone made a good start: http://howdecrypt.blogspot.de/ skype: Sonny_k88 mail: howdecrypt@gmail.com CryptoDefense Keys Recovery_(720p) https://www.youtube.com/watch?v=1E8uQtVu5CE

Dear Fabian Please, please, please, please help me… I got infected on 12/04/2014 and your decrypt software didn’t work for me. I’m working in a company in iran and I lost all of my very important data and the company want to fine me bout 2,400 USD. I am ready to pay the author of the maleware the 500 USD but because sanctions, I can’t pay from IRAN. please help me if you can. Unfortunately i have no backup of my computer and there is no restore point available. It would be a disaster for me to be fined and leave my job. again I tel you: Please help me. there are also 4 files with different name in the key directory but I don’t know if they work or not. source: http://blog.emsisoft.com/2014/04/04/cryptodefense-the-story-of-insecure-ransomware-keys-and-self-serving-bloggers/

CryptoDefense Ransomware Worse Than CryptoLocker, Cyber Firm SaysBy: Homeland Security Today Staff

04/03/2014 (10:03am)

A new ransomware called CryptoDefense — a copycat  competitor to CryptoLocker – which was released into cyberspace in late February “is much worse than the original,” KnowBe4 CEO Stu Sjouwerman said Thursday in issuing an alert warning  computer users of the new ransomware.

CryptoDefense  targets text, picture, video, PDF and MS Office files and encrypts these with a strong RSA-2048 key which is hard to undo, KnowBe4 said, adding, “It also wipes out Shadow Copies which are used by many backup programs.

“The potential for damage is vast, generating tens of thousands per month, according to reports from Symantec,” KnowBe4 said in its announcement Thursday. “If an end-user opens the infected attachment, the ransomware encrypts its target files, and the criminals charge $500 in Bitcoin to decrypt the files. If their four-day deadline passes by, the amount goes up to $1,000. After a month, the keys are destroyed.

“There is furious competition between cybergangs,” Sjouwerman said. “They did their test-marketing in countries like the UK, Canada and Australia, and are now targeting the US. CryptoDefense doesn’t seem to be a derivative of CryptoLocker, as the code is completely different, confirming this is a competing criminal gang.”


KnowBe4 said “It appears that this infection initially was installed through programs that pretend to be flash updates or video players required to view an online video. Then it moved on to a variety of different phishing attacks that show an email with a zip file directing to ‘open the attached document’ that was supposed to have been ‘scanned and sent to you.’”

Figure1_9.png Figure 1. Malicious spam email example Network communications When first executed, CryptoDefense attempts to communicate with one of the following remote locations:

  • machetesraka.com
  • markizasamvel.com
  • armianazerbaijan.com
  • allseasonsnursery.com

“It is obvious that this is a social engineering ploy and that effective security awareness training will prevent someone from opening these infected attachments when they make it through the filters (which they regularly do),” Sjouwerman said. “Training your end-users to prevent fires like this is a must these days. Once infected, the only way to fix this relatively fast is to make sure you have a recent backup of the files which actually can be restored. Even then, it can take several hours to restore the data.”

According to KnowBe4, recent ransomware infections involved users opening an attachment with a „voice mail message“ from AT&T, but that there also are variants from other Telco companies. Users then admit to opening the attachment but saying it did nothing, however they could not open their files afterward.

This new CryptoDefense ransomware Malware has bugs too. Symantec researchers said that „Due to the attackers poor implementation of the cryptographic functionality they have, quite literally, left their hostages a key to escape.”

Editor’s note: Read KnowBe4 CEO Stu Sjouwerman’s report, “Corporate Cybersecurity Issues Aren’t Impossible to Solve,” in the current edition of Homeland Security Today.

source: http://www.hstoday.us/industry-news/general/single-article/cryptodefense-ransomware-worse-than-cryptolocker-cyber-firm-says/11d6d183a63430594b16a223e3e113f0.html

IDG News Service – A malicious software program that encrypts a person’s files until a ransom is paid has a crucial error: it leaves the decryption key on the victim’s computer.

Symantec analyzed a program called CryptoDefense, which appeared late last month. It’s one of an extensive family of malware programs that scramble a person’s files until a pricey ransom is paid, a long-running but still profitable scam. CryptoDefense uses Microsoft’s infrastructure and Windows API to generate the encryption and decryption keys, Symantec wrote on its blog. Files are encrypted by CryptoDefense using a 2048-bit RSA key. The private key needed to decrypt the content is sent back to the attacker’s server until the ransom is paid. But CryptoDefense’s developers apparently did not realize that the private key is also stashed on the user’s computer in a file folder with application data. „Due to the attacker’s poor implementation of the cryptographic functionality they have quite literally left their hostages with a key to escape,“ Symantec wrote. The decryption key may have been left under the door mat, but it’s doubtful an average user infected with CryptoDefense would have the technical skills to figure it out. CryptoDefense has been seen sent out in spam messages, masquerading as a PDF document. If a user installs it, the malware tries to communicate with four domains and uploads a profile of the infected machine, Symantec wrote. It then encrypts files, inserting an additional file in folders with encrypted ones with instructions for how to free the files. The attackers have created a „hidden“ website to receive payments using the TOR (The Onion Router) network, an anonymity tool. TOR offers users a greater degree of privacy when browsing the Internet by routing encrypted traffic between a user and a website through a network of worldwide servers. TOR can also be used to host websites on a hidden network that can only be viewed through a web browser configured to use it. The extortionists demand either US$500 or a!500 within four days. If the victim doesn’t pay in that time frame, the ransom doubles. Since the ransom is payable in bitcoin, Symantec looked at the virtual currency’s public ledger, called the blockchain, to see how many bitcoins have flowed into their coffers. The company estimated the cybercriminals received more than $34,000 worth of bitcoin in just a month, showing the effectiveness of their scam. Symantec said it has blocked 11,000 CryptoDefense infections in more than 100 countries, with the majority of those infection attempts in the U.S., followed by the U.K., Canada, Australia, Japan, India, Italy and the Netherlands. source: https://www.computerworld.com/s/article/9247348/CryptoDefense_ransomware_leaves_decryption_key_accessible links: http://www.pcworld.com/article/2142180/stung-by-fileencrypting-malware-researchers-fight-back.html

More screenshots on this topic: there seems currently no antidote against this? FBI-NSA-CIA stop drone-killing innocent-random people in Afghanistan and focus on helping people with those virus problems! CryptoOffense.exe_key_not_found http://www.symantec.com/connect/blogs/cryptodefense-cryptolocker-imitator-makes-over-34000-one-month


the virus seems to spread via e-mail attachments. the mails are professionally facked… the sender adress -> @ups.com! nice one. hot all hosts allow this. professional virus mail faking ups.com sender   i just got an e-mail that i suspect of having such an virus: ( i am not 100% shure ) evilMail_fullHeaders_invoice.8813544.exe.txt.tar (which was identified by sophos as Mal/DrodZp-A)

attachment: (renamed from .exe to .exe_ to prevent execution by accident) invoice.992110098323.exe_ here is another one: evilMail.txt.tar which was identified by sophos as Troj/Wonton-CR) i compared the attachments… and one clearly see similarities… but also how there are certain characters randomized to avoid virus scan detection. that’s like HIV. attachment_comparison

I offer 300€ to the first one showing me a solution to this problem.

to contact me you can add a comment or click the red text above to send me an e-mail. „Most of the time, major PC users prefer to safeguard their computer and prevent from potential threats with their trusted antivirus. However, even though you have the top antivirus program installed, the CryptoDefense virus still gets through without your consent. You may ask why. I should say there is actually no such thing as perfect protection. Virus is created every day. Such virus like the CryptoDefense is designed to have been changed the code so antivirus can’t keep up. Once executed, CryptoDefense virus can disable your security tool. In such circumstance, manual removal is required.“ http://viruz.hol.es/remove-cryptodefense-scam-how-to-decrypt-your-files-on-pc/ ELM-Soft-Scanner Results:

 Emsisoft Emergency Kit - Version 4.0 Letztes Update: N/A Benutzerkonto: COMPUTERNAMEUsername Scan Einstellungen: Scan Methode: Detail Scan Objekte: Rootkits, Speicher, Traces, C:, D: PUPs-Erkennung: Aus Archiv Scan: An ADS Scan: An Dateitypen-Filter: Aus Erweitertes Caching: An Direkter Festplattenzugriff: Aus Scan Beginn: 29.04.2014 06:33:43 C:Dokumente und EinstellungenUsernameAnwendungsdatensoftonic gefunden: Application.AppInstall (A) C:Dokumente und EinstellungenUsername.UsernameAnwendungsdatensoftonic gefunden: Application.AppInstall (A) C:Programmesoftonic gefunden: Application.AppInstall (A) C:Dokumente und EinstellungenUsername.UsernameAnwendungsdatenMozillaFirefoxProfilessjodvpjt.defaultExtensionsffxtlbra@softonic.com gefunden: Application.FireExt (A) C:Dokumente und EinstellungenUsername.UsernameAnwendungsdatenMozillaFirefoxProfilessjodvpjt.defaultSearchpluginssoftonic.xml gefunden: Application.SearchPlug (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESCLSID{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESCLSID{933B95E2-E7B7-4AD9-B952-7AC336682AE3} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESCLSID{94496571-6AC5-4836-82D5-D46260C44B17} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESCLSID{95B7759C-8C7F-4BF1-B163-73684A933233} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESCLSID{B658800C-F66E-4EF3-AB85-6C0C227862A9} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESCLSID{BC9FD17D-30F6-4464-9E53-596A90AFF023} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESCLSID{DE9028D0-5FFA-4E69-94E3-89EE8741F468} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESCLSID{F25AF245-4A81-40DC-92F9-E9021F207706} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESINTERFACE{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESINTERFACE{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESSCRIPTHELPER.SCRIPTHELPERAPI gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESSCRIPTHELPER.SCRIPTHELPERAPI.1 gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESSOFTONIC.DSKBND gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESSOFTONIC.DSKBND.1 gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESSOFTONIC.SOFTONICHLPR gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESSOFTONIC.SOFTONICHLPR.1 gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESSOFTONICAPP.APPCORE gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESSOFTONICAPP.APPCORE.1 gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESSRV.SOFTONICSRVC gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESSRV.SOFTONICSRVC.1 gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESTYPELIB{13ABD093-D46F-40DF-A608-47E162EC799D} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESTYPELIB{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESTYPELIB{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESVIPROTOCOL.VIPROTOCOLOLE gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESVIPROTOCOL.VIPROTOCOLOLE.1 gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXPLORERBROWSER HELPER OBJECTS{95B7759C-8C7F-4BF1-B163-73684A933233} gefunden: Application.BHO (A) Key: HKEY_LOCAL_MACHINESOFTWAREMICROSOFTWINDOWSCURRENTVERSIONEXPLORERBROWSER HELPER OBJECTS{E87806B5-E908-45FD-AF5E-957D83E58E68} gefunden: Application.BHO (A) Key: HKEY_USERSS-1-5-21-1214440339-1637723038-725345543-1003SOFTWARESOFTONIC gefunden: Application.InstallAd (A) Key: HKEY_USERSS-1-5-21-776561741-515967899-725345543-1150SOFTWARESOFTONIC gefunden: Application.InstallAd (A) Key: HKEY_LOCAL_MACHINESOFTWAREMICROSOFTWINDOWSCURRENTVERSIONUNINSTALLSOFTONIC gefunden: Application.InstallAd (A) Key: HKEY_LOCAL_MACHINESOFTWARESOFTONIC gefunden: Application.InstallAd (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESAPPID{09C554C3-109B-483C-A06B-F14172F1A947} gefunden: Application.InstallDeal (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESAPPID{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} gefunden: Application.InstallTool (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESAPPID{B12E99ED-69BD-437C-86BE-C862B9E5444D} gefunden: Application.InstallTool (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESAPPID{D7EE8177-D51E-4F89-92B6-83EA2EC40800} gefunden: Application.InstallTool (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESAPPIDESCORT.DLL gefunden: Application.Win32.WSearch (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESAPPIDESCORTAPP.DLL gefunden: Application.Win32.WSearch (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESAPPIDESCORTENG.DLL gefunden: Application.Win32.WSearch (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESAPPIDESCORTLBR.DLL gefunden: Application.Win32.WSearch (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESAPPIDESRV.EXE gefunden: Application.Win32.WSearch (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESESCORT.ESCORTIEPANE gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESESCORT.ESCORTIEPANE.1 gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESTYPELIB{4E1E9D45-8BF9-4139-915C-9F83CC3D5921} gefunden: Application.AdReg (A) Key: HKEY_LOCAL_MACHINESOFTWARECLASSESTYPELIB{D7EE8177-D51E-4F89-92B6-83EA2EC40800} gefunden: Application.AdReg (A) C:System Volume Information_restore{E5F384F8-F12C-4169-81A8-2875DBA7BC99}RP120A0018161.exe gefunden: Trojan.GenericKD.1644312 (B) C:System Volume Information_restore{E5F384F8-F12C-4169-81A8-2875DBA7BC99}RP120A0018247.exe gefunden: Trojan.GenericKD.1644312 (B) C:System Volume Information_restore{E5F384F8-F12C-4169-81A8-2875DBA7BC99}RP120A0018248.exe gefunden: Trojan.GenericKD.1644312 (B) C:System Volume Information_restore{E5F384F8-F12C-4169-81A8-2875DBA7BC99}RP120A0018279.exe gefunden: Trojan.GenericKD.1644312 (B) C:System Volume Information_restore{E5F384F8-F12C-4169-81A8-2875DBA7BC99}RP120A0018280.exe gefunden: Trojan.GenericKD.1644312 (B) C:System Volume Information_restore{E5F384F8-F12C-4169-81A8-2875DBA7BC99}RP120A0018449.exe gefunden: Trojan.GenericKD.1644312 (B) C:System Volume Information_restore{E5F384F8-F12C-4169-81A8-2875DBA7BC99}RP120A0018450.exe gefunden: Trojan.GenericKD.1644312 (B) Gescannt 162406 Gefunden 56 Scan Ende: 29.04.2014 09:41:25 Scan Zeit: 3:07:42

How to decrypt my files

  1. Click Start menu and navigate to Control Panel (for Windows 8, move mouse cursor to the bottom right of the screen, click Settings on Charm bar and go to Control Panel).
  2. Click User Accounts and Family Safety.
  3. Go to User Accounts.
  4. Click Manage your file Encryption Certificates.
  5. Click Next on Encrypting File System wizard.
  6. Select all the files you want to decrypt on Certificate details and click Next.
  7. Choose All Logical Drives and click Next.

In case you have any questions on how to decrypt your files, or the provided method does not word for you, please leave us a comment below and we will reply as soon as possible.

source: http://www.pcthreat.com/parasitebyid-41051en.html

i wonder if the secret.key file is written to harddisk… and then deleted… maybe you could recover this file with get data back ntfs? but this probably works best if you mount the disk in a different pc IMMEDIATELY and read only. otherwise stuff gets overwritten fast. any other ideas?

Pay the thiefes?

CryptoDefense have earned over $34,000 in just one month.

Never pay. Ever.  There are many stories of people who have paid and still don’t get their data back.  Take the hit, the data is gone.  Do what others have suggested and format the infected PC.

links: http://www.computerbetrug.de/ransomware-erpressung-per-losegeld-trojaner http://www.computerbetrug.de/2014/05/loesegeld-trojaner-verschluesselt-daten-und-fordert-bitcoin-zahlung-8412 what does cryptodefense do on your harddisk: „The files are encrypted using RSA-2048 encryption, which makes them impossible to decrypt via brute force methods. At the beginning of each encrypted file will be two strings of text. The first string is !crypted! and the second string is a unique identifier for the infected computer. An example identifier is 18177F25DA00CD4CBC3D1b8B9F55F018. All encrypted files on the same computer will contain the same unique identifier. This identifier is probably used by the Decrypt Service web site to identify the private key that can be used to decrypt the file when performing a test decryption. You can see these strings of text in a hex editor as shown below:“

Hex Editor showing Encrypted File

Based on research performed by DecrypterFixer, it appears that this infection is installed through programs that pretend to be flash updates or video players required to view an online video. When these downloads are run, numerous adware will be installed along with CryptoDefense. From screenshots of other infected computers, it is also not uncommon for infected computer’s to also have CryptoDefense or CryptorBit installed on them as well. http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information join the discussion: (in german) http://forum.computerbetrug.de/threads/cryptodefense-cryptowall-decrypter.46139/ english: http://www.bleepingcomputer.com/forums/t/527937/cryptodefense-newest-cryptolocker-variant-details-inside/?hl=%20cryptodefense If you are affected – sign the petition to make governments care: https://www.change.org/petitions/european-union-and-us-government-nsa-recover-our-valuable-files all their NSA-CIA surveillance could not help us… the tor to good and evil: http://dwaves.de/index.php/2014/05/01/tor-anonymizer-technology-can-always-be-used-for-good-and-evil/ http://www.darkreading.com/cryptowall-more-pervasive-less-profitable-than-cryptolocker/d/d-id/1306813? „CryptoWall has encrypted 5.25 billion files. To retrieve their files, victims generally pay ransoms ranging from $200 to $2,000 apiece, but one unfortunate person paid $10,000. Over the course of six months, the CryptoWall operators convinced 1,683 victims to pay up and made $1,101,900 in ransoms. This is rather a small haul when compared to CryptoLocker, which made $27 million in its first two months. Researchers have a few theories as to why CryptoWall is less profitable.“