CryptoDefense is less well-known than its fellow ransomware CryptoLocker, but is no less unpleasant: it encrypts documents, source code and SSL certificates on victims’ computers and demands that a Bitcoin ransom be paid in order to recover the data being held hostage.
The first most users know that they have a problem is when they find a file on their Windows desktop called HOW_TO_DECRYPT:
All files including videos, photos and documents on your computer are encrypted by CryptoDefense Software.
Encryption was produced using a unique public key RSA-20148 generated for this computer. To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, is located on a secret server on the internet; the server will destroy the key after a month. After that, nobody will ever be able to restore the files.
In order to decrypt the files, open your personal page on the site [URL LINK] and follow the instructions.
Visiting the link contained in the message takes you to a webpage that encourages you to pay up (once you have defeated the CAPTCHA test):
But, if you dawdle and don’t cough up enough Bitcoins in time – you might find the price has gone up:
I can’t encourage you to pay the criminals if you are unlucky enough to be hit by this malware. After all, you are only encouraging them to launch future attacks and there’s no guarantee that they will actually give you access back to your files, rather than raise their ransom demand even further.
If you were sensible enough to have a secure, uncompromised backup of your important data then you might be wiser to wipe your computer clean and restore from that.
According to Bromium’s researchers, the ransomware is being distributed by attackers via Java drive-by downloads.
What that means is that the gang behind CryptoDefense are trying to increase their potential pool of victims by not just spamming out their malware as email attachments, but also planting malicious code on websites to exploit vulnerabilities in Java in order to silently infect visiting computers.
For a detailed analysis of CryptoDefense and its methods of infection, check out Bromium’s blog post on the subject.
The truth is that cybercriminals love Java. Java is multi-platform, which means it can be run on different computers, regardless of their operating system. Because of this, it’s not unusual to see attackers use Java as part of their attack before serving up an OS-specific payload.
So, here are your options:
1) If you still *really* need Java, apply all available security patches as soon as you can.
2) Uninstall Java entirely. Chances are that if you don’t think that you need Java, you don’t need it.
3) The half-way house. Turn off Java in your web browser, thus preventing the most common vector for Java-based malware attacks. There is an article on the Naked Security website explaining how to do this for the most popular browsers. Of course, if you go this route you should still apply any Java security updates.
Depending on where you work, options 2 and 3 may be difficult for you to follow. A sizeable number of businesses still rely on archaic code which requires Java to properly work. If that’s the case for you, it may be best to have a different browser for surfing the web than the one you need to run that creaky old Java-based app that your IT team wrote in 2003.
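Before choosing between those options it helps to know which Java runtimes are actually present on a machine. The following PowerShell inventory is an added example, not code from the article or from Bromium: it reads the standard Windows Uninstall registry keys (including the 32-bit WOW6432Node hive) and flags any Java installation older than a minimum version you set; the $MinimumVersion value is a placeholder you replace with the latest patched release.

```powershell
# Added example: inventory installed Java runtimes and flag ones below a chosen baseline.
# $MinimumVersion is a placeholder assumption; set it to the current patched Java release.
function Get-JavaInstallInventory {
    param(
        [version]$MinimumVersion = [version]'0.0'
    )

    # Both 64-bit and 32-bit installers register here; 32-bit entries live under WOW6432Node.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        ForEach-Object {
            # DisplayVersion is a string such as "7.0.510"; parse it where possible.
            $parsed = $null
            [void][version]::TryParse($_.DisplayVersion, [ref]$parsed)

            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate
                # Anything below the baseline (or unparseable) is flagged for patching or removal.
                NeedsAction = (-not $parsed) -or ($parsed -lt $MinimumVersion)
            }
        }
}

# Example run: list every Java install and highlight those below the chosen baseline.
Get-JavaInstallInventory -MinimumVersion '99.0' | Format-Table -AutoSize
```

An empty result means no Java runtime is registered with Windows, which is the state option 2 above aims for; anything flagged NeedsAction is a candidate for option 1 or 2.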
Java is getting a bad name for security, so it’s no surprise that more and more people are keen to permanently remove it from their computers rather than risk being hit by a malware attack.
Earlier this year, Bromium discovered that hackers were infecting computers as unsuspecting users were watching YouTube videos – again via a Java exploit.
Get the message?
You’re crazy to use Java. Crazier not to patch it.
Does your workplace require you to have Java installed? Leave a comment below and tell us what you think about still using Java in 2014…