CryptoDefense Ransomware Worse Than CryptoLocker, Cyber Firm Says By: Homeland Security Today Staff

A new ransomware called CryptoDefense, a copycat competitor to CryptoLocker which was released into cyberspace in late February, “is much worse than the original,” KnowBe4 CEO Stu Sjouwerman said Thursday in issuing an alert warning computer users of the new ransomware.

CryptoDefense targets text, picture, video, PDF and MS Office files and encrypts these with a strong RSA-2048 key which is hard to undo, KnowBe4 said, adding, “It also wipes out Shadow Copies which are used by many backup programs.

“The potential for damage is vast, generating tens of thousands per month, according to reports from Symantec,” KnowBe4 said in its announcement Thursday. “If an end-user opens the infected attachment, the ransomware encrypts its target files, and the criminals charge $500 in Bitcoin to decrypt the files. If their four-day deadline passes by, the amount goes up to $1,000. After a month, the keys are destroyed.”

“There is furious competition between cybergangs,” Sjouwerman said. “They did their test-marketing in countries like the UK, Canada and Australia, and are now targeting the US. CryptoDefense doesn’t seem to be a derivative of CryptoLocker, as the code is completely different, confirming this is a competing criminal gang.”

KnowBe4 said, “It appears that this infection initially was installed through programs that pretend to be flash updates or video players required to view an online video. Then it moved on to a variety of different phishing attacks that show an email with a zip file directing to ‘open the attached document’ that was supposed to have been ‘scanned and sent to you.’”

“It is obvious that this is a social engineering ploy and that effective security awareness training will prevent someone from opening these infected attachments when they make it through the filters (which they regularly do),” Sjouwerman said. “Training your end-users to prevent fires like this is a must these days. Once infected, the only way to fix this relatively fast is to make sure you have a recent backup of the files which actually can be restored. Even then, it can take several hours to restore the data.”

According to KnowBe4, recent ransomware infections involved users opening an attachment with a “voice mail message” from AT&T, though there are also variants that impersonate other telco companies. Users then admitted to opening the attachment but said it did nothing; however, they could not open their files afterward.

This new CryptoDefense ransomware has bugs too. Symantec researchers said that “Due to the attackers’ poor implementation of the cryptographic functionality they have, quite literally, left their hostages a key to escape.”
