A basic rookie programming error has crippled an otherwise advanced piece of ransomware dubbed CryptoDefense – but the crap coders are still pulling in more than $30,000 a month from unwary punters.
Symantec reports that the malware, once it infects a Windows PC, encrypts the victim's files using a 2,048-bit RSA public key, which is half of a freshly generated private-public pair; the software nasty only hands over the private key to decrypt the data when a ransom is paid. Computers are infected typically after the user is tricked into running an attachment in a spam email.
It was first spotted in February, and is largely targeting US and UK systems. So far the security firm has detected more than 11,000 infections and estimates that the operators are pulling in up to $38,000 a month in Bitcoin, based on data from BTC transaction sites.
This style of encryption attack is nothing new, but the CryptoDefense creators have put a bit more thought into their nasty than most of their ilk (apart from the bungled cryptography that we'll get onto in a second). The malware uses pressure tactics that would make a corporate marketing department proud – it doubles the ransom after four days of non-payment, for example – and it makes the victim use the Tor network to cough up the dosh so it's harder to track down the crooks behind the scam.
The ransomware demands $500 in Bitcoin for the decryption key, and the malware author includes a how-to guide for installing and using a Tor-connected web browser, and a list of crypto-currency exchanges. There's even a CAPTCHA page to negotiate before the ransom is paid.
Thankfully all that work has gone to waste. Whoever coded this made the rookie mistake of storing the decryption key in plain view – that's right, the private key is stored unencrypted on the PC's hard disk. Even though the generated private keys are uploaded to the crooks' server, allowing the crims to send the keys to victims who pay up, a copy is left on the drive by the software. Symantec explained:
As advertised by the malware authors in the ransom demand, the files were encrypted with an RSA-2048 key generated on the victim’s computer. This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server. However, using this method means that the decryption key the attackers are holding for ransom, actually still remains on the infected computer after transmission to the attacker's server.
Infected users should check in the Application Data > Application Data > Microsoft > Crypto > RSA folder of their PCs for the private key.
"The malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape," the security biz noted in a blog post.
While that's good news for people infected right now, it's a kick in the shins for those who paid up in the past, and bad news for future victims once this bug is fixed. Ransomware has been around in one form or another for years, but in the last 18 months there's been a big spike in infections and it's getting more advanced and difficult to eliminate.
The boom was sparked by CryptoLocker, an unusually effective piece of malware that reaped millions through a combination of good social engineering and strong crypto, and being highly resistant to takedown attempts on its command and control servers. It was so good, US cops were forced to pay up to free their files, and it is still causing problems across the world.
Its success has spawned a host of imitations, and studies have shown that the attack is surprisingly effective at convincing people to pay up. Last month, a Romanian victim killed himself and his four-year-old son after ransomware convinced him he was facing years in jail and massive fines.
The primary vector of attack is the old favorite, the anonymous email attachment. While people are getting better at not downloading files from unknown sources, there are still a lot of folks who aren't so wary and, once infected, they are likely to be technology-illiterate enough to panic into making a payment.
Crap coding may have crippled CryptoDefense, but it's clear that malware writers are investing in ransomware in a big way. Expect to see a lot more of this kind of malware-laden spam in the future. ®