Fresh ransomware that is distributed via Java drive-by-downloads and requires a private key has been detected.
The CryptoDefense ransomware locks all files including videos, photos and documents and uses a unique public key RSA-2048 which is located “on a secret server on the internet”, according to research by Bromium. However, a flaw, which Bromium suspected will be fixed in an update, found that due to an implementation flaw, the decryption key can also be found on the computer.
A whitepaper said: “We were able to capture the sample inside a micro-VM implemented in our product, so we have all the files and traffic involved in the attack. This allows us to skip the Java exploit and first layer dropper for now and focus on the actual malware dropped. If we find something noteworthy in other parts of attack we’ll post a follow up article.”
In the case of CryptoDefense, it makes sure system tools cannot recover files as shadow copies are removed and system restore is disabled. According to a report by Symantec, CryptoDefense first showed up at the end of February 2014 and by the end of March there were at least 11,000 detections.
Bromium’s analysis of CryptoDefense found that it locked the same files as CryptoLocker, but users are given a month to pay rather than the short two-to-three day period that CryptoLocker gave users. Also, it requires a user to visit their personal page on the CryptoDefense website.
Bromium admitted that the rate of new crypto malware attacks seems to be increasing, and that this appears to be a profitable business for the underground crimeware gangs.
Luis Corrons, head of PandaLabs, told IT Security Guru that the truth is that he sees ransomware as something that is going to stay with us for a long time. “We have not received a single incident from this CryptoDefence, but we are stopping the infection process at the exploit level, so the malware is always stopped before infecting the computer.”
Asked if he felt that businesses were taking ransomware seriously, BH Consulting CEO Brian Honan said: “The crypto used by the criminals in ransomware is pretty much unbreakable as it is similar to the encryption algorithms used by many companies to protect their data. So once infected there is little to no hope of recovering the data without the appropriate key to decrypt the data.
“From my experience most individuals affected has opted to pay because they have had no other option, although a few did not pay and simply rebuilt their computers and suffered the loss of their data. Most of these people were individuals. For each business customer I have come across impacted by Ransomware they have all opted to pay the ransom (usually between €3,000 to €5,000) as they could not afford to lose their data. Ironically, many comment they would rather spend that money on securing their data rather than paying criminals to retrieve.”
