Computer Hope

Software => Computer viruses and spyware => Topic started by: Michael on April 08, 2014, 01:58:06 PM

Title: CryptoDefense Solution
Post by: Michael on April 08, 2014, 01:58:06 PM

One of the PC in my office is infected by this CryptoDefense ransomware, which encrypted files on the PC.

(http://i57.photobucket.com/albums/g222/MichaelTCT/Forums/Computerhope/Encrypt_zpsb94faa7f.jpg~original) (http://s57.photobucket.com/user/MichaelTCT/media/Forums/Computerhope/Encrypt_zpsb94faa7f.jpg.html)

Supposedly, we have to pay $500 in bitcoin to buy a private key in order to decrypt them.

However, I read on this site (http://www.theregister.co.uk/2014/04/03/cryptodefense_rsa_private_key_on_disk/) that a copy of the key is actually stored on the local PC.

Now my question is: where do I use the key to decrypt the files?
Should I follow the instruction as prompted by the virus i.e. to access their server via a anonymous browser? Is it safe to do so?

Thanks in advance!

Title: Re: CryptoDefense Solution
Post by: SuperDave on April 08, 2014, 05:06:09 PM

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
When this malware first appeared on the scene the hacker had mistakenly included the key on the pc. However, some protection companies tipped that hacker of about this error and he has since corrected his mistake. You can read the full story here. (http://blog.emsisoft.com/2014/04/04/cryptodefense-the-story-of-insecure-ransomware-keys-and-self-serving-bloggers/?ref=newsbox_ticker140407&utm_source=software&utm_medium=newsbox&utm_content=ticker140407&utm_campaign=newsbox_ticker140407)
Let's try a traditional method. Boot your computer in Safe Mode and try to run MBAM(below). If successful, boot in Normal mode and try running it again.
Since this is a business computer there may be some protocols put in place by the IT dept. that may prevent us cleaning the computer

(http://i424.photobucket.com/albums/pp322/digistar/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here. (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.