
New ransomware accidentally leaves key to its defeat on infected computers


It could have been the ultimate ransomware, had it not left its keys on the victimized machine.

Yet the new ransomware, dubbed CryptoDefense, is still a mean piece of malware: it has extorted $34,000 a month from victims since February, security vendor Symantec said.

"CryptoDefense, in essence, is a sophisticated hybrid design incorporating a number of effective techniques previously used by other ransomcrypt malware authors to extort money from victims... However, the malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape," Symantec said in a blog post.

According to Symantec, CryptoDefense appeared in late February 2014 and was spammed out via email. Symantec said it had blocked infections in over 100 countries, including the US, UK, Canada, Australia, Japan, India, Italy and the Netherlands.

Other than that oversight, Symantec said, CryptoDefense uses the Tor network and Bitcoin for anonymity, as well as public-key cryptography with strong RSA-2048 encryption.

It also uses pressure tactics, such as threatening to double the ransom from the initial $500 if payment is not made within four days.

Private key

Symantec said the attackers behind CryptoDefense overlooked one important detail: where the private key was stored. The files were encrypted with an RSA-2048 key generated on the victim's computer.

"This was done using Microsoft’s own cryptographic infrastructure and Windows APIs to perform the key generation before sending it back in plain text to the attacker’s server," it said.

"However, using this method means that the decryption key the attackers are holding for ransom actually still remains on the infected computer after transmission to the attackers' server," it added.
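The key-management flaw Symantec describes is worth seeing in working code. The example below is added here and is not code from the article, Symantec, or the malware: a constructed in-memory KeyStore stands in for the per-user CryptoAPI key containers that Windows persists on disk when a key pair is generated through the OS. A key pair is generated through that store, a small constructed file is encrypted with the public key, the in-memory private key is discarded (as if it had been sent off-host), and a responder-side function then walks the retained containers and recovers the file from the copy the store kept. Container names, the direct RSA-OAEP file encryption (the article does not say how file data was ciphered), and the sample file content are assumptions for illustration; on a real Windows host a responder would instead enumerate the user's CryptoAPI key containers (for example with certutil's -key listing) and export any private keys found there.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"sort"
)

// KeyStore stands in for a per-user CryptoAPI key container store: when a key
// pair is generated through the OS, the OS persists the private key on disk in
// a named container. This in-memory map is a constructed stand-in for the
// example, not Windows code.
type KeyStore struct {
	containers map[string][]byte // container name -> PKCS#1 DER private key
}

func NewKeyStore() *KeyStore {
	return &KeyStore{containers: make(map[string][]byte)}
}

// GenerateInContainer generates an RSA-2048 key pair through the store. The
// caller gets the key, but the store keeps its own copy of the private key,
// which is the behaviour the article says CryptoDefense's author overlooked.
func (ks *KeyStore) GenerateInContainer(name string) (*rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ks.containers[name] = x509.MarshalPKCS1PrivateKey(priv)
	return priv, nil
}

// Containers lists the container names, sorted for deterministic iteration.
func (ks *KeyStore) Containers() []string {
	names := make([]string, 0, len(ks.containers))
	for n := range ks.containers {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// Load parses the private key persisted in a container.
func (ks *KeyStore) Load(name string) (*rsa.PrivateKey, error) {
	der, ok := ks.containers[name]
	if !ok {
		return nil, fmt.Errorf("no container named %q", name)
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// EncryptSmallFile encrypts one small file directly with the RSA public key.
// RSA-OAEP with SHA-256 holds at most 190 bytes under a 2048-bit key; this
// direct-RSA design is an assumption, since the article does not detail the
// file cipher.
func EncryptSmallFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// RecoverSmallFile is the responder's side: walk every retained key container
// and try each private key against the ciphertext. It returns the plaintext
// and the name of the container that held the usable key.
func RecoverSmallFile(ks *KeyStore, ciphertext []byte) ([]byte, string, error) {
	for _, name := range ks.Containers() {
		priv, err := ks.Load(name)
		if err != nil {
			continue
		}
		pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, nil)
		if err == nil {
			return pt, name, nil
		}
	}
	return nil, "", errors.New("no retained private key decrypts this file")
}

func main() {
	store := NewKeyStore()
	priv, err := store.GenerateInContainer("victim-keypair") // persisted by the "OS"
	if err != nil {
		panic(err)
	}
	// Constructed sample file content.
	ct, err := EncryptSmallFile(&priv.PublicKey, []byte("quarterly-report.docx contents"))
	if err != nil {
		panic(err)
	}
	// The malware ships priv off-host and drops its own copy, but the container
	// still holds it, so recovery succeeds without the attacker's cooperation.
	priv = nil
	pt, where, err := RecoverSmallFile(store, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q using key container %q\n", pt, where)
}
```

The design point for defenders is the last step: RecoverSmallFile never needs the copy the attacker holds, only the one the OS kept. Had the key pair been generated in memory (or on the attacker's server) and never persisted locally, the same walk over the key store would fail, which is what the negative case in the test checks with a store that never held the key.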

Still, a separate article on The Hacker News said that while the ransomware developer could be considered "dumb," unlocking the encrypted files may not be that easy.

"Despite the dumb mistake of the malware developer, it is not sure that it will [leave] the users untouched, because some technical skills [are] required to figure out the decryption keys," it said, though it did not elaborate. - Joel Locsin / AMD, GMA News