Ransomcrypt can be defeated by AV when the criminals are incompetent
There is a window of opportunity for anti-virus software to detect and defeat the new style of crypto ransomware. This is the malware that scrambles your files with unbreakable encryption that can only be reversed by ‘buying’ the decryption key from the criminals for several hundred dollars.
That window was described by Symantec in its recent discussion on the CryptoDefense malware.
CryptoDefense appeared in late February 2014 and since that time Symantec telemetry shows that we have blocked over 11,000 unique CryptoDefense infections.
How do you block an infection that encrypts? You can block an attack before the infection…
Well, it’s that window of opportunity. Strictly speaking, I suppose Symantec hasn’t blocked the infection, but does manage to block the encryption.
The first thing the malware must do when it infects the computer is report back to the C&C server so that it has a channel to send the decryption key. If it doesn’t do that, the criminals have no way to effect the ransom (other than bluff, which would only work a couple of times). So if the AV software can recognise this behaviour, it has a brief period in which to cut the communication and ‘block’ the encryption.
In this particular instance the criminals have developed a sophisticated trojan that has one fatal flaw.
CryptoDefense, in essence, is a sophisticated hybrid design incorporating a number of effective techniques previously used by other ransomcrypt malware authors to extort money from victims. These techniques include the use of Tor and Bitcoins for anonymity, public-key cryptography using strong RSA 2048 encryption in order to ensure files are held to ransom, and the use of pressure tactics such as threats of increased costs if the ransom is not paid within a short period of time. However, the malware author’s poor implementation of the cryptographic functionality has left their hostages with the key to their own escape.
That fatal flaw is to leave a copy of the decryption key on the user’s PC.
With Cryptolocker, the private key was only ever found on servers controlled by the attacker, meaning the attackers always maintained control over the encryption/decryption keys. On investigating how CryptoDefense implemented its encryption, we observed that the attackers had overlooked one important detail: where the private key was stored.
In short, if you use Windows’ own crypto functions, you should know where it stores the decryption key. With CryptoDefense, the criminals either didn’t know or overlooked it, despite the malware’s otherwise sophisticated design. Windows stores a copy of the key on the disk, and CryptoDefense leaves it there.
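To make that point concrete, here is an added PowerShell snippet (not from the original post or from Symantec’s analysis) that a responder can run on a suspected machine to inventory and preserve the user’s CryptoAPI RSA key containers before anything else touches them. It assumes the standard per-user container location, %APPDATA%\Microsoft\Crypto\RSA\<SID>\, which the post does not name, and a 30-day lookback window.

```powershell
# Added example: inventory and preserve per-user CryptoAPI RSA key containers.
# Assumes the standard container location under %APPDATA%; $Days is a chosen default.
param(
    [int]$Days = 30,
    [string]$Backup = (Join-Path $env:USERPROFILE 'keycontainer-backup')
)

$store = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
if (-not (Test-Path $store)) {
    Write-Warning "No per-user RSA key store found at $store"
    return
}

New-Item -ItemType Directory -Path $Backup -Force | Out-Null
$since = (Get-Date).AddDays(-$Days)

# Each SID subdirectory holds one file per key container; recently created
# containers are the ones worth looking at after an infection.
$recent = Get-ChildItem -Path $store -Recurse -File |
    Where-Object { $_.CreationTime -ge $since } |
    Sort-Object CreationTime

foreach ($f in $recent) {
    # Copy first and hash the copy, so the original is only ever read.
    $dest = Join-Path $Backup $f.Name
    Copy-Item -Path $f.FullName -Destination $dest -Force
    $hash = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
    [pscustomobject]@{
        Created = $f.CreationTime
        Size    = $f.Length
        SHA256  = $hash
        Source  = $f.FullName
    }
}
```

Save it as a .ps1 and run it in the affected user’s own session, since the store is per user.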
So in this instance, some basic incompetence from the criminals is the victims’ salvation. But don’t expect it to continue. The criminals will rapidly update the malware to defend their leverage. The best bet is to avoid the infection in the first place — and that means up-to-date anti-malware, and constant vigilance against phishing and attachments.