CryptoDefense Ransomware Flaw Leaves Behind Decryption Keys | eWeek

CryptoDefense Ransomware Flaw Leaves Behind Decryption Keys

CryptoDefense Ransomware Flaw Leaves Behind Decryption Keys
Written By
Robert Lemos
Robert Lemos
Apr 8, 2014
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Ransomware has become an increasingly popular way for cyber-criminals to turn infected computer systems into cash, and this year underground programmers are already churning out copycats of the most successful ransomware program, CryptoLocker, according to security firms.

On March 31, security firm Symantec discovered a data-napping program, dubbed CryptoDefense, which has already netted its makers at least $34,000 in the first month, according to Symantec. The program encrypts nearly 50 different types of files, and then demands a ransom of about $500 in bitcoins for the key.

“CryptoLocker was the first and its success is driving other groups into adopting the same techniques,” Kevin Haley, director of security response for Symantec, told eWEEK.

In 2013, CryptoLocker infected more than 200,000 machines and earned its cyber-criminal creators more than $380,000, according to Dell Secureworks, a managed security company. It’s likely that the malware earned much more than that, possibly millions of dollars, the company said in December.

Symantec first detected the CryptoLocker copycat in late February and in the 30 days since, has blocked 11,000 potential infections, the company stated in an analysis. By analyzing the bitcoin addresses used to receive funds, Symantec estimated that the cyber-criminals had received more than $34,000 in the month that it tracked the threat.

Potential victims will typically encounter a link to the ransomware installer in unsolicited spam. If they click on the link and install the program, it compromises their systems and contacts the attacker’s command-and-control servers, Symantec stated.

“The initial communication contains a profile of the infected computer,” the company’s analysis stated. “Once a reply is received from the remote location, the threat then initiates encryption and transmits the private key back to the server. Once the remote server confirms the receipt of the private decryption key, a screenshot of the compromised desktop is uploaded to the remote location.”

While CryptoDefense shows some innovation—such as requiring that victims use the Tor anonymizing network to make it harder to track the payment—it also has a fatal flaw: The program leaves the encryption key hidden on the victim’s machine. The mistake helped antivirus companies help their customers, Haley said. It also showed that the latest authors were not as good as the original creators of CryptoLocker, he said.

“I think you can argue that they weren’t as good, since they left the key on the computers,” Haley said.

Systems in the United States make up most of the infected computers detected by Symantec, followed by systems in the United Kingdom, Canada and Australia, according to the company’s analysis.

The most effective defense against ransomware is to frequently back up data, according to Haley. While anti-malware defenses can help detect known malware, the software is not always effective against unknown attacks. A backup can allow consumers and businesses to recover data without paying a ransom.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.