“Today my PC was infected by a virus called CryptoDefense software that pops up a text box stating all files on my computer are encrypted and tells me what to do. I didn’t believe what the box stated and had it disconnected from the network. Then it said that it cannot get to the decrypt site. How can I get rid of the threat from my computer?”
Details of CryptoDefense
CryptoDefense, also known as HOW_DECRYPT.txt Ransomware, is classified as ransomware that attacks all versions of Windows operating systems, including Windows XP, Windows Vista, Windows 7 and Windows 8. It often gets onto your computer silently and without permission while you surf the Internet; usually it comes bundled with other applications downloaded from the Internet. Once it arrives on the PC, the malware starts to carry out a series of harmful actions. Usually, it displays a box claiming that all files on the computer, including videos, photos and documents, have been encrypted by CryptoDefense software. You may then find that files with extensions such as .doc, .xls and .bmp are affected. The information in the box guides you to download and install a specified browser and open a specific website in order to decrypt the files.
See the screenshot of the box displayed by the ransomware:
Once installed on the targeted computer, the malware creates a How_Decrypt.txt and a How_Decrypt.html file in every folder in which a file was encrypted. The HTML and TXT files contain instructions on how to access a payment site that can be used to send in the ransom. It also creates an HKCU\Software\<unique ID>\ registry key and stores various configuration information in it, and it lists all the encrypted files under the HKCU\Software\<unique ID>\PROTECTED key. It scans your computer and encrypts data files such as text files, image files, video files and office documents, then connects to the Command and Control server and uploads your private key. It may also delete all Shadow Volume Copies so that you cannot restore your files from the Shadow Volumes. This means you will only be able to restore your files by restoring from backup or by paying the ransom. In some cases the threat does not properly clear the shadow copies, so you may want to use the instructions below to see whether you can restore from them.
Once you attempt to decrypt the files on your PC, the ransomware requires you to pay for the decryptor. The payment website is located on the Tor network, and the PC user can only make the payment in Bitcoins. In order to buy the decryptor for the files, you need to pay a supposed fine of 500 USD in Bitcoins. If you don’t pay the fine within 4 days, it doubles to 1,000 USD. It also declares that it will delete your private key, so that you will no longer be able to decrypt the files, if you do not buy a decryptor within one month. The files are encrypted using RSA-2048 encryption, which makes it impossible to decrypt them via brute-force methods. At the beginning of each encrypted file are two strings of text. The first string is !crypted! and the second string is a unique identifier for the compromised PC. An example identifier is 18177F25DA00CD4CBC3D1b8B9F55F018. All encrypted files on the same PC include the same unique identifier. This identifier is possibly used by the Decrypt Service website to recognize the private key that can be used to decrypt the files when executing a test decryption.
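As an added example (not code from the original write-up), the following Python script triages a directory tree for the two file-system artifacts described above: ransom notes named How_Decrypt.txt / How_Decrypt.html dropped in affected folders, and data files that begin with the !crypted! marker followed by a 32-character hex identifier. It assumes the identifier directly follows the marker with no separator, which the text does not state, and the sample tree it builds is constructed rather than real malware output.

```python
"""Added example: triage a directory tree for CryptoDefense-style artifacts.

Looks for the two markers the write-up describes: the ransom notes
(How_Decrypt.txt / How_Decrypt.html) dropped in affected folders, and the
"!crypted!" + 32-hex identifier prefix at the start of each encrypted file.
Assumption: the identifier immediately follows the marker with no separator.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Set

MARKER = b"!crypted!"
IDENT_LEN = 32
# Assumption: the identifier follows the marker directly. The write-up's sample
# identifier mixes upper and lower case, so both are accepted and normalised.
HEADER_RE = re.compile(rb"^!crypted!([0-9A-Fa-f]{32})")
NOTE_NAMES = {"how_decrypt.txt", "how_decrypt.html"}


def parse_crypted_header(data: bytes) -> Optional[str]:
    """Return the upper-cased machine identifier if `data` starts with the
    CryptoDefense marker, otherwise None."""
    match = HEADER_RE.match(data)
    return match.group(1).decode("ascii").upper() if match else None


def scan_tree(root: str) -> Dict[str, object]:
    """Walk `root` and report encrypted files, identifiers seen and note folders.

    Only the first 41 bytes of each file are read, so the scan stays cheap on a
    large profile. `consistent` is False if more than one identifier appears,
    which the write-up says should not happen on a single PC.
    """
    encrypted: List[str] = []
    identifiers: Set[str] = set()
    note_dirs: Set[str] = set()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in NOTE_NAMES:
                note_dirs.add(dirpath)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(MARKER) + IDENT_LEN)
            except OSError:
                continue  # unreadable file: skip it rather than abort the triage
            ident = parse_crypted_header(head)
            if ident is not None:
                encrypted.append(path)
                identifiers.add(ident)
    return {
        "encrypted_files": sorted(encrypted),
        "identifiers": identifiers,
        "note_dirs": sorted(note_dirs),
        "consistent": len(identifiers) <= 1,
    }


def build_sample_tree() -> str:
    """Create a constructed (not real) infected-profile layout in a temp dir."""
    root = tempfile.mkdtemp(prefix="cryptodefense_demo_")
    ident = b"18177F25DA00CD4CBC3D1b8B9F55F018"  # example identifier from the write-up
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    # Two "encrypted" files: marker + identifier followed by opaque bytes.
    for path in (os.path.join(docs, "budget.xls"), os.path.join(pics, "holiday.bmp")):
        with open(path, "wb") as fh:
            fh.write(MARKER + ident + os.urandom(64))
    # One untouched file that must not be flagged.
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, untouched\n")
    # Ransom-note stand-ins in each affected folder.
    for folder in (docs, pics):
        with open(os.path.join(folder, "HOW_DECRYPT.txt"), "w") as fh:
            fh.write("constructed stand-in for the ransom note\n")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"{len(report['encrypted_files'])} encrypted file(s), "
          f"identifier(s): {sorted(report['identifiers'])}, "
          f"note folders: {len(report['note_dirs'])}, "
          f"single identifier: {report['consistent']}")
```

Run it against a copy of the affected profile or a mounted image. The identifier set should contain exactly one value, and the encrypted-file list gives you the scope of what has to come back from backup or shadow copies.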
How to get rid of CryptoDefense from your computer?
Option 1: Download and install a professional malware removal program on your computer.
The malware may disable your browser. If you’re using IE, for example, and are having problems downloading the malware removal tool, open Firefox, Chrome or Safari instead. Or you can use removable media to copy the tool from another clean computer, then install it on your infected computer and run it to scan your computer.
Option 2: Restore your computer to a date and time before the infection.
1. Restart your computer and enter Windows in “Safe Mode with Command Prompt”. To enter that mode, repeatedly press F8 as the boot menu opens, use the arrow keys to highlight Safe Mode with Command Prompt and then press Enter.
2. Once the Command Prompt appears, type “explorer” and hit the Enter key. Sometimes during malware and virus infections you only have the opportunity to do this within 2-3 seconds. In some cases, if this is not performed during the allotted seconds, viruses such as the FBI MoneyPak ransomware virus will not allow you to type “explorer” anymore.
3. Once Windows Explorer shows up, browse to:
Windows XP: C:\windows\system32\restore\rstrui.exe and press Enter
Windows Vista/7: C:\windows\system32\rstrui.exe and press Enter
4. Follow all steps to restore or recover your computer system to an earlier time and date, before the infection, to complete the Windows restore.
Then delete the files and registry entries related to the ransomware, for example:
HKEY_CURRENT_USER\Software\<unique id> “finish” = “1”
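As an added example (not part of the original write-up), the Python below locates the ransomware's registry keys in a text export of HKCU\Software, such as one produced with reg export HKCU\Software software.reg from the safe-mode command prompt. It uses the two facts the text gives: the key is named with the 32-hex machine identifier and carries "finish"="1", and the PROTECTED subkey lists the encrypted files. The way each file path is stored under PROTECTED (here as a value name) is an assumption, and the embedded export is constructed.

```python
r"""Added example: locate CryptoDefense-style keys in a .reg export.

The write-up says the malware keeps its configuration under
HKCU\Software\<unique ID>\ (with "finish"="1" once done) and lists every
encrypted file under HKCU\Software\<unique ID>\PROTECTED.
Assumption: under PROTECTED each encrypted file's path is stored as a value
name. The export text below is constructed, not taken from a real machine.
"""
import re
from typing import Dict

KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\([0-9A-Fa-f]{32})(\\PROTECTED)?\]$", re.I
)
# A .reg value line looks like "name"=data; the name may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed export (assumption: paths under PROTECTED are value names).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_CURRENT_USER\Software\18177F25DA00CD4CBC3D1b8B9F55F018]
"finish"="1"

[HKEY_CURRENT_USER\Software\18177F25DA00CD4CBC3D1b8B9F55F018\PROTECTED]
"C:\\Users\\alice\\Documents\\budget.xls"=""
"C:\\Users\\alice\\Pictures\\holiday.bmp"=""
'''


def _unescape(name: str) -> str:
    """Undo .reg string escaping (doubled backslashes and escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", name)


def find_cryptodefense_keys(reg_text: str) -> Dict[str, dict]:
    """Map each 32-hex identifier key found to its finish flag and PROTECTED list."""
    result: Dict[str, dict] = {}
    current_ident = None
    in_protected = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            if m:
                current_ident = m.group(1).upper()
                in_protected = m.group(2) is not None
                result.setdefault(current_ident, {"finished": False, "protected": []})
            else:
                current_ident, in_protected = None, False  # some other key
            continue
        if current_ident is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if in_protected:
            result[current_ident]["protected"].append(name)
        elif name.lower() == "finish" and data == '"1"':
            result[current_ident]["finished"] = True
    return result


if __name__ == "__main__":
    for ident, info in find_cryptodefense_keys(SAMPLE_REG).items():
        print(f"{ident}: finished={info['finished']}, "
              f"{len(info['protected'])} protected file(s)")
        for path in info["protected"]:
            print("   ", path)
```

Regedit writes "Version 5.00" exports as UTF-16 LE, so open a real export with encoding="utf-16" before passing its text to find_cryptodefense_keys. The identifier it reports should match the one at the start of the encrypted files, and the PROTECTED list is a second, independent inventory of what was encrypted.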