Sometimes we all stumble into something really good entirely by accident. We’ve all done it; they call that serendipity. And our serendipitous moment came last summer when we finally got tired of trying to get Malwarebytes to listen to us when we notice they stopped detecting the worst PUPs. We had been long-time supporters of Malwarebytes and had they listened to us we would have never found Emsisoft.
After we gave up on Malwarebytes, we spent two weeks testing every antimalware program we could find. Funny thing, some of these antimalware programs were malware themselves (iObit comes to mind).So when we found Emsisoft, we were very impressed. When we learned it was also an antivirus — one of the very top antiviruses — we were sold on it. It did a splendid job in our tests and used very little in the way of resources. It was the best antivirus/anti-malware programs we had ever used.
That was almost a year ago. We’ve been working with the good people at Emsisoft for almost a year know and we’ve learned that the people behind Emsisoft are as good as the software they make. They’re good people. They are in business to make money, but they also listen. And recently when a new threat emerged they found a fix for it and they offered a free tool to remove this nasty new malware. They didn’t do it for publicity – hardly anyone noticed – they didn’t want anyone to notice. But we noticed and we want you to notice too.
The following article is from Emsisoft’s blog. Please read it – it shows you just what kind of people they are. We’re lucky we found them – they’re a company we trust. The listen to us and they listen to you.
CryptoDefense: The story of insecure ransomware keys and self-serving bloggers
The past week has been particularly eventful for the Emsisoft Malware Research team. It all started about 2 weeks ago, when we received reports of a new ransomware from our friends over at BleepingComputer. A considerable amount of users reported that their files had been encrypted and that all that was left on their system was the following ransom note:
The self-proclaimed name of the culprit? CryptoDefense.
To the attentive reader the name CryptoDefense may look quite familiar, as it sounds suspiciously similar to the infamous CryptoLocker ransomware that has been active since late last year. Like CryptoLocker, CryptoDefense also spreads mostly through spam email campaigns, and it also claims to use RSA with 2048 bit keys to encrypt the user’s files. Like CryptoLocker, CryptoDefense also claims that encrypted files can’t possibly be decrypted; but unlike CryptoLocker this claim was not initially true.
One of the key differences between CryptoDefense and CryptoLocker is the fact that CryptoLocker generates its RSA key pair on the command and control server. CryptoDefense, on the other hand, uses the Windows CryptoAPI to generate the key pair on the user’s system. Now, this wouldn’t make too much of a difference if it wasn’t for some little known and poorly documented quirks of the Windows CryptoAPI. One of those quirks is that if you aren’t careful, it will create local copies of the RSA keys your program works with. Whoever created CryptoDefense clearly wasn’t aware of this behavior, and so, unbeknownst to them, the key to unlock an infected user’s files was actually kept on the user’s system.
If there was a blooper reel of malware authors’ funniest mistakes this one would surely make the cut, and when we first picked up on this little quirk about 10 days ago we simply couldn’t believe it. Once the shock wore off, we quickly developed a decryption tool that could retrieve this key and had a working prototype in just one day. With this, we had a functional decrypter that could unlock CryptoDefense, but we still faced an interesting conundrum. How to get our tool out to the most victims possible without alerting the malware developer of his mistake?
After a bit of thought, our solution was simple: Seek out CryptoDefense victims directly and offer our fix in private. To do so, we searched through various support forums for anyone who may have been affected and also posted announcements to contact us for help, in the hope that these announcements would be seen by people who were searching for a solution. We also shared the decrypter and instructions on how to use it with a number of trustworthy volunteers who help out in these support communities, to give us a wider reach. As it turned out, this approach was very effective, however it did come with cost: Emsisoft received 0 publicity for its findings, and gained little attention from the press.
This lack of publicity was of course our intent, but despite our discreetness, CryptoDefense’s author still caught on to us. After about 5 days, he identified who we were and what we were doing to help his victims, but he still did not have access to the decrypter we used and had no idea how we were unlocking his victims’ files. Surely, this infuriated him, and pretty soon he tried to take down the contact address we left in various support communities by flooding it with emails. No doubt, this was an act of desperation, undertaken to try to prevent us from communicating with victims, but this too proved ineffective. We received over 30,000 emails within just a few hours, but were able to sidestep the attack with some clever server side filtering, and soon we were back online to answer requests for help from CryptoDefense victims.