Pay up or... We'll let you go. Flawed ransomware leaves behind its key
Locking up a user's PC and demanding a payment to release it has proved very profitable for the cyber crime community.
So much so that malware authors have been turning their hand to new variants. Security software specialist Symantec has been taking a closer look at one such variant, the CryptoDefense trojan, which it first detected in February.
Symantec estimates that CryptoDefense has earned its creators some $34,000 in its first month and describes it on its official blog as, "...a sophisticated hybrid design incorporating a number of effective techniques previously used by other ransomcrypt malware authors to extort money from victims".
CryptoDefense locks up users' data with a 2048-bit RSA key. The private key needed to decrypt the content is then sent to the attacker's server, where it is held until the ransom is paid. However, the program's developers seem to have overlooked the fact that a copy of the key is also left in a folder on the victim's machine. Symantec says, "...the malware author's poor implementation of the cryptographic functionality has left their hostages with the key to their own escape". It's rather like the jailer leaving the key to your cell on a hook just next to the bars.
The malware is being distributed in spammed emails as an attached zip file. Symantec says it has blocked over 11,000 CryptoDefense infections in more than 100 countries since its discovery, the majority in the US.
Of course, if you had fallen victim to this infection, you would be unlikely to have the technical ability needed to take advantage of the flaw to disable it. Still, it's nice to know that sometimes the malware writers make mistakes.