How to Decrypt CryptoDefense Files (HowDecrypt)
CryptoDefense is a new ransomware trojan in the same family as Cryptorbit, HowDecrypt and CryptoLocker that targets computers running Windows. CryptoDefense was released at the end of February and appears to be a hybrid derived from Cryptorbit; unlike its predecessor, it fully encrypts your data.
When activated, CryptoDefense encrypts certain file types stored on your local and mounted network drives using RSA-2048 public-key cryptography, with the private key stored only on the malware's control servers. CryptoDefense leaves Access database files untouched, but does encrypt .doc, .xls, .bmp and .txt files, as well as images and videos.
CryptoDefense creates How_Decrypt.html, How_Decrypt.txt and a shortcut to How_Decrypt.html in every folder in which a file was encrypted. These files contain instructions on how to pay the ransom. Furthermore, CryptoDefense creates a HKCU\Software\<unique ID>\ registry key and stores its configuration information in it; all encrypted files are listed under the HKCU\Software\<unique ID>\PROTECTED key. The malware then displays a ransom message offering to decrypt the data for bitcoins worth about $500. After 4 days, the criminals double the ransom and ask for bitcoins worth $1000. If payment is not made by the stated deadline, CryptoDefense threatens to delete the private key.
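The registry artifacts described above are useful for triage: the PROTECTED key is effectively the malware's own inventory of what it encrypted, which tells you which files to look for in backups or shadow copies. The following PowerShell script is an added example written for this article, not code from the original page or from any vendor; it walks HKCU\Software looking for a subkey that carries a PROTECTED child, and dumps every value found there. The exact value layout under PROTECTED is not documented on the page, so the script assumes nothing about it and prints value names and data as found. The report path is a constructed default.

```powershell
# Added example (not from the original article): find the CryptoDefense-style
# HKCU\Software\<unique ID>\PROTECTED key and list what it records.
# The value layout under PROTECTED is an assumption: every value name and its
# data are printed as found, so the output can be used as an inventory of the
# files the malware claims to have encrypted.

function Find-CryptoDefenseRegistryArtifacts {
    [CmdletBinding()]
    param(
        # Constructed default location for the triage report
        [string]$ReportPath = (Join-Path $env:TEMP 'cryptodefense_protected_files.txt')
    )

    $entries = @()
    foreach ($sub in Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue) {
        $protectedPath = Join-Path $sub.PSPath 'PROTECTED'
        if (-not (Test-Path -LiteralPath $protectedPath)) { continue }

        $protected = Get-Item -LiteralPath $protectedPath
        foreach ($name in $protected.GetValueNames()) {
            $entries += [pscustomobject]@{
                UniqueId = $sub.PSChildName          # the <unique ID> subkey name
                Name     = $name                     # value name (default value shows as empty)
                Data     = $protected.GetValue($name)
            }
        }
    }

    if ($entries.Count -eq 0) {
        Write-Host 'No HKCU\Software\<id>\PROTECTED keys found.'
        return $entries
    }

    # One tab-separated line per entry so the list can feed a backup or restore job
    $entries | ForEach-Object { "{0}`t{1}`t{2}" -f $_.UniqueId, $_.Name, $_.Data } |
        Set-Content -LiteralPath $ReportPath
    $keyCount = ($entries.UniqueId | Select-Object -Unique).Count
    Write-Host "Found $($entries.Count) PROTECTED entries under $keyCount key(s); report: $ReportPath"
    return $entries
}

Find-CryptoDefenseRegistryArtifacts | Format-Table -AutoSize
```

Run it in the infected user's session (the key lives under HKCU, so another account will not see it). The script only reads the registry; it deliberately does not delete the key, because the PROTECTED list is the most complete record you have of which files need recovery.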
Thanks to the people at Emsisoft and BleepingComputer.com, there is a way to recover your encrypted files, or at least most of them. (*PLEASE DO NOT ATTEMPT TO DECRYPT YOUR FILES BEFORE REMOVING THE ACTIVE INFECTION)
If you notice that you are infected, we at MalwareKillers.com recommend downloading SpyHunter Malware Security Suite from our web page: https://www.malwarekillers.com/download-page/ to automatically remove the active infection. Be advised, however, that even after the infection has been removed successfully, your files will remain encrypted. Once you have removed CryptoDefense (see our article HERE), you can try to recover your files using the limited methods below:
How to Recover Files Encrypted by CryptoDefense:
*Please note that there are only limited methods of decrypting files encrypted by CryptoDefense. The infection may also delete all your Shadow Volume Copies. The only certain way to restore your files is from a backup copy.
You can try to restore your files from a system backup. If no backup is available, you can attempt to recover your files using the Shadow Copy Service. Since Windows XP Service Pack 2, Windows has included a feature called the Shadow Copy Service that, if enabled, automatically creates backup copies of your files. This method may not work, as CryptoDefense attempts to clear your shadow copies when it is installed.
1. How to restore files using the Shadow Copy Service:
Method 1. Using native Windows Previous Versions:
*Be advised that the Windows System Protection option must have been enabled prior to the infection for this method to work.
1. Right-click on the encrypted file and select Properties from the context menu;
2. Go to the “Previous Versions” tab (if the tab is missing, the Windows System Protection option has not been enabled);
3. Choose the latest previous version and click the Copy button, then select the directory you wish to restore the file to. If you prefer to restore the selected file in place, click the Restore button.
This method can also be used to restore an entire folder: right-click the folder, choose Properties, and open the Previous Versions tab.
Method 2. Using Shadow Explorer:
You can also use a program called Shadow Explorer to restore entire folders. You can download the program from the following link: http://www.shadowexplorer.com/downloads.html
When you download and run the program, you will see a list of your available drives on the left side, and next to it the dates on which shadow copies were created. Select the drive and the date you wish to restore from.
2. How to recover files encrypted by CryptoDefense using Emsisoft Decryptor
If you were infected by CryptoDefense on or before April 1st, 2014, there is a chance you can recover the decryption key. A flaw in the early versions of CryptoDefense leaves the decryption key stored on the user's machine. Fabian Wosar of Emsisoft discovered the flaw and developed a decrypter. Unfortunately, newer versions of CryptoDefense no longer leave the key behind. Thus, if you were infected with CryptoDefense before the aforementioned date, you can attempt to retrieve the key and decrypt your files:
1. Please download decrypt_cryptodefense.zip from the link below:
2. Once you have downloaded the file, right-click it and select “Extract All”. When extraction completes, all files will be in a folder and you will see two files. CryptoOffense.exe is needed only if you want to decrypt the encrypted files on a different computer.
The second file, decrypt_cryptodefense.exe, is the tool that automatically extracts the encryption key from your computer in order to decrypt your files. Temporarily disable your anti-virus software for the duration of the decryption, as it may interfere with the decrypter.
3. Launch decrypt_cryptodefense.exe.
4. Click the “Decrypt” button to start the decryption process. The Emsisoft decrypter recursively scans all added folders for encrypted files, then attempts to retrieve the decryption key from the logged-in account. If a key is found, a message like the following is shown:
“Loaded private key from current user’s key storage!”
The decrypter then automatically starts decrypting the encrypted files on your machine. The process can be time-consuming; while the tool is decrypting your files it may appear to stall or freeze on a certain file and stop responding. This is normal; please be patient.
If the Emsisoft decrypter is unable to retrieve the key, it displays the message shown below:
“No CryptoDefense key found”
Unfortunately, this means that it will not be able to decrypt your files.
If the program was able to retrieve the key but you receive errors stating “File could not be decrypted properly” or “Skipping …”, your key may have been overwritten. In that case, there is one remaining possibility to recover your decryption key: it is saved in the %appdata%\Microsoft\Crypto\RSA folder. If a Shadow Copy of that folder exists, you can try to restore the folder to a previous state. Then run decrypt_cryptodefense.exe once again and check whether it can retrieve the key and restore your files.
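Both the Previous Versions method above and this last step rely on the same thing: a Volume Shadow Copy that predates the infection. The PowerShell script below is an added example written for this article, not code from the original page or from Emsisoft. It lists the shadow copies that survived on the C: volume, exposes the newest one through a directory symbolic link, and copies the per-user CryptoAPI key store (the %appdata%\Microsoft\Crypto\RSA folder named above) out of that snapshot into a side folder, so the live profile is never touched. It assumes the profile lives on C:, that the shell is elevated (querying VSS and linking a GLOBALROOT device require Administrator), and that the chosen snapshot is older than the infection; the mount point and destination paths are constructed placeholders.

```powershell
# Added example (not from the original article or from Emsisoft): recover the
# CryptoAPI key store from a surviving shadow copy without modifying the live
# profile. Assumes an elevated shell and that %APPDATA% is on the C: volume.

function Get-SurvivingShadowCopies {
    param([string]$DriveLetter = 'C:')
    # Match shadow copies to the volume by its \\?\Volume{GUID}\ name.
    # An empty result means the malware's shadow-copy cleanup succeeded and
    # only a backup can help.
    $volume = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$DriveLetter'").DeviceID
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume } |
        Sort-Object -Property InstallDate -Descending |
        Select-Object -Property ID, InstallDate, VolumeName, DeviceObject
}

function Restore-KeyStoreFromShadow {
    param(
        # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3 (from Get-SurvivingShadowCopies)
        [Parameter(Mandatory = $true)] [string]$DeviceObject,
        # Constructed paths: where the snapshot is linked and where the copy goes
        [string]$MountPoint  = 'C:\shadow_recovery',
        [string]$Destination = (Join-Path $env:USERPROFILE 'Desktop\Recovered_RSA_Keys')
    )

    # Key store path relative to the volume root, so it resolves inside the
    # snapshot (strip the "C:\" prefix from %APPDATA%).
    $relativeAppData = $env:APPDATA -replace '^[A-Za-z]:\\', ''
    $source = Join-Path (Join-Path $MountPoint $relativeAppData) 'Microsoft\Crypto\RSA'

    if (Test-Path -LiteralPath $MountPoint) {
        throw "Mount point $MountPoint already exists; choose an empty path."
    }

    # The trailing backslash on the device path is required for the link to resolve.
    cmd.exe /c mklink /d "$MountPoint" "$DeviceObject\" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed for $DeviceObject" }

    try {
        if (-not (Test-Path -LiteralPath $source)) {
            Write-Warning "Snapshot has no key store at $source"
            return $false
        }
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        Copy-Item -LiteralPath $source -Destination $Destination -Recurse -Force
        $count = (Get-ChildItem -LiteralPath $Destination -Recurse -File).Count
        Write-Host "Copied $count key-container file(s) from the snapshot to $Destination"
        return $true
    }
    finally {
        # rmdir removes only the link, never the snapshot contents
        cmd.exe /c rmdir "$MountPoint" | Out-Null
    }
}

$shadows = @(Get-SurvivingShadowCopies)
if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies survived on this system.'
} else {
    $shadows | Format-Table -AutoSize
    Restore-KeyStoreFromShadow -DeviceObject $shadows[0].DeviceObject
}
```

Once the key containers have been copied out, back up the current %appdata%\Microsoft\Crypto\RSA folder before replacing its contents with the recovered ones, then re-run decrypt_cryptodefense.exe as described above. If the newest snapshot is itself from after the infection, pass an older entry's DeviceObject from the printed table instead.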
If none of the above methods work, the last option is to restore your files from a backup copy (if you have one).
To successfully remove and learn more about the newest ransomware CryptoDefense, please read our article HERE.
To successfully remove and learn more about Cryptorbit or HowDecrypt ransomware, please read our article HERE.
To learn how to recover your files encrypted by older ransomware like Cryptorbit or HowDecrypt, please read our article HERE.