CryptoDefense: The story of insecure ransomware keys and self-serving bloggers

The past week has been particularly eventful for the Emsisoft Malware Research team. It all started about 2 weeks ago, when we received reports of a new ransomware from our friends over at BleepingComputer. A considerable number of users reported that their files had been encrypted and that all that was left on their system was the following ransom note:

The ransomnote left by CryptoDefense on the victim's computer

The self-proclaimed name of the culprit? CryptoDefense.

To the attentive reader the name CryptoDefense may look quite familiar, as it sounds suspiciously similar to the infamous CryptoLocker ransomware that has been active since late last year. Like CryptoLocker, CryptoDefense also spreads mostly through spam email campaigns, and it also claims to use RSA with 2048-bit keys to encrypt the user’s files. Like CryptoLocker, CryptoDefense also claims that encrypted files can’t possibly be decrypted; but unlike CryptoLocker, this claim was not initially true.

One of the key differences between CryptoDefense and CryptoLocker is the fact that CryptoLocker generates its RSA key pair on the command and control server. CryptoDefense, on the other hand, uses the Windows CryptoAPI to generate the key pair on the user’s system. Now, this wouldn’t make too much of a difference if it weren’t for some little-known and poorly documented quirks of the Windows CryptoAPI. One of those quirks is that if you aren’t careful, it will create local copies of the RSA keys your program works with. Whoever created CryptoDefense clearly wasn’t aware of this behavior, and so, unbeknownst to them, the key to unlock an infected user’s files was actually kept on the user’s system.
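As an added illustration (not Emsisoft’s CryptoOffense tool or its decrypter), the PowerShell below uses .NET’s wrapper around the CryptoAPI to show the behaviour described above: an RSA key pair generated in a named key container is written into the user’s profile under %APPDATA%\Microsoft\Crypto\RSA, and a second helper lists key files created close to a reference time such as the ransom note’s creation time, which is the check a responder would run on an affected machine. The container name, the time window and the note’s filename are assumptions.

```powershell
# Added example: demonstrates where the Windows CryptoAPI persists an RSA key pair
# generated in a named key container, and a triage helper for responders.
# Not part of Emsisoft's tooling; container name and time window are assumed.

function New-PersistedRsaKeyDemo {
    param([string]$ContainerName = "KeyPersistenceDemo-" + [guid]::NewGuid())
    # Giving CspParameters a container name makes the CSP persist the key pair
    # into the user's profile instead of keeping it in memory only.
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $ContainerName
    $rsa  = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048, $csp)
    $info = $rsa.CspKeyContainerInfo
    $keyDir  = Join-Path $env:APPDATA "Microsoft\Crypto\RSA"
    # UniqueKeyContainerName is the on-disk file name under RSA\<user SID>\.
    $keyFile = Get-ChildItem -Path $keyDir -Recurse -File `
               -Filter $info.UniqueKeyContainerName -ErrorAction SilentlyContinue |
               Select-Object -First 1
    $result = [pscustomobject]@{
        Container  = $info.KeyContainerName
        Exportable = $info.Exportable          # default for keys created this way
        KeySize    = $rsa.KeySize
        OnDisk     = [bool]$keyFile
        Path       = if ($keyFile) { $keyFile.FullName } else { $null }
    }
    # Clean up: clearing the flag and calling Clear() deletes the container again.
    $rsa.PersistKeyInCsp = $false
    $rsa.Clear()
    return $result
}

function Find-KeyFilesNearTime {
    # Lists key-container files whose creation time lies within $WindowMinutes of
    # $Reference, e.g. the creation time of the HOW_DECRYPT note (filename assumed):
    #   Find-KeyFilesNearTime -Reference (Get-Item "$env:USERPROFILE\HOW_DECRYPT.txt").CreationTime
    # Note: the file contents are protected with a user- and machine-specific key,
    # so copying a file elsewhere does not yield the private key; an export must be
    # done under the same user profile on the same system.
    param(
        [Parameter(Mandatory)][datetime]$Reference,
        [int]$WindowMinutes = 30
    )
    $keyDir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA"
    Get-ChildItem -Path $keyDir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { [math]::Abs(($_.CreationTime - $Reference).TotalMinutes) -le $WindowMinutes } |
        Sort-Object CreationTime |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}
```

Running New-PersistedRsaKeyDemo on a Windows host returns OnDisk = True with the path of the newly written key file, which is exactly the trace the post refers to.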

If there was a blooper reel of malware authors’ funniest mistakes, this one would surely make the cut. When we first picked up on this little quirk about 10 days ago we simply couldn’t believe it. Once the shock wore off, we quickly developed a decryption tool that could retrieve this key and had a working prototype in just one day. With this, we had a functional decrypter that could unlock CryptoDefense, but we still faced an interesting conundrum: how to get our tool out to as many victims as possible without alerting the malware developer to his mistake?

After a bit of thought, our solution was simple: Seek out CryptoDefense victims directly and offer our fix in private. To do so, we searched through various support forums for anyone who may have been affected and also posted announcements to contact us for help, in the hope that these announcements would be seen by people who were searching for a solution. We also shared the decrypter and instructions on how to use it with a number of trustworthy volunteers who help out in these support communities, to give us a wider reach. As it turned out, this approach was very effective; however, it did come with a cost: Emsisoft received 0 publicity for its findings, and gained little attention from the press.

This lack of publicity was of course our intent, but despite our discretion, CryptoDefense’s author still caught on to us. After about 5 days, he identified who we were and what we were doing to help his victims, but he still did not have access to the decrypter we used and had no idea how we were unlocking his victims’ files. Surely, this infuriated him, and pretty soon he tried to take down the contact address we left in various support communities by flooding it with emails. No doubt, this was an act of desperation, undertaken to try to prevent us from communicating with victims, but this too proved ineffective. We received over 30,000 emails within just a few hours, but were able to sidestep the attack with some clever server-side filtering, and soon we were back online to answer requests for help from CryptoDefense victims.

So why are we writing a blog post about this now? Valid question – especially when we had taken such great efforts to ensure secrecy. Well, once again, the answer is simple. We weren’t the only ones to catch this malware author’s mistake. Other parties did indeed notice what was going on, however they didn’t quite share the same concern for victims as we did, and chose quick publicity over helping CryptoDefense victims recover their files.

On March 31st, a large anti-virus company and one of our competitors decided to release a blog post detailing CryptoDefense and the tremendous mistake its author had made. Unfortunately, this blog post also contained enough information to help the CryptoDefense developer find and correct the flaw in his program. This post was quickly picked up by the press, and merely 24 hours later the malware author started spreading an improved version of CryptoDefense – a version that no longer leaves any keys on the victim’s system. This unfortunate series of events proves a point that Emsisoft has recognized since our foundation: Sometimes there are things that are better left unsaid, even if it means not promoting our company’s achievements.

Before our competitor inadvertently helped CryptoDefense’s author realize his mistake, Emsisoft had been contacted by at least 450 malware victims asking for help. We managed to decrypt at least 350 computers, lowering the malware author’s potential income by at least $175,000 and helping many individuals, families, and companies retrieve their important files.

We may not have gotten the attention the other company did, and we may not have made Hacker News, but in the end we believe we did the right thing and contributed to a more Malware-Free World.

For us, that is all that matters.


Your Emsisoft Malware Research Team.

  • The Decrypter link is posted on many forums like BleepingComputer, so why is it not posted on the Emsisoft website itself?

  • Fabian Wosar

    Our friends over at BleepingComputer have created a very informative guide on how to decrypt your files that have been encrypted by CryptoDefense:

    • Aaron Wilson

      I could not get it to work it said that it could not find the key when I ran the offense tool.

      • Fabian Wosar

        In that case you were most likely infected by the new malware variant,
        that no longer has the flaw. Sorry, but your best course of action at
        this point is to restore from a backup.

    • Aaron Wilson

      Your assistance in any way would be greatly appreciated; you can email me directly, I’d be glad to pay.

  • Wow, that’s some story. Thanks a lot for sticking up for us! Some people are sports fans, you also have rock fans and turbofans but I’m an Emsisoft Fan.

  • cortar el cesped

    You guys are #1 in my book, modesty is a value so lost in today’s ambitious, prideful society. (two words of which, 100 years ago, were very unbecoming of man)

  • It is refreshing to see a company so dedicated to integrity, and the best interests of victims that aren’t even their clients per se. My hat is off to you, and I will continue to promote your malware removal tools.

  • Legend

    @ Emsisoft, in your article you wrote, ”Emsisoft received 0 publicity for its findings, and gained little attention from the press.” But you gain my, and the community’s, and the victims’ saved by your act, deepest respect. I am proud that I am holding a subscription to a company with the right attitude.

  • Xa

    Job well done.

  • Anthony

    I have a backup of the folders that the keys may be in. Is there a way to run the program on a different machine to decrypt the files?

    • Fabian Wosar

      That unfortunately won’t work. The private key contained inside the files you backed up is encrypted using a system and user specific key. So the only documented way to get to it is using the same system and user profile that was initially infected. However, once you got the key exported using the CryptoOffense tool we provide, you can transfer the secret key to any other system to perform the actual decryption. Our friends over at BleepingComputer compiled a very good guide outlining the entire process here:

      • Anthony

        This infection happened 3 weeks ago so the computer was formatted, but I have a backup of the encrypted files. Is there a way to decrypt the files if I have the private key?

        • Fabian Wosar

          If you do manage to obtain the private key, decryption is possible, yes.

          • Anthony

            I believe I do have the private key in a .txt file. How would I decrypt the files or at least try to decrypt the files? Is there a program I need? Do I need the public key? How do I get that? Thank you for your help.

          • Fabian Wosar

            You can follow the instructions here:


            The only difference is that before you start the decrypter (decrypt_cryptodefense.exe) you put the private key into the same directory as the decrypter using the file name “secret.key”.

          • Anthony

            I renamed the private key to “secret.key” and put it in the same directory as decrypt_cryptodefense.exe and I get this message when I run the program:
            “No CryptoDefense private key has been found. Please run the decrypter on the infected machine under the same user that encrypted your files. If you want to use a private key export as provided by the malware author or by the CryptoOffense tool to decrypt your files, you can place it as “secret.key” in the same directory as the decrypter.”
            Any suggestions?

          • Fabian Wosar

            Can you please send me the secret.key you try to use via email to [email protected]? Thanks :).

  • Glenn Ng Eng Kiat

    Got infected by this virus on 5/4/14 and the funny thing is nobody was in the office. Computer was left on and connected but nobody was around so am not sure how this thing hits me. All my documents are locked now ahhhhhh

    • Fabian Wosar

      The system may have been infected by a different malware already that downloaded and installed CryptoDefense when the system was idle. If you want you can contact our support at [email protected] to get a free check and cleanup of your infected system. However, given the time of the infection it is unlikely that the files can be decrypted. So you will likely need to restore your encrypted data from your backups.

  • guest 2

    Good job Emsisoft! Thanks for being such a great program.

  • Fabian Wosar

    Actually, the shadow copies are indeed deleted. However, on some systems the deletion fails due to missing access rights. Instead of going through all files manually, you may want to give the free tool Shadow Explorer a try. It works really well when trying to restore files in bulk :).

  • Snobs

    Hi Fabian, really need your help. I ran the Emsisoft Decryptor. It decrypted all the infected files on my PC but at the same time damaged all the files. Not even a single file is opening. The pdf files give an error saying the file is not correctly decoded. And the word give an error saying that the file is corrupt and cannot be opened.

    So I’m frustrated as Emsisoft seems to have worsened the damage. Please help!

    • Fabian Wosar

      Can you please send one of those “corrupted” files to [email protected]? Thanks :).

  • Frank

    My computer was infected on April 4th and after spending a couple days researching cryptolocker & cryptodefense online I realized my only option was to gamble and pay the ransom if I wanted my files back. I paid the ransom on Monday and within a few hours I received the key and the decrypter. I ran the decrypter and it opened about 10% of my files. Now it just quickly scans and shows complete without decrypting any more. I also read about the emsisoft decrypter on Monday and downloaded it. I moved a copy of the supplied key into the folder with it and started it decrypting files. It is still running and has decrypted some files but also skips the majority of them. Is there any way I can get the other files decrypted?

    • Fabian Wosar

      Can you send one of the encrypted files that the decrypter doesn’t want to decrypt to [email protected]? Thanks :).

      • Frank

        Yes. I’ll do so later today. The infected computer is disconnected at the moment. Thanks for the help.

        • Tony Chiu

          Dear Frank, I want to know the status, can you decrypt all the files now? I have no solution now, so planning to pay the ransom but worry I can’t encrypt those significant files

          • Frank

            Nope. I only recovered about 10% of my pictures and about 5% of my total files. I wouldn’t recommend paying the ransom considering the small amount of return that I got.

          • Tony Chiu

            Damn it, do you have any way to achieve the rest of the files?

          • Frank

            Not that I’ve heard of. It seems that the people that wrote the virus are smarter than all of the other computer geniuses in this world.

          • Tony Chiu

            Thanks Frank! That really upsets me!

          • Tony Chiu

            Dear Frank, I really can’t find any solution and the photos are very important to me, I want to pay the ransom but how can you pay by bitcoin! I don’t have bitcoin, can I use credit card or PayPal to purchase bitcoin to pay! Very urgent now

    • Tony Chiu

      Dear Frank,
      Finally I paid the ransom, but how long does it take to get the key? The status keeps at “Not checked”? Any idea will be appreciated.

      • Rolo

        Hi @tony_chiu:disqus and @disqus_tZ9C6s74ow:disqus I paid the ransom from Bitstamp yesterday and I was only able to find the transaction ID today which I have submitted on the ransom website over an hour ago. How long did it take until the transaction status changed from ‘not checked’ to something else? I sent an email to the ransom and still no response…

        • Tony Chiu

          Dear Rob,

          After I paid the ransom and submitted the transaction ID, it took almost 10 hrs to change the status, and yes, I can download the key and start decrypting my files.
          Until now it decrypted almost 60% of all files

  • Frank

    Thanks for the reply Matt but it still does the same thing. Just a quick scan and shows that 0 files were successfully decrypted.

  • Ben

    First, thanks for your work on this problem. I have the RSA directory. But, there are about 12 different files in there???? Can your decrypt utility determine what is the correct key? (I am assuming that multiples have been created) Thanks!

    • Fabian Wosar

      It is normal that you have multiple keys in your RSA directory, as a lot of applications do use the Windows CryptoAPI. The decrypter will find the correct key automatically. If no key can be found, it usually means it is not there or has been overwritten since the infection.

      • Ben

        Thanks Fabian. I have read the instructions on bleepingcomputer, and your responses to others here, and it looks like I may be screwed. Your decrypter does say that the key is found and loaded. Once I start the process, immediately I get messages stating that “XXXX” file can’t be properly decrypted, skipping. I let it run for a bit then abort, and in the log, 0 files are decrypted. Is there anything else to try, even if it’s a long shot???

  • Javad

    Dear Fabian
    Please, please, please, please help me…
    I got infected on 12/04/2014 and your decrypt software didn’t work for me. I’m working in a company in Iran and I lost all of my very important data and the company wants to fine me about 2,400 USD. I am ready to pay the author of the malware the 500 USD but because of sanctions, I can’t pay from Iran. Please help me if you can. Unfortunately I have no backup of my computer and there is no restore point available. It would be a disaster for me to be fined and leave my job. Again I tell you: Please help me. There are also 4 files with different names in the key directory but I don’t know if they work or not.

  • Rego

    Dear Fabian,

    My PC also has been infected on 11/04/2014. I tried to decrypt the files but CryptoOffense tells me: “Found a key, but it does not look like a key CryptoDefensw Sorry (1024 Exportable).!.”

    Nor can I retrieve files from a backup, because I do not have one. I must try to recover most of these files because they are important for my work. Could you help me?

  • Tony Chiu

    Please help, my notebook was also infected by CryptoDefense, and I did follow the Bleeping Computer guide but no luck solving it, and the shadow copy also seems unable to get the correct RSA key. So is the only way to pay the ransom? Any other solution will be appreciated. By the way, if the only way is to pay the ransom, does it mean I can encrypt all the files!

  • Bob Berman

    Hi Fabian, Add a client of mine to the long list! XP machine, when I run the decrypt_cryptodefense.exe and scan, it comes back with the “Loaded private key from current user’s key storage!”, scans for some time, then comes back without any error and says that 0 files successfully decrypted, 0 caused errors and 0 notes deleted. I fear that this means that it is not finding the correct RSA key, but the documentation says that I would get an error if it was not found. Anything additional I can try? Greatly appreciate your efforts on this for the community. Bob

  • dude

    Hi, question: when the virus is re-run… will it continue encrypting stuff? (where does it get the key from? download it from server? or is the key hidden somewhere on the harddisk? (then it would be possible to extract it somehow right?)) A 20-employee company in Germany now has a major problem because of this virus… because the infected pc (AVG antivirus fake software?) had access to mapped network shares… which contained important files on a NAS. (the NAS was used as a backup) Acronis True Image has incrementally saved the pc.

    The pc was infected on 16.4.2014 (HOW_DECRYPT first creation date).
    Acronis made a backup on 14.4.2014, so the local files would not be a problem to restore… but the files on the NAS were not incrementally backed up.

    Can some NSA-FBI-CIA please dedicate some resources towards that direction instead of drone-killing innocent people in Afghanistan?

    • Hallie

      I was hit by CryptoDefense on 24th April. I had a NAS with backups of my SSD drives from 2 connected PCs. Decrypted the backups as well as my music files and old jpeg family photos that I scanned. My Excel Tax files, collections databases, resumes, PDFs, and am I P15SED OFF. What are international agencies doing to stop these cyber thieves? Only big business and companies can afford the ransom, not the average home user or small businessman who loses all his files to encryption.
      Best way to backup is to a detachable USB drive; when backup is done, disconnect it from the PC.
      How did I get it, I clicked on a popup that asked me to update JAVA, it fooled me, looked so genuine.
      I feel sorry for those hit harder than me. This is the next wave of virus attack. RSA-2048 encryption is probably the strongest encryption to crack, apparently it would take a super computer a thousand years to find the key.
      There must be a smart genius 16 year old hacker-turned-goodie out there that can reverse engineer this virus… where are you? Let me guess, you are not a goodie, you work for CryptoTheif.
      IMHO – the files are locked FOREVER.

      • dude

        Thanks for this report… at least I know now one way the virus got into the 20x employee company…. employee. Will very massively ramp up on security now. No unrestricted internet to employees anymore. Every single website they want to visit will have to go into a whitelist… that’s about it.

  • Andrea Brice

    Emsisoft you saved my A**!!! I am a graphic designer and if it wasn’t for you, I would have lost all my work from the last 7 years for my career.

    It took several days to decrypt all my files and the only thing it wasn’t able to decrypt was about 700 of my mp3 files… which in the long run is not a big deal, as it could have been so much worse… you are geniuses and I agree it was not smart for the other group to talk about the flaw… I feel sorry for the people hit with the virus after that date.

    I learned my lesson… have several back ups and remember to unplug your external drives when online. THANK YOU THANK YOU SO MUCH!

    • dude

      so you had the old version of CryptoDefense installed? lucky you.

  • Pedro Castro

    Hi my name is Peter, I have a CryptoDefense virus in my HP PC, this failure ran on 01/04/2014, and I checked my system with scans with alternative anti-malware tools, but can’t unlock my files, I need your help, can’t you help me please, my contact email is: [email protected]

  • dude

    where do you guys buy bitcoins? (if you live outside the US and need this stuff FAST) it is threatening to delete the keys in the next two weeks!

  • Aris Antonakis

    Hi there, what about if I have the %appdata%/roaming/microsoft/crypto/rsa generated file? Can I extract the public key using this file? And also is there a decrypt application to restore infected files from another computer? (Not the infected one). Thx in advance

  • musicmugger

    I have been a paid subscriber with Emsisoft since its early A Squared days, and I have always had great support from the company. This is just another example of why I continue to remain with them. Thanks for all your hard work guys, it’s much appreciated.

  • Matthew Godson

    Boot into safe mode by pressing F8 about once per sec during startup. Log onto your desktop in safe mode. If it asks if you want to continue in safe mode say yes. Then go to your control panel, add/remove software and uninstall the software if possible. If not, go to your start button in the lower right of your screen, then go to program files and see if it is there; if so hold your cursor over it and a new window may appear. If there is an uninstall option click that and try and do an uninstall and reboot. Whether or not any suggestions above were completed, before reboot, click the start button, then go to programs, then accessories, then system tools, then system restore, and restore your computer to a time before you installed the program. I.E. 1 month before. A system checkpoint is usually best and don’t worry, no personal files will be lost.

  • seba

    Please help to decrypt files infected with CryptoWall 3.0 ???? please help

  • plundrigan

    Does anyone know if it is possible on the infected computer, to pull the key using data recovery techniques. Does the new CryptoWall 3.0 still create the key in the RSA folder and then delete it?

  • PitKoz

    …the attack is spreading.. today I got my comp infected and got all archive files encrypted with ransom offer. there is some kind of global action against this attack by Kaspersky.. but even the Tor network address is not available… can you help ? among this are my son pictures… he is not with me anymore…
