Level 7

Ransomware - Trojan W32/CryptoDefense Not Mentioned by McAfee??

I can find no mention of the CryptoDefense ransomware Trojan.


Please update Threat Intelligence and information.

Are we protected by McAfee and which DAT?

0 Kudos
2 Replies
Level 21

Re: Ransomware - Trojan W32/CryptoDefense Not Mentioned by McAfee??

Antivirus applications only have limited defense against these things, which are only activated by some action by the user.

Read here for some excellent guidelines on this particular one:

When something like this hits you best action is to immediately power off without clicking any keys or touching your mouse.

See the last link in my signature below for more hints.


Message was edited by: Ex_Brit on 03/04/14 8:24:54 PM EDT
0 Kudos
Level 18

Re: Ransomware - Trojan W32/CryptoDefense Not Mentioned by McAfee??

This variant was only identified and published today by Microsoft

Alert level: Severe

Detected by definition: 1.169.1618.0 and higher

First detected on: Apr 03, 2014

This entry was first published on: Apr 03, 2014

McAfee haven't yet published anything about it but - especially as it has been referenced here - they will do very soon.

CryptoDefense has been around since February, but the original version had an embarrassing (for the authors) flaw: they left the decryption key in plain view on the infected systems' hard drives:

Whoever coded this made the rookie mistake of storing the decryption key in plain view – that's right, the private key is stored unencrypted on the PC's hard disk. Even though the generated private keys are uploaded to the crooks' server, allowing the crims to send the keys to victims who pay up, a copy is left on the drive by the software.

As this has been widely publicised I would guess that the latest variant is a patch rushed out to fix that little oversight.

Edit - BleepingComputer have made public the existence of the decryption key. They imply that the key is only present for systems infected before April 1st.

If your computer has been infected with CryptoDefense there may be a chance to restore your files. Fabian Wosar of Emsisoft discovered a method that allows you to decrypt your files if you were infected before April 1st 2014. Unfortunately, this only works for 50% of the infection cases but still provides a good chance of getting your files back.

For instructions on how to do this, please read this section:

How to decrypt files encrypted by CryptoDefense

Message was edited by: Hayton on 05/04/14 01:51:58 IST
0 Kudos
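The key-handling flaw quoted in Hayton's reply (the per-victim RSA private key left unencrypted on the victim's disk) is worth seeing in code, because it explains why a recovery tool was possible at all. The block below is an added example written for this page; it is not CryptoDefense code, not Emsisoft's decryptor, and not McAfee's. It is a stdlib-only toy model of a hybrid scheme: per-file symmetric keys are wrapped with a per-victim RSA public key, and the flawed variant also writes the private key to "disk" (modelled here as a dictionary). Textbook 512-bit RSA without padding and a SHA-256 counter-mode keystream are assumed stand-ins for real primitives so the example runs offline; the file contents are constructed sample data. The point the code shows is that with the leftover private key every wrapped file key can be recovered, and that the first thing a responder should check is whether such a local key copy exists.

```python
"""Toy model of the key-handling flaw described in the thread.

Added example, not code from the original page or from any malware sample.
Assumptions: textbook RSA (no padding) and a SHA-256 counter-mode keystream
stand in for real primitives; the 'disk' is a plain dict. Do not reuse the
crypto here for anything real.
"""
import hashlib
import secrets
from typing import Dict, Tuple


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)). Textbook RSA, toy sizes, no padding."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def rsa_wrap(pub: Tuple[int, int], key: bytes) -> int:
    n, e = pub
    m = int.from_bytes(key, "big")
    assert m < n, "key must be smaller than the modulus"
    return pow(m, e, n)


def rsa_unwrap(priv: Tuple[int, int], wrapped: int) -> bytes:
    n, d = priv
    return pow(wrapped, d, n).to_bytes(32, "big")


def stream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode keystream XORed over data (stand-in for AES)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def flawed_encrypt(files: Dict[str, bytes]) -> Dict[str, object]:
    """Model of the early-2014 behaviour: wrap each file key with a fresh
    per-victim RSA key, then leave the private key on disk in plain form."""
    pub, priv = rsa_keygen()
    disk: Dict[str, object] = {}
    for name, plain in files.items():
        fkey = secrets.token_bytes(32)
        disk[name] = {"ct": stream_xor(fkey, plain), "wrapped": rsa_wrap(pub, fkey)}
    disk["rsa_private_key"] = priv  # the rookie mistake the thread quotes
    return disk


def recover(disk: Dict[str, object]) -> Dict[str, bytes]:
    """Responder's view: if the private key copy is present, unwrap every
    file key and decrypt; if it is absent, nothing on disk helps."""
    priv = disk.get("rsa_private_key")
    if priv is None:
        raise ValueError("no local private key copy: cannot recover from disk alone")
    recovered = {}
    for name, entry in disk.items():
        if name == "rsa_private_key":
            continue
        fkey = rsa_unwrap(priv, entry["wrapped"])
        recovered[name] = stream_xor(fkey, entry["ct"])
    return recovered


if __name__ == "__main__":
    sample = {"notes.txt": b"quarterly figures", "photo.bin": bytes(range(70))}
    image = flawed_encrypt(sample)
    print("recovered all files:", recover(image) == sample)
```

Run as a script it encrypts two constructed files, then recovers them using only what the flawed variant left on "disk". Remove the `rsa_private_key` entry and `recover` refuses, which is the situation the thread's guess about the post-April-1st variant implies: without a local key copy the wrapped file keys are only recoverable by whoever holds the server-side private key.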