CryptoDefense and How Decrypt ransomware information guide and FAQ
|CryptoDefense and How Decrypt ransomware information guide and FAQ|
|Résumé / Summary|
|Titre||CryptoDefense and How Decrypt ransomware information guide and FAQ|
|Lien||www.bleepingcomputer.com www.bleepingcomputer.com Copie archivée chez Wayback|
|Revue, livre ou blog|
Extrait / Abstract
“ CryptoDefense is a ransomware program that was released around the end of February 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. When a computer is infected, the infection will perform the following actions:
- Connects to the Command and Control server and uploads your private key.
- Deletes all Shadow Volume Copies so that you cannot restore your files form the Shadow Volumes. This means you will only be able to restore your files by restoring from backup or paying the ransom. In some cases the infection does not properly clear the shadow copies, so you may want to use the instructions below to see if you can restore from them.
- Scan your computer and encrypt data files such as text files, image files, video files, and office documents.
- Create a screenshot of your active Windows screen and upload it their Command & Control server. This screen shot will be inserted in your payment page on their Decrypt Service site, which is explained further in this FAQ.
- Creates a How_Decrypt.txt and How_Decrypt.html file in every folder that a file was encrypted. The HTML and TXT files will contain instructions on how to access a payment site that can be used to send in the ransom.
- Creates a HKCU\Software\<unique ID>\ registry key and stores various configuration information in it. It will also list all the encrypted files under the HKCU\Software\<unique ID>\PROTECTED key.