CryptoDefense and How Decrypt ransomware information guide and FAQ

Jump to navigation Jump to search

(Publication) Google search: [1]

CryptoDefense and How Decrypt ransomware information guide and FAQ
Botnet CryptoDefense, How_Decrypt
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2014 / 2014-03-19
Editor/Conference Bleeping Computer
Link (Archive copy)
Author Lawrence Abrams
Type Blogpost


CryptoDefense is a ransomware program that was released around the end of February 2014 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. When a computer is infected, the infection will perform the following actions:

  • Connects to the Command and Control server and uploads your private key.
  • Deletes all Shadow Volume Copies so that you cannot restore your files form the Shadow Volumes. This means you will only be able to restore your files by restoring from backup or paying the ransom. In some cases the infection does not properly clear the shadow copies, so you may want to use the instructions below to see if you can restore from them.
  • Scan your computer and encrypt data files such as text files, image files, video files, and office documents.
  • Create a screenshot of your active Windows screen and upload it their Command & Control server. This screen shot will be inserted in your payment page on their Decrypt Service site, which is explained further in this FAQ.
  • Creates a How_Decrypt.txt and How_Decrypt.html file in every folder that a file was encrypted. The HTML and TXT files will contain instructions on how to access a payment site that can be used to send in the ransom.
  • Creates a HKCU\Software\<unique ID>\ registry key and stores various configuration information in it. It will also list all the encrypted files under the HKCU\Software\<unique ID>\PROTECTED key.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2014BFR16,
   editor = {Bleeping Computer},
   author = {Lawrence Abrams},
   title = {CryptoDefense and How Decrypt ransomware information guide and FAQ},
   date = {19},
   month = Mar,
   year = {2014},
   howpublished = {\url{}},