CryptoDefense is a ransomware family targeting Windows systems. It encrypts victim files using a 2,048-bit RSA public key and demands payment, typically $500 in Bitcoin, in exchange for decryption. Reported infection vectors were malicious attachments in spam emails, with activity largely observed against users in the United States and the United Kingdom. Symantec reported more than 11,000 infections and estimated operator revenue of up to $38,000 per month in Bitcoin.
The malware generated an RSA key pair on the victim machine using Microsoft's cryptographic infrastructure and Windows APIs, uploaded the private key in plain text to attacker-controlled infrastructure and, due to an implementation flaw, also left a copy of the private decryption key on the infected system's hard disk. Symantec stated that victims could check the Application Data > Application Data > Microsoft > Crypto > RSA folder for the key. The ransom workflow included Tor-based payment instructions, guidance for installing and using a Tor-enabled browser, a list of cryptocurrency exchanges, a CAPTCHA step, and ransom escalation after four days of non-payment.
CryptoDefense is described in the context of the broader rise of cryptomalware following CryptoLocker’s success and is identified as one of several copycat ransomware families alongside CryptoWall and OnionLocker.
6 distinct techniques documented for this family, organized by ATT&CK tactic.
This particular threat propagates through email-based social engineering tricks. In Australia, users are sent emails that typically look like they came from local companies such as an Australian energy supplier (view a bill) or an Australian postal delivery company (details of parcel delivery).
4 sources tracked across advisories, community write-ups, and news.
A cryptomalware family mentioned as part of the global surge in file-encrypting malware affecting users.
Named as a copycat ransomware strain related in theme to CryptoLocker.
Ransomware that encrypts victim files on Windows systems using RSA-2048 and demands payment in Bitcoin for the decryption key. The sample described mistakenly leaves the private decryption key on the victim's hard drive.
Ransomware that encrypts victim files with RSA-2048 and demands payment in Bitcoin for the private key. It spread via spam email attachments and used Tor-based payment instructions, but a flawed implementation left the private decryption key stored on the victim's hard drive.