Friday, April 25, 2014

Crypto Defense Ransomware and Open Source Intelligence


You might have heard of the Crypto Defense ransomware family; if not, please refer to this.

This morning I gave the (development version of) Hook Analyser 3.1 a shot and passed it the keyword "Crypto Defense" to understand the correlation between the behaviors of the malware variants.

Following are the results* -

Legend - 

  • Blue dot - keyword (Crypto defense)
  • Red dot - malware sample or hash
  • Black dot - IP address that the malware sample communicates with


  1. Apparently, many "unique" variants of the Crypto Defense family have been released, which suggests that this ransomware is gaining attention and is being actively used by cyber criminals.
  2. The imphashes of the variants differ, which indicates that the samples were built with different toolchains or packers and possibly by different threat actors. Note that imphash is computed over the PE import table, so a rebuilt or repacked binary gets a new imphash even when the underlying payload is unchanged; a differing imphash alone does not prove a different actor.
  3. Certain variants share IOCs, in particular the IP addresses they communicate with.
  4. The Tor network is being leveraged by the criminals behind this family for the payment / decryption process.
  5. Certain variants have been seen since 2009; however, the majority were first seen in 2013.
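The two pivots used in the observations above, imphash and shared C2 addresses, as an added example that is not part of the original post and not code from Hook Analyser: a small Python script that computes an import hash the way pefile does (lowercase "dll.function" entries, in import-table order, joined by commas and MD5'd; the ordinal-name lookup pefile performs for a few system DLLs is omitted) and then clusters a constructed sample set by imphash and by common C2 IPs. The sample names, import tables and IP addresses (TEST-NET ranges) are placeholders invented for the example, not IOCs from the post or from real samples.

```python
import hashlib
from collections import defaultdict


def imphash(imports):
    """Import hash over a list of (dll, function) pairs in import-table order.

    Follows the pefile recipe: lowercase the DLL name with a trailing
    .dll/.ocx/.sys stripped, lowercase the function name, join each as
    "dll.func", join all with commas, MD5 the result. pefile's ordinal-to-name
    lookup for oleaut32/ws2_32/wsock32 is omitted here (simplification).
    """
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed sample set (assumption: placeholder names, imports and TEST-NET IPs).
SAMPLES = {
    "variant-1": {
        "imports": [("KERNEL32.dll", "CreateFileW"), ("ADVAPI32.dll", "CryptGenKey"),
                    ("WININET.dll", "InternetOpenA")],
        "c2": {"192.0.2.10", "198.51.100.7"},
    },
    "variant-2": {  # same build as variant-1 (same import table), different file hash
        "imports": [("kernel32.dll", "CreateFileW"), ("advapi32.dll", "CryptGenKey"),
                    ("wininet.dll", "InternetOpenA")],
        "c2": {"192.0.2.10"},
    },
    "variant-3": {  # same APIs but different import order -> different imphash
        "imports": [("WININET.dll", "InternetOpenA"), ("KERNEL32.dll", "CreateFileW"),
                    ("ADVAPI32.dll", "CryptGenKey")],
        "c2": {"198.51.100.7", "203.0.113.5"},
    },
    "variant-4": {  # unrelated build that shares no infrastructure
        "imports": [("KERNEL32.dll", "VirtualAlloc"), ("USER32.dll", "MessageBoxA")],
        "c2": {"203.0.113.99"},
    },
}


def group_by_imphash(samples):
    """Cluster samples whose import tables are identical (same build/packer)."""
    groups = defaultdict(list)
    for name, rec in samples.items():
        groups[imphash(rec["imports"])].append(name)
    return dict(groups)


def shared_c2(samples):
    """Map each C2 IP to the samples contacting it, keeping IPs seen in 2+ samples."""
    by_ip = defaultdict(set)
    for name, rec in samples.items():
        for ip in rec["c2"]:
            by_ip[ip].add(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def linked_variants(samples):
    """Unordered pairs of samples linked through at least one common C2 address."""
    pairs = set()
    for names in shared_c2(samples).values():
        for a in names:
            for b in names:
                if a < b:
                    pairs.add((a, b))
    return pairs


if __name__ == "__main__":
    for h, names in group_by_imphash(SAMPLES).items():
        print("imphash", h, "->", sorted(names))
    for ip, names in sorted(shared_c2(SAMPLES).items()):
        print("shared C2", ip, "->", sorted(names))
    print("linked pairs:", sorted(linked_variants(SAMPLES)))
```

variant-1 and variant-2 land in the same imphash group despite being distinct files, while variant-3 gets a new imphash from nothing more than a reordered import table; variant-3 is nevertheless tied to variant-1 through a shared C2 address, which is the kind of link the black dots in the graph above represent. Treat both pivots as leads to validate, not as proof of a common operator.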

Indicators of Compromise (IOCs) for Crypto Defense - To help the security community and incident responders, I have uploaded the indicators of compromise of the malware variants (XML format).

*Please be advised that the results are based on information available on the Internet and may be inaccurate or incomplete. I'd recommend performing your own validation.
