Last updated on May 22nd, 2014
CryptoDefense is another nasty piece of ransomware that behaves like the CryptoLocker or CryptorBit viruses: once it infects your computer, it encrypts the files on it. The bad news with these infections is that the critical files are encrypted with strong encryption, and decrypting them without the key is practically impossible. After the infection, CryptoDefense informs the user that "All files including videos, photos and documents on your computer are encrypted" and that, in order to decrypt them, the user must pay a ransom (of $500 or $600) in Bitcoin by following a specific procedure through the Tor Browser.
The full CryptoDefense information message is as follows:
"All files including videos, photos and documents on your computer are encrypted with CryptoDefense software..
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files, you need to obtain the private key.
The single copy of the private key, which will allow you to decrypt the files, located on a secret server on the Internet; the server will destroy the key after a time specified in this window. After that, nobody and never will be able to restore files.
In order to decrypt the files, open your personal page to https://r/23sfxctgp53imlvzk.onion.to/index.php and follow the instructions.
If https://r/23sfxctgp53imlvzk.onion.to/index.php is not opening, please follow the steps below:
1. You must download and install this browser http://www.torproject.org/projects/torbrowser.html.en
2. After installation, run the browser and enter the address: 23sfxctgp53imlvzk.onion.to/….
3. Follow the instructions on the web-site. We remind you that the sooner you do, the more chances are left to recover the files.
Your Personal PAGE:https://r/23sfxctgp53imlvzk.onion.to/….
Your Personal PAGE (Using TorBrowser)
Your Personal code (if you open site directly) "
Strictly speaking, CryptoDefense is not a virus (it does not spread on its own) but a Trojan: it usually arrives as an attachment to a spam e-mail, commonly a PDF or ZIP file, and runs when the user opens it. Once CryptoDefense runs on your computer, it starts encrypting your files with strong encryption, and without the private key it is practically impossible to decrypt them.
During the infection the malicious program also drops two files (HOW_DECRYPT.HTML and HOW_DECRYPT.TXT) into every folder whose contents it encrypts; they contain the payment and decryption instructions. Because a note lands in every affected folder, these files are also the quickest way to see how far the encryption reached.
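The following script is an added example and not part of the original guide or of any tool it mentions: it uses the ransom-note file names given above to list every folder that was hit, how many other files sit beside each note, and when the earliest note was written (a good estimate of the infection time). The output path on the Desktop is an assumption; run it from an elevated PowerShell prompt after the removal steps.

```powershell
# Added example, not part of the original guide: map the scope of a CryptoDefense
# infection by finding every folder that received a ransom note. The note names
# are the ones the guide gives (HOW_DECRYPT.TXT / HOW_DECRYPT.HTML); the output
# path on the Desktop is an assumption. Run from an elevated PowerShell prompt.

$noteNames = 'HOW_DECRYPT.TXT', 'HOW_DECRYPT.HTML'

# All local drives with a letter. Add mapped network drives if the user had any;
# ransomware encrypts whatever the logged-on account could write to.
$roots = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    ForEach-Object { $_.Root }

$notes = Get-ChildItem -Path $roots -Recurse -Force -Include $noteNames -ErrorAction SilentlyContinue

# One row per affected folder, with a count of the other files that sit beside the note.
$report = $notes |
    Group-Object DirectoryName |
    ForEach-Object {
        $others = Get-ChildItem -Path $_.Name -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $noteNames -notcontains $_.Name }
        [PSCustomObject]@{
            Folder      = $_.Name
            Notes       = $_.Count
            OtherFiles  = @($others).Count
            NoteWritten = ($_.Group | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        }
    } |
    Sort-Object NoteWritten

"Folders with a ransom note: $(@($report).Count)"
"Earliest note written:     $(($report | Select-Object -First 1).NoteWritten)"
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\cryptodefense_scope.csv" -NoTypeInformation

# Same note in every folder? Identical hashes confirm it, and the hash doubles as an IOC.
# Get-FileHash needs PowerShell 4.0+; on older systems use: certutil -hashfile <file> SHA256
$notes | Where-Object Name -eq 'HOW_DECRYPT.TXT' |
    Get-FileHash -Algorithm SHA256 |
    Group-Object Hash |
    Select-Object Count, Name
```

The "earliest note written" timestamp is worth keeping: any shadow copy or backup taken before that moment still holds clean copies of the files, anything taken after it holds encrypted ones.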
From our research on several sites, we can inform our readers that in some cases the files remain encrypted even after the user makes the payment. So take the decision to pay for unlocking your files at your own risk.
If you want to remove the CryptoDefense infection from your computer, you must realize that your files will remain encrypted even after the malware itself is gone. If you take this decision (to disinfect your computer) and you do not have a clean backup of your files on another storage device (e.g. a USB hard disk), then you have the following options to get your files back:
Option 1. If you run Windows Vista or a later operating system and System Protection (System Restore) was enabled on your computer, then you can try to restore your files from shadow copies by using Windows' "Restore previous versions" (Shadow Copies) feature. Check first whether any shadow copies still exist: ransomware, CryptoDefense included, commonly deletes them during the infection.
Option 2. If System Restore was disabled on your computer (e.g. after a virus attack) and you were infected with CryptoDefense before 1ST APRIL 2014, then, thanks to the security company Emsisoft, you can try the "Emsisoft Decrypter" utility to decrypt (fix) your encrypted files. *
* Note: The creators of CryptoDefense made a big mistake in the first version: the RSA key pair was generated with the Windows CryptoAPI, which saved the private key in the user's key store on the infected computer, so the key needed for decryption was left on the victim's own disk. Therefore a user infected before 1st April 2014 can decrypt his files with the Emsisoft Decrypter utility; do not wipe the user profile or reinstall Windows before trying it, because that destroys the key. Unfortunately, the authors fixed this in later versions, so for users infected after 1st April 2014 the Emsisoft Decrypter cannot help and the files remain encrypted.
ONCE MORE: DO NOT CONTINUE TO REMOVE THE CryptoDefense VIRUS UNLESS:
YOU HAVE A CLEAN BACKUP COPY OF YOUR FILES STORED IN A DIFFERENT PLACE (like an unplugged portable hard disk), OR
YOU DON'T NEED THE ENCRYPTED FILES BECAUSE THEY ARE NOT SO IMPORTANT TO YOU.
So, if you have made your final decision, first remove the CryptoDefense ransomware infection from your computer and then try to restore your files by following the steps below:
How to get rid of CryptoDefense RansomWare & Restore CryptoDefense Encrypted files.
CryptoDefense (HOWDECRYPT) Ransomware Removal Guide
Step 1: Start your computer in "Safe Mode with Networking"
To do this,
1. Shut down your computer.
2. Start up your computer (Power On) and, as your computer is booting up, press the "F8" key before the Windows logo appears. (On Windows 8 the F8 menu is usually disabled: instead hold "Shift" while clicking "Restart", then choose "Troubleshoot" > "Advanced options" > "Startup Settings" > "Restart" and pick "Safe Mode with Networking" from the list.)
3. Using your keyboard arrows, select the "Safe Mode with Networking" option and press "Enter".
Step 2. Stop and delete CryptoDefense malicious running processes with RogueKiller.
RogueKiller is an anti-malware program that is able to detect, stop and remove generic malware and some advanced threats such as rootkits, rogues, worms, etc.
1. Download and save the "RogueKiller" utility on your computer* (e.g. your Desktop).
Notice*: Download the x86 or x64 version according to your operating system. To find your operating system's version, right-click on your Computer icon, choose "Properties" and look at the "System type" section.
2. Double Click to run RogueKiller.
3. Wait until the pre-scan is completed and then read and "Accept" the license terms.
4. Press the "Scan" button to scan your computer for malicious threats and malicious startup entries.
5. Finally, when the full scan is completed, press the "Delete" button to remove all malicious items found.
6. Close "RogueKiller" and continue to the next step.
Step 3. Remove CryptoDefense infection with Malwarebytes Anti-Malware Free.
Download and install one of the most reliable FREE anti-malware programs today to clean your computer from the remaining malicious threats. If you want to stay constantly protected from malware threats, existing and future ones, we recommend that you install Malwarebytes Anti-Malware Premium:
Quick download & Installation instructions:
- After you click the above link, press the "Start My Free 14-Day Trial" option to start your download.
- To install the FREE version of this product, uncheck the "Enable free Trial of Malwarebytes Anti-Malware Premium" option at the last installation screen.
Scan & Clean your computer with Malwarebytes Anti-Malware.
1. Run "Malwarebytes Anti-Malware" and allow the program to update to its latest version and malicious database if needed.
2. When the update process is completed, press the "Scan Now" button to start scanning your system for malware and unwanted programs.
3. Now wait until Malwarebytes Anti-Malware finishes scanning your computer for malware.
4. When the scan has completed, first press the "Quarantine All" button to remove all threats and then click "Apply Actions".
5. Wait until Malwarebytes Anti-Malware removes all infections from your system and then restart your computer (if required from the program) to completely remove all active threats.
6. After the system restarts, run Malwarebytes' Anti-Malware again to verify that no other threats remain in your system.
Step 4. Restore your files after CryptoDefense infection
Option 1. Restore CryptoDefense encrypted files from Shadow Copies.
After you have disinfected your computer from the CryptoDefense virus, it is time to try to restore your files to their state prior to the infection. Both methods below use the Shadow Copy feature, which works well on the latest operating systems (Windows 8, 7 & Vista); they only succeed if the malware left at least one shadow copy taken before the infection.
Method 1: Restore CryptoDefense encrypted (corrupted) files using Windows "Restore Previous versions" feature.
How to restore CryptoDefense encrypted files using Windows "Restore Previous versions" feature:
1. Navigate to the folder or the file that you want to restore in a previous state and right-click on it.
2. From the drop-down menu select "Restore previous versions".
3. Then choose a particular version of the folder or file and press:
- "Open" to view the contents of that folder/file.
- "Copy" to copy this folder/file to another location (e.g. your external hard drive).
- "Restore" to restore the folder/file to the same location, replacing the existing one.
Method 2: Restore CryptoDefense encrypted (corrupted) files using the "ShadowExplorer" utility.
ShadowExplorer is a free replacement for the Previous Versions feature of Microsoft Windows Vista / 7 / 8 (useful on editions, such as Vista Home, that lack the "Previous versions" tab). You can restore lost or damaged files from Shadow Copies.
1. Download and install the ShadowExplorer utility on your computer.
2. Run ShadowExplorer and select the drive and the date of the shadow copy you want to restore your folder/files from.
3. Now navigate to the folder/file whose previous version you want to restore, right-click on it and select "Export".
4. Finally, specify where the shadow copy of your folder/file will be exported/saved (e.g. your Desktop) and press "OK".
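Both Method 1 and ShadowExplorer read the same Volume Shadow Copy snapshots, so before clicking through either tool it pays to know whether any snapshot of C: predates the infection. The script below is an added example, not part of the original guide or of ShadowExplorer: it lists the snapshots, picks the newest one taken before the infection, exposes it as a read-only folder through a directory symbolic link and copies the Documents folder out of it. The infection date, the mount point and the destination drive are assumptions you must set for your own case; run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original guide: check whether any shadow copies
# survived, then expose the newest pre-infection snapshot of C: as a folder so files
# can be copied out. "Restore previous versions" and ShadowExplorer read these same
# snapshots; if none is listed here, neither tool will find anything either.
# Assumptions: the infection date, the mount point and the destination drive.
# Run from an elevated PowerShell prompt.

$infectedAt  = Get-Date '2014-04-15'        # assumption: take it from the ransom note timestamps
$mountPoint  = 'C:\ShadowRestore'           # assumption: any unused path on the system drive
$destination = 'E:\Recovered'               # assumption: a clean external drive

# Shadow copies reference volumes by GUID path, so resolve C: to its GUID path first.
$cVolume = (Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='C:'").DeviceID

$shadows = Get-WmiObject -Class Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $cVolume } |
    ForEach-Object {
        [PSCustomObject]@{
            Created      = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            DeviceObject = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } |
    Sort-Object Created

if (-not $shadows) {
    # Ransomware, CryptoDefense included, commonly deletes shadow copies with vssadmin;
    # at this point only a backup or the Emsisoft decrypter (pre-April-2014 victims) remains.
    Write-Warning 'No shadow copies exist for C:.'
    return
}
$shadows | Format-Table Created, DeviceObject -AutoSize

$candidate = $shadows | Where-Object { $_.Created -lt $infectedAt } | Select-Object -Last 1
if (-not $candidate) {
    Write-Warning 'Shadow copies exist, but all were taken after the infection and hold encrypted files.'
    return
}

# mklink /d needs the trailing backslash on the device path.
cmd /c mklink /d $mountPoint "$($candidate.DeviceObject)\"

# Copy, never move: the snapshot is read-only and the live (encrypted) files stay as evidence.
robocopy "$mountPoint\Users\$env:USERNAME\Documents" "$destination\Documents" /E /COPY:DAT /R:1 /W:1

cmd /c rmdir $mountPoint   # removes only the link; the snapshot itself is untouched
```

`vssadmin list shadows` (elevated Command Prompt) gives the same list without the filtering. Adjust the robocopy source to whichever folders the ransom notes landed in; the snapshot is exposed read-only, so nothing you do under the mount point can damage it.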
Option 2. Restore CryptoDefense encrypted files using Emsisoft Decrypter utility.
How to decrypt (fix) CryptoDefense encrypted (corrupted) files using the "Emsisoft Decrypter" utility.
Important Notice: This utility works only for computers infected before 1st April 2014, and only while the user profile that was infected is still intact.
1. Download "Emsisoft Decrypter" utility to your computer (e.g. your Desktop)
2. When download is completed, navigate to your Desktop and "Extract" the "decrypt_cryptodefense.zip" file.
3. Now double-click to run the "decrypt_cryptodefense" utility.
4. Finally press the "Decrypt" button to decrypt your files.
Info: A detailed tutorial on how to decrypt CryptoDefense encrypted files using Emsisoft's decrypter utility can be found here: http://www.bleepingcomputer.com/virus-removal/cryptodefense-ransomware-information#emsisoft