CryptoDefense is a ransomware program that encrypts files.



It spreads by infected email messages and fake downloads including, for example, rogue video players or fake Flash updates.


After successful infiltration, this malicious program encrypts files (*.doc, *.docx, *.xls, *.ppt, *.psd, *.pdf, *.eps, *.ai, *.cdr, *.jpg, etc.) stored on users' computers and demands payment of $500 ransom (in Bitcoins) to decrypt the files. Cyber criminals responsible for releasing this rogue program ensure it executes on all Windows operating systems (Windows XP, Windows Vista, Windows 7, and Windows 8). CryptoDefense ransomware creates How_Decrypt.txt, How_Decrypt.html, and How_Decrypt.url files within each folder containing the encrypted files.

These files contain instructions regarding how users may decrypt their files, including the use of the Tor browser (an anonymous web browser). Cyber criminals use Tor to hide their identities.

Message presented in How_Decrypt.txt, How_Decrypt.html and How_Decrypt.url files:

All files including videos, photos and documents on your computer are encrypted by 
CryptoDefense Software. Encryption was produced using a unique public key RSA-
2048 generated for this computer. To decrypt files you need to obtain the private key. 
The single copy of the private key, which will allow you to decrypt the files, located on 
a secret server on the Internet; The server will destroy the key after a month. After 
that, nobody and never will be able to restore files. In order to decrypt the files, open 
your personal page on the site hxxps:// and follow the instructions.

If hxxps:// is not opening, please follow the steps below:

1. You must download and install this browser hxxp://
2. After installation, run the browser and enter the address: rj2bocejarqnpuhm.onion/UOs
3. Follow the instructions on the web-site. We remind you the the sooner you do, the more chances are left to recover the files.

Text presented in the infected email messages:

From: Incoming Fax
Subject: Scanned Image from a Xerox WorkCentre

Please open the attached document. It was scanned and sent to you using Xerox WorkCentre Pro.
Number of Images:3
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: IZ38F56PS2

Attached files is scanned image in PDF format.

Message presented in the ransom payment page:

Your files are encrypted. To get the key to decrypt files you have to pay 500 
USD/EUR If payment is not made before [date - time] the cost of decrypting files will 
increase 2 times and will be 1000 USD/EUR. We are present a special software - 
CryptoDefense Decrypter - which is allow to decrypt and return control to all your 
encrypted files. How to buy CryptoDefense decrypter?
1. You should register Bitcoin waller
2. Purchasing Bitcoins - Although it's not yet easy to buy bit coins, it's getting simpler 
every day.
3. Send 1.09 BTC to Bitcoin address: 1EmLLj8peW292zR2VvumYPPa9wLcK4CPK1
4. Enter the Transaction ID and select amount.
5. Please check the payment information and click "PAY".
Community content is available under CC-BY-SA unless otherwise noted.