Ransomware Takes from Other Products

Tuesday, August 19, 2014 @ 04:08 PM gHale


A new ransomware contains elements from CryptoLocker and CryptoWall but has a different underlying code, researchers said.

Called TorrentLocker, the new ransomware proceeds to encrypt specific files on the affected computer and then displays a ransom message similar to that of CryptoLocker, said researchers at security provider iSIGHT Partners.


While the look may be different, the “overall feel of the malware looks like CryptoWall.”

The fee for decrypting the locked files is paid in Bitcoin crypto-currency, purchased from certain Australian Bitcoin exchanges and sent to a provided address.

Before starting to encrypt the data, TorrentLocker establishes a secure communication channel with a command and control (C&C) server available at a hardcoded address, from where it downloads a certificate and the configuration files.

The encryption algorithm is Rijndael, a symmetric cipher that relies on a single password both to lock and to unlock the information, the researchers said.

More advanced crypto-malware relies on asymmetric cryptography, which uses a pair of keys: one public (used for encryption) and one private (used for decryption). The private key stays in the hands of the attacker, and files cannot return to their original state without it.

It appears the password needed to free the data is not stored on the local machine and differs for each system.

As a sign of good faith, and to make it more likely the ransom gets paid, the malware operator also offers the victim the option to decrypt one file free of charge.

TorrentLocker spreads via spam, so a good way to avoid this sort of trouble is to avoid opening links in unsolicited emails. As is typical of ransomware, there is a deadline for making the payment.

Researchers said that, in order to achieve persistence on the compromised machine, the malware and its configuration data are stored in the Windows Registry. “The registry contains items such as the original binary, ransom message, install locations, autorun key and number of encrypted files,” said iSIGHT’s Richard Hummel in a blog post.
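One way a defender can hunt for the persistence pattern Hummel describes (an autorun entry plus malware data, including a whole binary, stashed in the Registry), as an added PowerShell example that is not from the article or from iSIGHT. The Run/RunOnce paths are the standard Windows autorun keys; the 64 KB size threshold, the choice of HKCU\Software as the search root and the assumption that an embedded executable is stored unencoded (so it starts with the "MZ" header) are assumptions for illustration.

```powershell
# Added hunting example, not the article's or iSIGHT's code.
# Part 1: list every autorun entry so unfamiliar commands can be reviewed.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Type  = 'Autorun'
            Key   = $key
            Name  = $name
            Value = $item.GetValue($name)
        }
    }
}

# Part 2: walk HKCU\Software for REG_BINARY values large enough to hold a
# program. 64 KB is an assumed threshold: ordinary settings are far smaller,
# while a stored executable is much larger.
$minBlobBytes = 64KB
Get-ChildItem -Path 'HKCU:\Software' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $k = $_
        foreach ($name in $k.GetValueNames()) {
            if ($k.GetValueKind($name) -ne 'Binary') { continue }
            $blob = [byte[]]$k.GetValue($name)
            if ($blob.Length -lt $minBlobBytes) { continue }
            # Assumption: an unencoded PE file begins with the bytes "MZ".
            $looksLikePE = ($blob[0] -eq 0x4D) -and ($blob[1] -eq 0x5A)
            [pscustomobject]@{
                Type    = 'LargeBinary'
                Key     = $k.Name
                Name    = $name
                Bytes   = $blob.Length
                PEHeader = $looksLikePE
            }
        }
    }
```

Review the output by hand: large binary values are not malicious on their own, but an autorun entry that launches something from, or alongside, a key holding an MZ-prefixed blob is the combination worth investigating.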

There is no evidence this malware strain is available on underground forums, which could mean the group behind it wrote the malicious code themselves.
