Crypto ransomware, a relatively unknown phenomenon a couple of years ago, has exploded into one of the nastier malware problems for Internet users. Variants such as CryptoLocker and CryptoWall have been siphoning money from victims for some time, and now researchers have dissected a newer variant known as TorrentLocker and found that its creators made a key mistake that lets victims recover encrypted files in some circumstances.
TorrentLocker is a separate strain of crypto ransomware from CryptoLocker and CryptoWall, but its creators appear to have taken quite a few notes from the older variants. The look and feel are somewhat similar to CryptoLocker's, but it uses a different encryption scheme and its underlying code does not resemble CryptoLocker's.
“TorrentLocker is a new strain of ransom malware that appears to use components of CryptoLocker and CryptoWall, but the code is completely different from the other two ransomware families. Despite its unique code, the malware suggests to victims that it is CryptoLocker by using a ransom message that is very similar to that used by CryptoLocker. The design of the ransom page is more closely aligned with CryptoWall. The malware installs itself on the infected machine and injects a binary into a legitimate process. This injected binary contains the functionality to encrypt files using the Rijndael algorithm. Once files are encrypted, the victim is prompted with a ransom message and a decryption deadline,” Richard Hummel of iSIGHT Partners wrote in an analysis of the ransomware.
Like many other kinds of crypto ransomware, TorrentLocker is distributed through spam campaigns. Once on a new machine, it encrypts files and communicates with a remote command-and-control server. Victims are required to pay the ransom in Bitcoin to decrypt their files, which is typical of this kind of malware. But a close analysis of TorrentLocker shows that, unlike the classic CryptoLocker ransomware, its encryption is not implemented correctly. TorrentLocker appears to use a stream cipher built on AES, the current NIST encryption standard, but its creators made the mistake of reusing the same keystream. A stream cipher is only secure if each keystream is used once: the ciphertext is simply the plaintext XORed with the keystream, so anyone who holds one file in both encrypted and plaintext form can XOR the two to recover the keystream, and every other file encrypted under that same keystream falls with it.
“In our analysis, we had samples of both encrypted and plaintext versions of the same files. As the encryption was done by combining the keystream with the plaintext file using the XOR operation, we were able to recover the keystream used to encrypt those files by simply applying XOR between the encrypted file and the plaintext file. We tested this with several samples of the affected files we had and realized that the malware program uses the same keystream to encrypt all the files within the same infection. This was a cryptographic mistake on the malware author’s part, as you should never use the keystream more than once,” a new analysis of the malware by researchers Taneli Kaivola, Patrik Nisén and Antti Nuopponen from Finnish security firm NIXU says.
“Further analysis of the encrypted files also revealed that the malware program added 264 bytes of extra data to the end of each encrypted file, and that it only encrypts the first 2MB of the file, leaving the rest intact. If the size of the original file is less than 2MB and if the size is not a multiple of 16 bytes, the malware program leaves a few bytes from the end of the file unencrypted (file size modulo 16 to be exact).”
What the researchers found is that, given both the encrypted and plaintext versions of a single file larger than 2 MB, they could recover the entire keystream, and because the same keystream is reused for every file in an infection, that one pair is enough to decrypt the encrypted portion of every other file on the machine; the part of any file beyond 2 MB is never touched anyway. A known file smaller than 2 MB yields only a partial keystream, and so only the first bytes of the other files. TorrentLocker is nowhere near as widespread a threat as CryptoLocker or CryptoWall, and researchers don't expect that to change much.
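The recovery described above, worked through in Python as an added example (this is not the NIXU researchers' tooling and not the malware's code). The malware's AES-based keystream is replaced by a SHA-256 counter stream, because the attack depends only on the keystream being reused, not on how it was generated. File handling follows the page: the first 2 MB are XORed with the keystream, a file shorter than 2 MB keeps its last (size mod 16) bytes unencrypted, and 264 bytes of trailer are appended. Assumptions: "2MB" is read as 2 * 1024 * 1024 bytes, the trailer is treated as opaque bytes, and all sample files are constructed.

```python
"""
Keystream recovery against a TorrentLocker-style encryptor (added example).

Not the NIXU tooling or the malware's code. SHA-256 in counter mode stands in
for the AES-based stream cipher; the 2 MiB limit and the opaque trailer are
assumptions; every input file is constructed here.
"""
import hashlib
import os

ENCRYPT_LIMIT = 2 * 1024 * 1024   # assumed reading of "the first 2MB"
TRAILER_LEN = 264                 # bytes appended to every encrypted file


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (int arithmetic keeps MB-sized inputs fast)."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def encrypted_span(size: int) -> int:
    """How many leading bytes of a `size`-byte file the malware actually encrypts."""
    if size >= ENCRYPT_LIMIT:
        return ENCRYPT_LIMIT
    return size - size % 16        # short file: the trailing (size mod 16) bytes stay intact


class Infection:
    """Stand-in for one infection: a single keystream reused for every file (the bug)."""

    def __init__(self, seed: bytes):
        # SHA-256 counter stream stands in for the AES-based keystream (assumption).
        self.keystream = b"".join(
            hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
            for i in range(ENCRYPT_LIMIT // 32)
        )

    def encrypt_file(self, plaintext: bytes) -> bytes:
        n = encrypted_span(len(plaintext))
        body = xor_bytes(plaintext[:n], self.keystream[:n]) + plaintext[n:]
        return body + os.urandom(TRAILER_LEN)   # trailer content is not modelled


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: P XOR C cancels P and leaves the keystream.
    Returns as many keystream bytes as this file exposes; only a file of at
    least ENCRYPT_LIMIT bytes yields the whole stream."""
    if len(ciphertext) != len(plaintext) + TRAILER_LEN:
        raise ValueError("ciphertext is not plaintext length plus trailer")
    n = encrypted_span(len(plaintext))
    return xor_bytes(ciphertext[:n], plaintext[:n])


def decrypt_file(ciphertext: bytes, keystream: bytes) -> bytes:
    """Strip the trailer and undo the XOR over the encrypted span."""
    body = ciphertext[:-TRAILER_LEN]
    n = encrypted_span(len(body))
    if n > len(keystream):
        raise ValueError(f"need {n} keystream bytes, have {len(keystream)}")
    return xor_bytes(body[:n], keystream[:n]) + body[n:]


def ciphertext_xor(c1: bytes, c2: bytes) -> bytes:
    """Two-time pad: under a shared keystream, C1 XOR C2 == P1 XOR P2 over the
    common encrypted span, so files leak each other even without a known plaintext."""
    n = min(encrypted_span(len(c1) - TRAILER_LEN), encrypted_span(len(c2) - TRAILER_LEN))
    return xor_bytes(c1[:n], c2[:n])


def demo() -> dict:
    """Run the recovery on constructed files and report what held."""
    infection = Infection(seed=b"constructed infection seed")
    known = os.urandom(ENCRYPT_LIMIT + 4096)   # constructed: a >2 MB file we also have in clear
    victim = os.urandom(3 * 1024 * 1024)       # constructed: a file with no clean copy
    short = bytes(range(100))                  # constructed: 100 bytes, not a multiple of 16

    c_known = infection.encrypt_file(known)
    c_victim = infection.encrypt_file(victim)
    c_short = infection.encrypt_file(short)

    ks = recover_keystream(known, c_known)     # one pair gives the whole 2 MB keystream
    return {
        "keystream_len": len(ks),
        "keystream_ok": ks == infection.keystream,
        "victim_recovered": decrypt_file(c_victim, ks) == victim,
        "short_recovered": decrypt_file(c_short, ks) == short,
        "short_tail_intact": c_short[96:100] == short[96:100],
        "short_partial_len": len(recover_keystream(short, c_short)),
        "two_time_pad": ciphertext_xor(c_known, c_victim)
        == xor_bytes(known[:ENCRYPT_LIMIT], victim[:ENCRYPT_LIMIT]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`recover_keystream` on the 100-byte file returns only 96 keystream bytes, which is why a practitioner hunting for a known-plaintext pair (an installer, a stock image, a system file with a clean copy elsewhere) wants one of at least 2 MB; `ciphertext_xor` shows the weaker but still damaging case where no clean copy exists at all.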
“iSIGHT Partners believes that use of this malware will not grow significantly due to a lack of distinguishing features. The malware lacks distinguishing features; more sophisticated malware types are already available on underground markets,” Hummel of iSIGHT said.