
CryptoLocker might be dead and buried, but there’s a new piece of malware looking to take the ransomware crown. It’s called TorrentLocker, and it’s positively evil.

TorrentLocker is said to borrow features from both the infamous CryptoLocker ransomware, as well as CryptoWall. Despite being a derivative of these malware programs, the security researchers who discovered and analyzed it – iSIGHT Partners – are referring to it as an entirely new strain.

iSIGHT Partners is a well-respected security research firm based in Dallas, Texas, with offices and employees in 16 countries worldwide.

Consumers hit by TorrentLocker will find their files encrypted with strong, near-unbreakable encryption, and will only be able to get their files back by paying a ransom listed in Australian dollars.

Curious about what makes TorrentLocker so particularly evil? Read on for more.

A Familiar Threat

What’s especially fascinating about TorrentLocker is how it borrows its naming and an aesthetic from CryptoLocker and CryptoWall, despite being an entirely different animal. Once infected, the malware will identify itself as ‘CryptoLocker’ (which I once described as the ‘nastiest malware ever’), and will contain a short Q&A that seemingly has been cribbed in its entirety from CryptoWall.


The name TorrentLocker comes from a modification the malware makes to the Windows registry under ‘HKCU\Software\Bit Torrent Application\’. There’s no real evidence that TorrentLocker infects via file-sharing protocols and networks, however. Most installations of the malware seemingly come from people opening attachments from spam emails.

[Image: torrentlocker-bitcoin]

Much like CryptoLocker, TorrentLocker demands a ransom. To get their files back, users have to fork out $500 AUD ($464 USD at the time of writing). And, much like CryptoLocker, users have to pay the ransom in Bitcoin. TorrentLocker suggests a number of Bitcoin exchanges based in Australia. This, combined with the chosen currency of the ransom, suggests that this piece of malware is aimed at Australian Internet users.

Malware aimed at a specific country isn’t especially new. Stuxnet was aimed at SCADA systems in Iran, whilst other ransomware has used the names and logos of the British Serious Organised Crime Agency (SOCA), as well as the Federal Bureau of Investigation.

What’s New, Though, and How Does It Work?

TorrentLocker looks like CryptoLocker. It ‘quacks’ like CryptoLocker. But it’s not CryptoLocker. Indeed, it’s vastly different at the code level, and should be considered an entirely unique strain of malware, rather than a rebranding of CryptoLocker.

[Image: torrentlocker-cryptolocker]

Once the TorrentLocker executable has been run, it makes a modification to explorer.exe. This contains most of the functionality of TorrentLocker, including the code used to communicate with the command and control server, as well as encrypt the files on the system.

The malware duplicates itself in the ‘%WINDOWS%/%WOW64%’ folder. This copy is randomly named, possibly to make things difficult for any anti-virus programs running on the system at the time. It also executes multiple installations of itself simultaneously, potentially to obfuscate its behavior.

Another copy of the malware is also placed in the Windows registry, in addition to an autorun key being created. As you might expect, this causes the malware to launch on startup.

For the malware to start encrypting files, it must first be able to communicate with the command and control (C&C) server. It tries to make a connection to an IP address hard-coded in the malware, which it then authenticates against. If the authentication is successful, the malware starts encrypting files. Once it has completed its task, it will then inform the user.
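The host behaviours just described (the ‘Bit Torrent Application’ registry key, the randomly named copy in the WOW64 directory, the autorun key, and the modified explorer.exe talking to a hard-coded C&C address) are the kind of thing a defender can hunt for in endpoint telemetry. The following detector is an added example, not code from the article or from iSIGHT Partners; it runs over constructed, simplified Sysmon-style key=value event lines (real Sysmon output is XML), and reads the article’s ‘%WINDOWS%/%WOW64%’ as C:\Windows\SysWOW64, which is an assumption.

```python
import re

# Constructed, simplified Sysmon-style events (real Sysmon output is XML; the
# key=value form is an assumption of this example). IDs follow Sysmon:
# 3 = network connection, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\explorer.exe "
    "TargetObject=HKCU\\Software\\Bit Torrent Application\\Configuration",
    "EventID=11 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe "
    "TargetFilename=C:\\Windows\\SysWOW64\\qkzxqpwe.exe",
    "EventID=13 Image=C:\\Windows\\explorer.exe "
    "TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\qkzxqpwe "
    "Details=C:\\Windows\\SysWOW64\\qkzxqpwe.exe",
    "EventID=3 Image=C:\\Windows\\explorer.exe DestinationIp=203.0.113.45 "
    "DestinationPort=443 DestinationHostname=",
    # Benign lines that must not fire: a torrent client's own Run entry, a browser.
    "EventID=13 Image=C:\\Program Files\\uTorrent\\uTorrent.exe "
    "TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\uTorrent "
    "Details=C:\\Program Files\\uTorrent\\uTorrent.exe",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "DestinationIp=93.184.216.34 DestinationPort=443 DestinationHostname=example.com",
]

# Values may contain spaces, so a value runs until the next " key=" or end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
BITTORRENT_KEY = "hkcu\\software\\bit torrent application"   # key named in the article
SYSWOW64 = "c:\\windows\\syswow64\\"   # assumed reading of the article's %WINDOWS%/%WOW64%

def parse_event(line):
    return {key: value for key, value in KV_RE.findall(line)}

def is_bittorrent_registry_key(ev):
    """Registry write under the key that gave TorrentLocker its name."""
    return ev.get("EventID") == "13" and \
        ev.get("TargetObject", "").lower().startswith(BITTORRENT_KEY)

def is_exe_dropped_in_syswow64(ev):
    """A non-system process writing an executable into the WOW64 directory
    (the article: the malware copies itself there under a random name)."""
    image = ev.get("Image", "").lower()
    target = ev.get("TargetFilename", "").lower()
    return (ev.get("EventID") == "11" and target.startswith(SYSWOW64)
            and target.endswith(".exe") and not image.startswith("c:\\windows\\"))

def is_autorun_from_syswow64(ev):
    """Run-key autorun whose target is an executable in the WOW64 directory."""
    target = ev.get("TargetObject", "").lower()
    details = ev.get("Details", "").lower()
    return (ev.get("EventID") == "13" and "\\currentversion\\run\\" in target
            and details.startswith(SYSWOW64) and details.endswith(".exe"))

def is_explorer_to_bare_ip(ev):
    """explorer.exe connecting straight to an IP with no hostname: the article
    says the modified explorer.exe talks to a hard-coded C&C address."""
    image = ev.get("Image", "").lower()
    return bool(ev.get("EventID") == "3" and image.endswith("\\explorer.exe")
                and ev.get("DestinationIp") and not ev.get("DestinationHostname"))

RULES = [
    ("bittorrent_registry_key", is_bittorrent_registry_key),
    ("exe_dropped_in_syswow64", is_exe_dropped_in_syswow64),
    ("autorun_from_syswow64", is_autorun_from_syswow64),
    ("explorer_to_bare_ip", is_explorer_to_bare_ip),
]

def scan(lines):
    """Return (rule_name, line) for every event that matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                findings.append((name, line))
    return findings
```

Each rule alone is weak evidence (the last two in particular can fire on legitimate software); the point is that several of them firing on one host within minutes of an e-mail attachment being opened is worth an alert.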

Users can verify that decryption is possible by restoring a single file of their choice for free. Unlike CryptoLocker, victims do not have to pay within a specified time period, lest the decryption keys be deleted. However, the cost of decryption doubles to $1000 AUD after a time period has elapsed.

[Image: torrentlocker-buydecryption]

Interestingly, the ransomware doesn’t actually describe paying the ransom in such terms. Rather, victims ‘buy’ the software that is necessary to decrypt their files. The ransom pages are written in crude, broken English, which suggests that the person (or persons) behind TorrentLocker are not native English speakers.

The ransom page also features a form for contacting the attacker, in addition to listing Bitcoin, Dogecoin and Litecoin addresses where grateful victims can make a donation. This is voluntary, although why one would give a gift to someone who extorted a sizable amount of cash from you is somewhat beyond my comprehension.

What Can I Do If Infected?

This is a bit tricky. Right now, there’s no option to get your files back other than to pay the ransom. However, as we saw with CryptoLocker, it’s possible for people to get their files back when the command and control servers are taken over and the list of decryption keys is recovered.


In the interim, ensure that you’ve got a backup of your files that is not persistently connected to your computer via USB or network share. Furthermore, invest in some solid antivirus (not Microsoft Security Essentials) and avoid opening attachments from unsolicited or suspicious emails.

If you do get infected, you are recommended to buy a cheap external hard drive (or a sufficiently capacious USB flash drive) and copy over your encrypted files. This gives you the possibility of eventually recovering your files at a later date, and without paying a ransom. You’d then be encouraged to reinstall Windows (or perhaps give Linux – a much more secure operating system – a try), to remove the malware for good.

It’s tempting to pay the ransom, although you should remember that you would only then be making these types of ransomware financially worthwhile to the attacker.

Have You Been Hit?

Lost all your files? Been forced to pay a ransom? Know anyone who has? I’d love to hear your story. The comments box is below.

  1. Antti
    September 10, 2014 at 5:04 am

    Our blog post about recovering files encrypted by TorrentLocker is now available in SANS blog: digital-forensics.sans.org/blog/2014/09/09/torrentlocker-unlocked

  2. T
    August 28, 2014 at 4:38 am

    Huh... Any chance this could go under a different name? About 2 weeks ago I got hit by something called ZeroLocker... I had to wipe my hard drive... Which really sucks because what I wiped was the result of 2 years of practically CONSTANT computer usage.... About 300 - 400 gb of pictures, programs, VST plugins, games, documents, etc... REALLY REALLY ticked me off... Although I saved the bitcoin address it gave...

    • Eli
      August 28, 2014 at 5:48 am

      No. These are two different programs made by different companies.

    • Matthew H
      August 29, 2014 at 3:39 pm

      Yeah, this is a completely distinct variant on Cryptolocker. New at the code-base, and everything.

  3. Eli
    August 27, 2014 at 12:23 pm

    Many cloud backup sites have versioning. I wonder if older versions are also encrypted.

    I found two vaccination tools: CryptoGuard (part of the free HitmanPro.Alert) and Cryptoprevent.
    Did someone here try those ?

  4. Antti
    August 27, 2014 at 12:21 pm

    Nice blog post. We at Nixu (www.nixu.com/en) have been working on a case related to torrentlocker for the past few days and we have come up with a solution to decrypt files that torrentlocker has encrypted. The solution is not yet 100% bulletproof, but does work if you have a file that has been encrypted and a copy of the same file in cleartext (for example from a backup). Having both the encrypted version and a cleartext version of the same file allows us to extract the encryption key. At least the version of torrentlocker we encountered encrypts all files on a single computer with the same key, so recovering the key allows us to decrypt all the files. In practice this means that having a backup of just one file allows you to decrypt all the encrypted files.

    At the moment we are writing a more detailed description how the decryption can be done. Hopefully we can release it soon and help people that have encountered torrentlocker.

    • Matthew H
      August 29, 2014 at 3:38 pm

      That's really interesting. I'll check your stuff out.
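Why one clean copy of a single file can unlock the rest, as Antti’s comment (no. 4) above describes. This is an added example, not Nixu’s procedure or any tool’s code: it models the cipher as a stream cipher whose keystream is reused for every file (an assumption of this example; the comment only says all files share one key), and the keystream and sample files are constructed.

```python
import random

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed stand-in for the malware's per-machine keystream. Its length is
# the limit of what any known-plaintext pair can ever reveal.
KEYSTREAM = bytes(random.Random(2014).getrandbits(8) for _ in range(64))

# Constructed sample files: the first also exists in the victim's backup, the
# second survives only in encrypted form.
BACKUP_COPY = b"Quarterly report: revenue up 4%, costs flat.\n"
OTHER_FILE = b"Dear Bob, the invoice is attached. Regards, Alice.\n"

def toy_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Model of the encryption: every file is XORed with the same keystream
    (this reuse is the assumption that makes the recovery below work)."""
    if len(plaintext) > len(keystream):
        raise ValueError("toy model: file longer than keystream")
    return xor_bytes(plaintext, keystream)

def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """ciphertext = plaintext XOR keystream, so XORing the known pair back
    together returns as many keystream bytes as the known file is long."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("the clean and encrypted copies must be the same file")
    return xor_bytes(plaintext, ciphertext)

def decrypt_with_keystream(ciphertext: bytes, keystream: bytes):
    """Return (recovered_bytes, bytes_still_encrypted). A file longer than the
    known file is recovered only up to the keystream length, which is the
    'not yet 100% bulletproof' limitation the comment mentions."""
    n = min(len(ciphertext), len(keystream))
    return xor_bytes(ciphertext[:n], keystream[:n]), len(ciphertext) - n

def demo():
    """Walk through the recovery on the constructed files."""
    enc_report = toy_encrypt(BACKUP_COPY, KEYSTREAM)   # victim has both copies
    enc_letter = toy_encrypt(OTHER_FILE, KEYSTREAM)    # victim has only this
    keystream = recover_keystream(BACKUP_COPY, enc_report)
    return decrypt_with_keystream(enc_letter, keystream)

if __name__ == "__main__":
    recovered, left = demo()
    print(recovered.decode(), "...", left, "trailing bytes still encrypted")
```

The practical lesson for a victim is the one in the comment: keep the encrypted files, because the largest file you can find a clean copy of decides how much of everything else can be recovered.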

  5. Ahmed K
    August 27, 2014 at 11:10 am

    Most GAMING systems are still windows only!

    • Matthew H
      August 29, 2014 at 3:37 pm

      Steam OS looks set to change that.

  6. Sanuja R
    August 26, 2014 at 2:39 pm

    At this time, I guess one of the best ways of prevention is to block the following sites:


    Unless they decide to change things, these settings should be safe. I also suggest installing something like Cryptoprevent (foolishit.com/vb6-projects/cryptoprevent). You should be safe for now with my tips.

    Based on the sandbox report at http://www.file-analyzer.net/analysis/4783/14343/1/html.

    Please reply if you have any issues.

    • Matthew H
      August 29, 2014 at 3:37 pm

      That's very helpful. Thanks heaps!

  7. Erica
    August 26, 2014 at 6:42 am

    How about these so-called "good security minded people" go back to the way in which they used to purchase things and conduct business before all this Bitcoin became fashionable and a haven for criminal scum to conduct business?

  8. Erica
    August 26, 2014 at 1:49 am

    What I don't understand is why the servers are not shut down and the owners and/or the hosting company responsible for allowing these cretins to get away with what they do prosecuted?

    Furthermore I think this Bitcoin system needs to be outlawed and taken down as it allows criminals to conduct their evil business and continue to steal from people! If you take away Bitcoin then how else will these evil oxygen thieving petty criminal scum bags get paid?

    • William B
      August 26, 2014 at 3:32 am

      Removing Bitcoin would also prevent honest customers from conducting harmless business and continuing to trade with kind people. If you get rid of Bitcoin, how else will these good security minded people purchase items?

      You can't think of things one-sidedly.

    • Matthew H
      August 27, 2014 at 10:56 am

      Because they depend on levels of obfuscation and anonymity in order to avoid being prosecuted. Identifying the people behind the likes of TorrentLocker will be incredibly hard.

      With respect to Bitcoin, I understand your point. However, Bitcoin was designed to be resistant to government interference. Banning it is just not tenable.

      Thanks for your comment!

  9. Rianne R
    August 25, 2014 at 6:44 pm

    That smiley looks familiar. Numerous times my PC would freeze and it would show a message with a smiley, that FAQ and a link. It just looks suspicious and I don't think an official notification would have that, and then it would say 'don't turn off while we check for errors'. Presence of mind helped me and I would immediately shut down the computer. I observed that my computer would do restarts but I couldn't pinpoint the problem. I tried uninstalling new software I'd downloaded and the problem stopped. Maybe I got the malware from one of those programs. I'm using Windows btw.

    • Matthew H
      August 27, 2014 at 10:55 am

      Strange. Yeah, you were right to be suspicious. That sounds very, very fishy.

  10. Warren B
    August 25, 2014 at 6:12 pm

    I actually got hit when the Cryptolocker Malware hit. However, I am a student right now, I had just moved all of my video and music files to an external backup, plus I have 5, maybe 6 cloud accounts that store my photos, documents, and backup files. As far as the computer, it was an older laptop system, and the fan was giving out.

    I was actually considering going to a dual desktop/tablet combo (I can't completely go tablet being a computer engineering student and requiring Windows for many of the software programs for school, but virtual desktop rules). So the Malware actually got the HDD spinning so much while I was trying to fix the problem that the system overheated, and I had to do the upgrade as I had planned. However, as I said, all my files were backed up, plus the semester was over, so I had no issues with computer use.

    So I got burned the first time, it helped out a lot in the end, but I never want to go through that type of thing again.

    • Matthew H
      August 27, 2014 at 10:54 am

      Ah, unlucky man. That sounds like a real headache!

    • Eli
      August 31, 2014 at 9:13 am

      Warren,

      Can you please tell us which cloud backups you used, and if the files there were encrypted too.
      Thanks

    • Warren B
      August 31, 2014 at 5:21 pm

      At the time, I didn't have any real backup services, but just straight cloud services. I have had a Microsoft account for a long time, so when they started revamping those services, I got 25gb of storage there. Plus, my wife and I keep a shared Dropbox account, and thanks to the purchase of my Galaxy Note 10.1 and my wife's HTC phone, we had just put 75gb of storage in there. As I said, all of my video, music files, and large program backups were on external HDDs, DVDs, or both. So all that was left was documents, pictures, some random Android files (easier to keep on cloud than HDD by nature).

      I had 6 accounts, between the 2 mentioned above, I had 100gb of storage, and the other 4 gave an extra 35gb (Amazon-5, Mega-20, Mediafire-5, Box-5). I had all of my documents on my Microsoft account, my pictures and Android files were on Dropbox, I had some various purchases of books and music on Amazon, and Mega, Mediafire, and Box, I had just started onto before the malware struck my system.

      As far as your question about encryption, since I have to use the files on various types of systems (including Android, Win, Linux, Mac), I could encrypt the files if I could find software that could work across the various OSes, but so far, I haven't.

  11. Dany B
    August 25, 2014 at 6:10 pm

    The reason Apple products are not mentioned is because they are overpriced. And also people who already have a computer won't want to buy a new one at the excessive price that Apple charges for them, but they might want to change to a free OS.

    • Kevin M.
      August 26, 2014 at 2:44 am

      Really Christian? In your self-promoted wisdom you actually think that Apple is somehow superior and therefore unaffected? You truly are as ignorant as those that you condemn for using Windows. The fact is you both are wrong, there is no such thing as a secure environment on any system and especially any that are connected to the world wide web!

      Truly your advice is about as faulty as it comes and at least this author respects the fact that this virus is dangerous and for that we should all be thanking him for alerting us to the existence of this crapware. You are the true MORON here dumb ass!

    • Kevin M.
      August 26, 2014 at 3:05 am

      Sorry Dany, not used to the reply being on top (like everywhere else), plus the shading they set up is weak at best and my monitors barely show the separation. Clearly you can see the reply was meant for the idiot you replied to.

  12. Greg Rajewski
    August 25, 2014 at 5:32 pm

    Oh Christian ...

    The ONLY reason Apple systems are considered "safer" than computers running Windows is because of its smaller market share and not due to its immunity to infection.

    Apple OS and iOS-based systems have been targeted by malware coders in recent years due to increased user adoption.* Linux at this time is the safest option because it has the smallest global share of non-commercial computers running on a non-Windows OS (fyi, I am a loyal Windows user).

    That being said, Matthew's advice is totally worthy of respect.

    * http://macduel.com/can-macs-get-viruses

    • Matthew H
      August 27, 2014 at 10:51 am

      Thanks for your comment man!

  13. Christian Hartleben
    August 25, 2014 at 4:51 pm

    Apparently, malware will strike Windows users over their heads with a two-by-four until their skulls crack. It's 2014, there is no excuse for relying on useless anti-virus software to protect you. Decades ago, Microsoft engineered a fundamentally flawed product, with no concept of security. At this point, why have sympathy for the willing, volunteer victims of Cryptolocker?

    Timidly, as a last thought, Matthew suggests that Windows users might switch to Linux. How ridiculous is it, not to even mention Apple? The users could even still safely run their incompetent Windows OS and apps with the internet access disabled. I do not think the advice of this author is worthy of respect.

    • Matthew H
      August 27, 2014 at 10:51 am

      Not that ridiculous. The cheapest Apple laptop is just short of $1000. Ubuntu is free, and doesn't require the purchase of new hardware.

  14. DaPabler
    August 25, 2014 at 4:07 pm

    You can also just drag files to a temp folder (without opening or executing) and then upload them to virustotal.com. They scan files and URLs for free with all virus scanning software on the market at once.

    • Matthew H
      August 29, 2014 at 3:36 pm

      Good to know. Cheers!

  15. Eli
    August 24, 2014 at 5:21 am

    1. The fact that it creates an autorun key and connects to a remote operator is typical of all Trojans.
    2. Does WinPatrol recognize the new startup program?
    3. Are all cloud backups susceptible?

    • Matthew H
      August 27, 2014 at 10:46 am

      2.) Don't know.
      3.) Depends if they're accessible through Windows Explorer, or are mapped as network drives.

  16. Manny R
    August 24, 2014 at 3:36 am

    Can malware like this be installed if you're not using administrator account?

    • Matthew H
      August 27, 2014 at 10:29 am

      I'm actually not sure. That's a really good question. You could definitely mitigate against it with some GPO settings, but I'm not sure if it requires admin privileges to run.

      Let me look into it and get back to you.

    • Deborah
      August 28, 2014 at 11:07 pm

      If you can install something using that account, probably.

  17. Sam
    August 23, 2014 at 9:17 pm

    Almost all my documents are stored on the cloud, but I wonder if the encryption could seep into Google Drive while it is syncing your files. That's a scary prospect.

    • Rafael
      August 24, 2014 at 7:09 am

      I never execute attachments unless I expect them, so there's no problem for me. Be careful with your info on the cloud, maybe this malware could encrypt your files and when the Google Drive client detects changes, it will sync them to the cloud.

    • Matthew H
      August 27, 2014 at 10:28 am

      Best thing about using Dropbox (not sure about Drive) is that it's versioned. If your cloud-based files *do* end up getting encrypted, you can easily revert to an earlier file.

      Cheers for your comment!

  18. DMJ
    August 23, 2014 at 6:51 am

    Do you have any details in relation to the phishing email which launches the ransom ware please?

    • Matthew H
      August 27, 2014 at 10:26 am

      I'm afraid to say I don't. Information was pretty thin on the ground when it comes to how the malware is deployed. All I know is that the delivery medium is email.

  19. Jim
    August 23, 2014 at 5:31 am

    "It tries to make a connection to an IP address hard-coded in the malware, "

    Does anyone know what that IP address is? If so, creating a blocking filter or redirect might be effective to avoid the issue and give time for malware/AV tools to provide detection definitions and thwart it.

    • Matthew H
      August 27, 2014 at 10:24 am

      Probably. Getting the IP address would just be a matter of watching the network traffic with Wireshark.

  20. Keith
    August 23, 2014 at 1:55 am

    If your computer gets infected, would you not be able to boot up with a Linux live cd and retrieve your files that way, or does this virus affect the files themselves?

    • Averyvh
      August 23, 2014 at 3:54 am

      No, the files will be encrypted. You can retrieve them in the hope that someday someone will find a way to decrypt them, but they will be useless to you in the meantime.

    • Adam
      August 26, 2014 at 5:04 am

      Encryption is not an immediate process. It will likely take hours or even days to encrypt your hard drive. If you powered off immediately, and booted off a live-CD, you would be able to recover everything that had yet to be encrypted.

      A better solution is to backup locally AND remotely. Use an online backup service that offers "revisioning". This way, even if the backup software uploads the encrypted file, you will be able to restore an older, unencrypted version.

    • Matthew H
      August 27, 2014 at 10:24 am

      What Averyvh said. They're encrypted. Moving them to another computer will do nothing to address that.

      Adam: Quite true. I'd add that it's probably quicker than you mention, as they're only encrypting files with specific extensions. Furthermore, they don't inform you they're encrypting your files. You'd probably only find out once it's too late.

  21. dragonmouth
    August 22, 2014 at 8:26 pm

    Would reformatting the HD or SSD and then restoring from a backup get rid of TorrentLocker, assuming the backup is clean?

    Based on the way the malware takes over a PC, I assume that it is Windows-only. So far no Linux version has been released to the best of your knowledge?

    • Still
      August 22, 2014 at 11:30 pm

      Theoretically, yes.

    • Cody
      August 24, 2014 at 3:26 am

      A good way to tell is to open up VirtualBox or another piece of virtualization software, put a few junk files in it, and get your hands on a piece of this software (if it is a .exe file, then it's DEFINITELY Windows-only; if it's .sh, .run or some other UNIX executable, it's not Windows-only). The virtualization is for safety in case things go horribly wrong.

    • Matthew H
      August 27, 2014 at 10:20 am

      It would, yes. I'm also not aware of a Linux variant of TorrentLocker at this time.

      I'm being careful to explicitly say 'TorrentLocker', as it's a unique strain of ransomware, as mentioned in the article.

  22. Amir M
    August 22, 2014 at 6:30 pm

    Nice article, very informative except for the part where you say that they are not native English speakers. I don't care where they are from; if they try to do anything like forcing you to buy your data, it's not OK. I think that I speak fluent English and I am not a native English speaker, so...

    • Matthew H
      August 22, 2014 at 6:46 pm

      I didn't say that it was acceptable because they're native speakers. In fact, my tone has been pretty condemnatory of TorrentLocker throughout the piece.
