CryptoLocker might be dead and buried, but there’s a new piece of malware looking to take the ransomware crown. It’s called TorrentLocker, and it’s positively evil.

TorrentLocker is said to borrow features from both the infamous CryptoLocker ransomware and CryptoWall. Despite being derived from those programs, the security researchers who discovered and analyzed it – iSIGHT Partners – are referring to it as an entirely new strain.

iSIGHT Partners is a well-respected security research firm based in Dallas, Texas, with offices and employees in 16 countries worldwide.

Consumers hit by TorrentLocker will find their files encrypted with strong, near-unbreakable encryption, and will only be able to get their files back by paying a ransom listed in Australian dollars.

Curious about what makes TorrentLocker so particularly evil? Read on for more.

A Familiar Threat

What’s especially fascinating about TorrentLocker is how it borrows its naming and aesthetic from CryptoLocker and CryptoWall, despite being an entirely different animal. Once it has infected a machine, the malware identifies itself as ‘CryptoLocker’ (which I once described as the ‘nastiest malware ever’), and it contains a short Q&A that seems to have been cribbed in its entirety from CryptoWall.


The name TorrentLocker comes from a modification the malware makes to the Windows registry under ‘HKCU\Software\Bit Torrent Application\’. There’s no real evidence that TorrentLocker spreads via file-sharing protocols and networks, however. Most infections seemingly come from people opening attachments from spam emails.


Much like CryptoLocker, TorrentLocker demands a ransom. To get their files back, users will have to fork out $500 AUD ($464 USD at the time of writing). And, much like CryptoLocker, users have to pay the ransom in Bitcoin. TorrentLocker suggests a number of Bitcoin exchanges based in Australia. This, combined with the currency the ransom is quoted in, suggests that this piece of malware is aimed at Australian Internet users.

Malware aimed at a specific country isn’t especially new. Stuxnet was aimed at SCADA systems in Iran, whilst other ransomware has used the names and logos of the British Serious Organised Crime Agency (SOCA) and the Federal Bureau of Investigation.

What’s New, Though, and How Does It Work?

TorrentLocker looks like CryptoLocker. It ‘quacks’ like CryptoLocker. But it’s not CryptoLocker. Indeed, it’s vastly different at the code level, and should be considered an entirely distinct strain of malware rather than a rebranding of CryptoLocker.


Once the TorrentLocker executable has been run, it makes a modification to explorer.exe. The modified explorer.exe contains most of TorrentLocker’s functionality, including the code used to communicate with the command and control server and the code that encrypts the files on the system.

The malware duplicates itself in the ‘%WINDOWS%/%WOW64%’ folder. This copy is randomly named, possibly to make things difficult for any antivirus programs running on the system at the time. It also runs multiple instances of itself simultaneously, potentially to obscure its behavior.

Another copy of the malware is placed in the Windows registry, and an autorun key is created. As you might expect, this causes the malware to launch on startup.

For the malware to start encrypting files, it must first be able to communicate with the command and control (C&C) server. It tries to make a connection to an IP address hard-coded in the malware, which it then authenticates against. If the authentication is successful, the malware starts encrypting files. Once it has completed its task, it will then inform the user.
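The persistence described above (the ‘Bit Torrent Application’ registry key, a randomly named copy under the Windows folder, and an autorun entry) is the kind of footprint a defender can check for without touching the malware itself. The following PowerShell script is an added example written for this article, not code from iSIGHT Partners or the article’s author. The indicator key path is taken from the article; the article does not say which autorun key is used, so the script enumerates the standard Run and RunOnce keys, and the ‘Windows folder’ heuristic for flagging entries is an assumption drawn from the description above.

```powershell
# Added example: a read-only persistence check for the indicators the article
# names. Run in an elevated PowerShell prompt; nothing here modifies the system.

# Registry key the article names as the origin of the TorrentLocker name.
$indicatorKey = 'HKCU:\Software\Bit Torrent Application'

# The article does not specify the autorun location, so the usual suspects
# are enumerated (assumption).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

if (Test-Path -LiteralPath $indicatorKey) {
    Write-Warning "Indicator key present: $indicatorKey"
    Get-ItemProperty -LiteralPath $indicatorKey | Format-List
} else {
    Write-Host "Indicator key not found: $indicatorKey"
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    # Skip the PS* metadata properties that Get-ItemProperty adds to the object.
    $names = $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
    foreach ($name in $names) {
        $command = [string]$props.$name
        # Extract the executable path: quoted first token, or bare first token.
        $exe = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # Heuristic from the article: the malware copies itself, randomly named,
        # into the Windows folder. Autorun entries pointing there deserve a look.
        $inWindowsDir = $exe -like "$env:windir*"
        $sigStatus = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else {
            'FileMissing'
        }
        $verdict = if ($inWindowsDir -and $sigStatus -ne 'Valid') { 'REVIEW' } else { 'ok' }

        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Target    = $exe
            Signature = $sigStatus
            Verdict   = $verdict
        }
    }
}
```

Treat ‘REVIEW’ as a prompt to look, not as a verdict: many legitimate system binaries are catalog-signed rather than Authenticode-signed and can report NotSigned on older Windows versions, and the script only inspects on-disk files, so it will not see code injected into a running explorer.exe. An entry that points at a randomly named executable in the Windows folder, alongside the presence of the indicator key, is the combination the article describes.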

Users can verify that decryption is possible by restoring a single file of their choice for free. Unlike CryptoLocker, victims do not have to pay within a specified time period, lest the decryption keys be deleted. However, the cost of decryption doubles to $1000 AUD after a time period has elapsed.

Interestingly, the ransomware doesn’t actually describe paying the ransom in such terms. Rather, victims ‘buy’ the software that is necessary to decrypt their files. The ransom pages are written in crude, broken English, which suggests that the person (or persons) behind TorrentLocker are not native English speakers.

The ransom page also features a form for contacting the attacker, in addition to listing Bitcoin, Dogecoin and Litecoin addresses where grateful victims can make a donation. This is voluntary, although why one would give a gift to someone who extorted a sizable amount of cash from you is somewhat beyond my comprehension.

What Can I Do If Infected?

This is a bit tricky. Right now, there’s no option to get your files back other than to pay the ransom. However, as we saw with CryptoLocker, it’s possible for people to get their files back when the command and control servers are taken over and the list of decryption keys is recovered.


In the interim, ensure that you’ve got a backup of your files that is not persistently connected to your computer via USB or network share. Furthermore, invest in some solid antivirus (not Microsoft Security Essentials) and avoid opening attachments from unsolicited or suspicious emails.

If you do get infected, we recommend buying a cheap external hard drive (or a sufficiently capacious USB flash drive) and copying over your encrypted files. This gives you the possibility of recovering your files at a later date without paying a ransom. You’d then be encouraged to reinstall Windows (or perhaps give Linux – a much more secure operating system – a try) to remove the malware for good.

It’s tempting to pay the ransom, although you should remember that you would only then be making these types of ransomware financially worthwhile to the attacker.

Have You Been Hit?

Lost all your files? Been forced to pay a ransom? Know anyone who has? I’d love to hear your story. The comments box is below.
