CryptoLocker might be dead and buried, but there’s a new piece of malware looking to take the ransomware crown. It’s called TorrentLocker, and it’s positively evil.
TorrentLocker is said to borrow features from both the infamous CryptoLocker ransomware and CryptoWall. Despite it being a derivative of these malware programs, the security researchers who discovered and analyzed it – iSIGHT Partners – are referring to it as an entirely new strain.
iSIGHT Partners are a well-respected security research firm based in Dallas, Texas, with offices and employees in 16 countries worldwide.
Consumers hit by TorrentLocker will find their files encrypted with strong, near-unbreakable encryption, and will only be able to get their files back by paying a ransom listed in Australian dollars.
Curious about what makes TorrentLocker so particularly evil? Read on for more.
A Familiar Threat
What’s especially fascinating about TorrentLocker is how it borrows its naming and aesthetic from CryptoLocker and CryptoWall, despite being an entirely different animal. Once a machine is infected, the malware identifies itself as ‘CryptoLocker’ (which I once described as the ‘nastiest malware ever’), and displays a short Q&A that seemingly has been cribbed in its entirety from CryptoWall.
The name TorrentLocker comes from a modification the malware makes to the Windows registry under ‘HKCU\Software\Bit Torrent Application\’. There’s no real evidence that TorrentLocker infects via file-sharing protocols and networks, however. Most installations of the virus seemingly come from people opening attachments from spam emails.
Much like CryptoLocker, TorrentLocker demands a ransom. To get their files back, users will have to fork out $500 AUD ($464 USD, at the time of writing). And, much like CryptoLocker, users have to pay the ransom in Bitcoin. TorrentLocker suggests a number of Bitcoin exchanges based in Australia. This, combined with the chosen currency of the ransom, suggests that this piece of malware is aimed at Australian Internet users.
Malware aimed at a specific country isn’t especially new. Stuxnet was aimed at SCADA systems in Iran, whilst other ransomware has used the names and logos of the British Serious Organized Crime Agency (SOCA), as well as the Federal Bureau of Investigation.
What’s New Though, and How Does It Work?
TorrentLocker looks like CryptoLocker. It ‘quacks’ like CryptoLocker. But it’s not CryptoLocker. Indeed, it’s vastly different at the code level, and should be considered an entirely unique strain of malware, rather than a rebranding of CryptoLocker.
Once the TorrentLocker executable has been run, it makes a modification to explorer.exe. This modification contains most of the functionality of TorrentLocker, including the code used to communicate with the command and control server, as well as to encrypt the files on the system.
The malware duplicates itself in the ‘%WINDOWS%/%WOW64%’ folder. This copy is randomly named, possibly to make things difficult for any anti-virus programs running on the system at the time. It also executes multiple installations of itself simultaneously, potentially to obfuscate its behavior.
Another copy of the malware is also placed in the Windows registry, in addition to an autorun key being created. As you might expect, this causes the malware to launch on startup.
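An offline triage sketch for the registry artefacts described in this article: the ‘Bit Torrent Application’ key and an autorun entry pointing at a randomly named copy in the Windows folder. This is an added example, not code from the article or from iSIGHT Partners; the sample export, the `C:\Windows` location, the choice of the per-user Run key and all function names are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Key named in the article; RUN_KEY is an assumption (standard per-user autorun key).
INDICATOR_KEY = r"HKEY_CURRENT_USER\Software\Bit Torrent Application"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")  # assumption: default install path

# Constructed sample of a "reg export" file (real exports are UTF-16; decode first).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Bit Torrent Application]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ixqhweza"="C:\\Windows\\ixqhweza.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string values, unescaping \\\\ and \\"."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def executable_of(command):
    """Program path from a Run command line (quoted or bare)."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S*))', command)
    return m.group(1) or m.group(2) or ""

def triage(text):
    """Flag the indicator key (or subkeys) and autoruns under the Windows dir."""
    findings = []
    for key, values in parse_reg_export(text).items():
        low = key.lower()  # registry key paths are case-insensitive
        if low == INDICATOR_KEY.lower() or low.startswith(INDICATOR_KEY.lower() + "\\"):
            findings.append(("indicator_key", key))
        if low == RUN_KEY.lower():
            for name, command in values.items():
                exe = PureWindowsPath(executable_of(command))
                if WINDOWS_DIR in exe.parents:
                    findings.append(("autorun_in_windows_dir", f"{name} -> {exe}"))
    return findings
```

A hit on the autorun heuristic is a lead for closer inspection rather than a verdict, since some legitimate software also starts from the Windows directory.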
For the malware to start encrypting files, it must first be able to communicate with the command and control (C&C) server. It tries to make a connection to an IP address hard-coded in the malware, which it then authenticates against. If the authentication is successful, the malware starts encrypting files. Once it has completed its task, it will then inform the user.
Users can verify that decryption is possible by restoring a single file of their choice for free. Unlike CryptoLocker, victims do not have to pay within a specified time period, lest the decryption keys be deleted. However, the cost of decryption doubles to $1000 AUD after a time period has elapsed.
Interestingly, the ransomware doesn’t actually describe paying the ransom in such terms. Rather, victims ‘buy’ the software that is necessary to decrypt their files. The ransom pages are written in crude, broken English, which suggests that the person (or persons) behind TorrentLocker are not native English speakers.
The ransom page also features a form for contacting the attacker, in addition to listing Bitcoin, Dogecoin and Litecoin addresses where grateful victims can make a donation. This is voluntary, although why one would give a gift to someone who extorted a sizable amount of cash from you is somewhat beyond my comprehension.
What Can I Do If Infected?
This is a bit tricky. Right now, there’s no option for getting your files back other than paying the ransom. However, as we saw with CryptoLocker, it’s possible for people to get their files back when the Command and Control servers are taken over, and the list of decryption keys recovered.
In the interim, ensure that you’ve got a backup of your files that is not persistently connected to your computer via USB or network share. Furthermore, invest in some solid antivirus (not Microsoft Security Essentials) and avoid opening attachments from unsolicited or suspicious emails.
If you do get infected, the recommendation is to buy a cheap external hard drive (or a sufficiently capacious USB flash drive) and copy over your encrypted files. This gives you the possibility of recovering your files at a later date, without paying a ransom. You should then reinstall Windows (or perhaps give Linux – a much more secure operating system – a try), to remove the malware for good.
It’s tempting to pay the ransom, although you should remember that you would only then be making these types of ransomware financially worthwhile to the attacker.
Have You Been Hit?
Lost all your files? Been forced to pay a ransom? Know anyone who has? I’d love to hear your story. The comments box is below.