False lead created by using ransom pages from other crypto-malware

Aug 18, 2014 14:37 GMT

Security researchers have spotted an active phishing campaign, probably aimed at Australian users, that drops a new type of ransomware. The malware borrows elements from CryptoLocker and CryptoWall, but its underlying code is entirely different.

Dubbed TorrentLocker, the new ransomware encrypts specific file types on the affected computer and then displays a ransom message similar to the one shown by the infamous CryptoLocker (for which a free file decryption service is available).

However, security experts from iSIGHT Partners, a cyber threat intelligence company, have noticed that the “overall feel of the malware looks like CryptoWall.”

The fee for decrypting the locked files (documents, archives, backup data, multimedia items, databases) is demanded in Bitcoin, to be purchased from certain Australian Bitcoin exchanges and sent to an address supplied in the ransom note.

Before starting to encrypt the data, TorrentLocker establishes a secure communication channel with a command and control (C&C) server available at a hardcoded address, from where it downloads a certificate and the configuration files.

Without an active Internet connection, the malware cannot proceed to encrypt the files on the compromised system. Once the host is reached, certificate information is exchanged and the encryption begins.

According to the security experts, the algorithm used is Rijndael, a symmetric cipher in which a single password (key) both locks and unlocks the data.

More advanced crypto-malware relies on asymmetric cryptography, which uses a pair of keys: a public one (used for encryption) and a private one (used for decryption). The private key stays in the hands of the threat actor, and files cannot be returned to their original state without it.

It appears that the password needed to free the data is not stored on the local machine and is different for each infected system.

As a sign of good faith and to make sure that the ransom fee is paid, the malware operator also provides the victim the possibility to decrypt one file, free of charge.

TorrentLocker seems to be distributed through spam, so a good way to avoid this sort of trouble is to avoid opening links in unsolicited emails. As is usual with ransomware, there is a deadline for making the payment.

Researchers observed that, in order to achieve persistence on the compromised machine, the malware and its configuration data are stored in the Windows Registry. “The registry contains items such as the original binary, ransom message, install locations, autorun key and number of encrypted files,” writes Richard Hummel in a blog post.
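Registry-based persistence of this kind leaves two things a defender can look for: an autorun entry that launches a binary from an unusual location, and an unusually large binary value stored somewhere under the user's registry hive. The PowerShell below is an added example written for this article, not code from the article, from iSIGHT Partners or from the malware; the article does not name TorrentLocker's registry path, so the script enumerates the standard Run/RunOnce keys and the whole HKCU\Software tree instead. The list of "trusted" directories and the 100 KB size threshold are assumptions to tune for your environment.

```powershell
# Added example: hunt for registry persistence of the kind described above.
# Assumptions: legitimate autorun binaries live under Program Files or the
# Windows directory, and no benign REG_BINARY value under HKCU\Software is
# 100 KB or larger. Both are environment-specific and should be tuned.

$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories from which autorun entries are considered normal (assumption)
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Get-SuspiciousAutoruns {
    # Emit every autorun value whose executable is outside the trusted roots
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata
            $cmd = [string]$p.Value
            # Reduce "C:\path\app.exe" /args (quoted or not) to the bare path
            $exe = $cmd -replace '^"([^"]+)".*$', '$1'
            $exe = ($exe -replace '^(\S+).*$', '$1').ToLower()
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($exe.StartsWith($root)) { $inTrusted = $true; break }
            }
            if (-not $inTrusted) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

function Get-LargeBinaryValues {
    # Emit REG_BINARY values under HKCU\Software at or above the threshold;
    # a staged executable stored in the registry would show up here
    param([int]$MinBytes = 100KB)   # assumption: threshold
    Get-ChildItem -Path 'HKCU:\Software' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -eq 'Binary') {
                    $len = ($key.GetValue($name)).Length
                    if ($len -ge $MinBytes) {
                        [pscustomobject]@{ Key = $key.Name; Value = $name; Bytes = $len }
                    }
                }
            }
        }
}

Write-Host '== Autorun entries outside trusted directories =='
Get-SuspiciousAutoruns | Format-Table -AutoSize
Write-Host '== Large binary values under HKCU\Software =='
Get-LargeBinaryValues | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Run it from an ordinary user session first (HKCU is the hive the article's description points at), then again elevated to read the HKLM Run keys. Every hit needs manual review: installers that legitimately launch from AppData will appear in the first list, and some applications cache data as large binary values, so treat the output as leads for triage rather than verdicts.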

There is no evidence that this malware strain is being traded on underground forums, which suggests that the group behind it wrote the malicious code themselves and borrowed the ransom pages of other crypto-malware to create a false lead.

[Photo gallery, 2 images: "Ransom page claiming CryptoLocker infection"; "Victims can decrypt a single file"]