Author Topic: Researchers unlock TorrentLocker encryption @ZeljkaZorz  (Read 5193 times)


devnullius

Researchers unlock TorrentLocker encryption @ZeljkaZorz
« on: 13. September 2014., 17:08:50 »
SOURCE

Researchers unlock TorrentLocker encryption

Posted on 11.09.2014 by http://twitter.com/ZeljkaZorz

A team of Finnish researchers has discovered that the files encrypted by the recently unearthed TorrentLocker ransomware can be decrypted without paying the ransom - if the user has at least one of the encrypted files backed up somewhere, and that file is over 2MB in size.

Previous research established that TorrentLocker is an entirely new strain of ransomware that imitates both CryptoLocker and CryptoWall, making it obvious that the crooks behind it are trying to capitalize on the fact that these two types of malware are well known and feared.

Security experts from iSIGHT Partners have also said that, despite the crooks claiming that the malware uses RSA-2048 encryption, it in fact uses the Rijndael algorithm.

Researchers Taneli Kaivola, Patrik Nisén and Antti Nuopponen, who work for information security consultancy Nixu, have analyzed a TorrentLocker variant and have more information to share.

Crediting Trend Micro researchers with the discovery that the TorrentLocker "encrypted files by combining a keystream to the file with exclusive or (XOR) operation," they also unearthed that the malware does contain AES code, and SHA256 and SHA512 hash algorithms.

"Exact details on how the encryption is done still remain unknown, but it strongly appears that the encryption is done with a stream cipher that is built using AES and hash functions. The fact that the keystream consists of 16 byte blocks also supports the assumption that AES is used to produce the keystream," they pointed out.

The malware authors' mistake is the following: the malware uses the same keystream to encrypt all the files within the same infection.

"As the encryption was done by combining the keystream with the plaintext file using the XOR operation, we were able to recover the keystream used to encrypt those files by simply applying XOR between the encrypted file and the plaintext file," they shared.

"Further analysis of the encrypted files also revealed that the malware program added 264 bytes of extra data to the end of each encrypted file, and that it only encrypts the first 2MB of the file, leaving the rest intact."

They posit that the choice of only encrypting the first 2MB was made to speed up the encryption process, but this also allowed researchers to recover the keystream.

"The exact purpose of the extra 264 bytes that the malware program adds at the end of each file is still unknown, but it seems to be unique for each infection. As it is unique, it allowed us to write a software program that automatically recognizes which keystream has been used to encrypt the files," they concluded, and invited affected users to get in touch.

While this news is very welcome, this revelation will inevitably make TorrentLocker's developers improve the encryption implementation scheme, so it's a good idea - if you haven't already - to start making regular backups of your files.

More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9
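
The known-plaintext keystream recovery described in the quoted article, as an added Python example that is not part of the original post or the researchers' tool; it also shows why the backed-up file has to be over 2MB. Assumptions: the files, keystream and trailer are constructed random bytes, `simulate_lock` is a hypothetical stand-in used only to make sample data, and looking the keystream up by the whole 264-byte trailer is one possible way to do the recognition the article mentions.

```python
import os

LIMIT = 2 * 1024 * 1024  # only the first 2MB of a file is encrypted (per the article)
TRAILER = 264            # extra bytes appended to every encrypted file

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over the length of the shorter one."""
    n = min(len(a), len(b))
    return (int.from_bytes(a[:n], "big") ^ int.from_bytes(b[:n], "big")).to_bytes(n, "big")

def simulate_lock(plain: bytes, keystream: bytes, trailer: bytes) -> bytes:
    """Constructed stand-in for the flawed scheme, used only to make sample data."""
    head = xor(plain[:LIMIT], keystream)
    return head + plain[len(head):] + trailer

def recover_keystream(backup: bytes, locked: bytes) -> bytes:
    """Known plaintext XOR ciphertext yields the keystream, up to 2MB of it."""
    body = locked[:-TRAILER]
    if len(body) != len(backup):
        raise ValueError("backup and encrypted file are not the same file")
    return xor(backup[:LIMIT], body[:LIMIT])

def unlock(locked: bytes, keystreams: dict) -> tuple:
    """Pick the keystream by trailer (assumed lookup); return (data, fully_recovered)."""
    body, trailer = locked[:-TRAILER], locked[-TRAILER:]
    ks = keystreams[trailer]
    head = xor(body[:LIMIT], ks)
    return head + body[len(head):], len(ks) >= min(len(body), LIMIT)

def demo() -> dict:
    # Constructed sample data: random bytes stand in for files, keystream and trailer.
    ks, trailer = os.urandom(LIMIT), os.urandom(TRAILER)
    big, small, victim = os.urandom(LIMIT + 4096), os.urandom(1000), os.urandom(300_000)
    locked_victim = simulate_lock(victim, ks, trailer)
    # A backup over 2MB recovers the whole keystream, so any file from that infection decrypts.
    full = {trailer: recover_keystream(big, simulate_lock(big, ks, trailer))}
    data, complete = unlock(locked_victim, full)
    # A 1000-byte backup recovers only 1000 keystream bytes: the rest stays encrypted.
    part = {trailer: recover_keystream(small, simulate_lock(small, ks, trailer))}
    data2, complete2 = unlock(locked_victim, part)
    return {"full_ok": complete and data == victim,
            "partial_complete": complete2,
            "partial_prefix_ok": data2[:1000] == victim[:1000],
            "partial_rest_locked": data2[1000:] != victim[1000:]}

if __name__ == "__main__":
    print(demo())
```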

Samker

Re: Researchers unlock TorrentLocker encryption @ZeljkaZorz
« Reply #1 on: 14. September 2014., 09:09:45 »
D., do you have any direct link to download decryption tool or key generator?

It'll be useful for SCF's visitors...

Thanks,

S.

devnullius

Re: Researchers unlock TorrentLocker encryption @ZeljkaZorz
« Reply #2 on: 18. September 2014., 20:23:21 »
Quote
D., do you have any direct link to download decryption tool or key generator?

It'll be useful for SCF's visitors...

Thanks,

S.

FROM: http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/

** Visitors looking for just the Decrypter and not the TorrentLocker Analysis can Download and read about it at the bottom of the page or download it from Here  **  http://download.bleepingcomputer.com/Nathan/TorrentUnlocker.exe

Samker

Re: Researchers unlock TorrentLocker encryption @ZeljkaZorz
« Reply #3 on: 20. September 2014., 09:49:06 »
It's "fixed" now... :thumbsdown: No more free unlocking: http://www.pcworld.com/article/2685432/encryption-goof-fixed-in-torrentlocker-filelocking-malware.html


Quote
"TorrentLocker’s developers ironically made a similar mistake as the creators of another ransomware program, CryptoDefense. Researchers found earlier this year that CryptoDefense left a decryption key on a person’s computer, although the error was soon fixed."

devnullius

Re: Researchers unlock TorrentLocker encryption @ZeljkaZorz
« Reply #4 on: 20. September 2014., 14:32:42 »
:) sigh...
devnullius

BREAKING: MASSIVE HACK ON AUSTRALIAN COMPUTERS, DEMANDS BITCOIN
« Reply #5 on: 21. September 2014., 02:39:36 »
INTERESTING read (non-techie) BREAKING: MASSIVE HACK ON AUSTRALIAN COMPUTERS, DEMANDS BITCOIN: http://www.cryptocoinsnews.com/massive-hack-on-australian-computers-demands-bitcoin/

Related: Unlock your PC infected by CryptoLocker for FREE!: http://scforum.info/index.php/topic,9272.msg25758.html#msg25758

Devvie