New CryptoLocker copycat: TorrentLocker

  • 16 August 2014
  • 6 replies
Posted by Stu Sjouwerman on Fri, Aug 15, 2014
 
http://blog.knowbe4.com/Portals/241394/images/torrentlocker.jpg

iSIGHT Partners discovered a new ransomware strain, which uses components of CryptoLocker and CryptoWall but underneath the surface, the code is completely different from these two earlier ransomware families. They have called this new strain ‘TorrentLocker’.
Despite its unique code, the malware tricks victims into thinking that it's CryptoLocker by copycatting the CryptoLocker ransom message. The design of the ransom page looks more like CryptoWall. The malware installs itself on the infected machine and injects a binary into a legitimate process.
 
 
 
Full Article

September 5th, 2014, 15:07 GMT · By Ionut Ilascu
 
http://i1-news.softpedia-static.com/images/news-700/TorrentLocker-Ransomware-Aims-At-UK-Users.jpg (image: spoofed Royal Mail page)
 
 
The newly discovered TorrentLocker ransomware with file-encryption capabilities has been observed to target users in the UK via spam email purporting to come from the Royal Mail postal service.
The messages claim to deliver package tracking information, which is an executable file. The malicious item is downloaded from a phishing website, whose link is provided in the email.

“In August, only Australians were targeted with a fake Australian Post package-tracking page”, researchers from the ESET security firm say; but as recently as September 2, they found that the operators behind TorrentLocker started a new campaign that focused only on victims from the UK.
 
Full Article
The following article is an update on TorrentLocker.

(TorrentLocker unpicked: Crypto coding shocker defeats extortionists)

 
By Darren Pauli, 11 Sep 2014
 
Crooks have borked the encryption behind the TorrentLocker ransomware, meaning victims can avoid paying the extortionists and unlock their data for free.
TorrentLocker was regarded as the demonic spawn of CryptoLocker and CryptoWall which made killings last year by encrypting valuable data owned by individuals and organisations.
 Research trio Taneli Kaivola, Patrik Nisén and Antti Nuopponen of Finnish consultancy Nixu said victims could break the ransomware if they had a plaintext backup of any of their now encrypted files.
"In practice this means that if you have both the original and the encrypted version of a single file that is over 2MB in size, the entire keystream can be recovered which makes it possible to recover all your files encrypted by TorrentLocker," the trio write.
 
The Register, full article here: http://www.theregister.co.uk/2014/09/11/torrentlocker_contains_freeunlock_crypto_shocker/

TorrentLocker Unlocked

 
In our analysis, we had samples of both encrypted and plaintext versions of the same files. As the encryption was done by combining the keystream with the plaintext file using the XOR operation, we were able to recover the keystream used to encrypt those files by simply applying XOR between the encrypted file and the plaintext file. We tested this with several samples of the affected files we had and realized that the malware program uses the same keystream to encrypt all the files within the same infection. This was a cryptographic mistake on the malware author's part, as you should never use the keystream more than once.

Further analysis of the encrypted files also revealed that the malware program added 264 bytes of extra data to the end of each encrypted file, and that it only encrypts the first 2MB of the file, leaving the rest intact. If the size of the original file is less than 2MB and if the size is not a multiple of 16 bytes, the malware program leaves a few bytes from the end of the file unencrypted (file size modulo 16 to be exact). Only encrypting 2MB from the beginning of the file has probably been a conscious decision of the malware author's, as it makes it faster to render more files unusable. At the same time it also makes recovering files much easier.

In practice this means that if you have both the original and the encrypted version of a single file that is over 2MB in size the entire keystream can be recovered, which makes it possible to recover all your files encrypted by TorrentLocker.

The exact purpose of the extra 264 bytes that the malware program adds at the end of each file is still unknown, but it seems to be unique for each infection. As it is unique, it allowed us to write a software program that automatically recognizes which keystream has been used to encrypt the files. If the keystream is known then the program can automatically decrypt all the files.

Full Article
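The keystream-reuse weakness described in the Nixu write-up above (and in the Register summary before it) is easy to demonstrate on a toy model of the file format. The block below is an added example; it is neither Nixu's recovery tool nor TorrentLocker's own code. It assumes a few things the articles do not state: the per-infection keystream is modelled as plain random bytes (the real malware derived it from a cipher), the 264-byte trailer is modelled as random bytes that serve only to tell infections apart (the article says its real purpose is unknown), and the function names, file names and file contents are all made up for the demonstration. The 2MB limit, the 264-byte trailer and the "size modulo 16" leftover are taken from the article.

```python
# Added example (not Nixu's tool and not TorrentLocker's code): a toy model of
# the file format described above, used to show why one known plaintext lets
# every file from the same infection be recovered.
# Assumptions, not from the article: the per-infection keystream is modelled
# as random bytes (the real one came from a cipher), and the 264-byte trailer
# is modelled as random bytes that only identify the infection.
import os
from typing import Dict, Optional, Tuple

ENCRYPT_LIMIT = 2 * 1024 * 1024  # only the first 2 MB of a file is encrypted
TRAILER_LEN = 264                # bytes appended to every encrypted file
BLOCK = 16                       # the last (size % 16) bytes stay in the clear


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (done on big ints to stay fast on 2 MB)."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def encrypted_span(size: int) -> int:
    """How many leading bytes of a file of this size the malware XORs."""
    return (min(size, ENCRYPT_LIMIT) // BLOCK) * BLOCK


def encrypt_file(plaintext: bytes, keystream: bytes, trailer: bytes) -> bytes:
    """Model of the malware: XOR the encrypted span, keep the rest, append trailer."""
    n = encrypted_span(len(plaintext))
    return xor_bytes(plaintext[:n], keystream[:n]) + plaintext[n:] + trailer


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> Tuple[bytes, bytes]:
    """Known-plaintext attack: keystream prefix = ciphertext XOR plaintext.
    Returns (trailer identifying the infection, recovered keystream prefix).
    A plaintext of 2 MB or more yields the complete keystream."""
    if len(ciphertext) != len(plaintext) + TRAILER_LEN:
        raise ValueError("ciphertext is not plaintext length + trailer")
    n = encrypted_span(len(plaintext))
    return ciphertext[-TRAILER_LEN:], xor_bytes(ciphertext[:n], plaintext[:n])


def decrypt_file(ciphertext: bytes, keystreams: Dict[bytes, bytes]) -> Optional[bytes]:
    """Pick the keystream by trailer and undo the XOR; None if unknown or too short."""
    trailer = ciphertext[-TRAILER_LEN:]
    ks = keystreams.get(trailer)
    if ks is None:
        return None                      # trailer from an infection we have no key for
    body = ciphertext[:-TRAILER_LEN]
    n = encrypted_span(len(body))
    if n > len(ks):
        return None                      # only a prefix of the keystream is known
    return xor_bytes(body[:n], ks[:n]) + body[n:]


def demo() -> bool:
    """One infection, three files, one known plaintext: recover everything."""
    keystream = os.urandom(ENCRYPT_LIMIT)          # constructed infection key
    trailer = os.urandom(TRAILER_LEN)              # constructed infection trailer
    files = {                                      # constructed victim files
        "big.pdf": os.urandom(3 * 1024 * 1024),    # > 2 MB: tail past 2 MB untouched
        "mid.docx": os.urandom(1_000_005),         # < 2 MB: last 5 bytes untouched
        "small.txt": b"quarterly figures " * 40,   # 720 bytes, a multiple of 16
    }
    enc = {name: encrypt_file(data, keystream, trailer) for name, data in files.items()}
    # Sanity check of the format: the unencrypted tail really is left alone.
    assert enc["mid.docx"][1_000_000:1_000_005] == files["mid.docx"][1_000_000:]
    # The victim still has a clean copy of big.pdf (e.g. from e-mail or a backup).
    seen_trailer, ks = recover_keystream(files["big.pdf"], enc["big.pdf"])
    assert ks == keystream and seen_trailer == trailer
    known = {seen_trailer: ks}
    return all(decrypt_file(enc[name], known) == files[name] for name in files)


if __name__ == "__main__":
    print("all files recovered:", demo())
```

Two points the demo makes that the article only states: a known file smaller than 2MB still recovers a usable keystream prefix, which decrypts every file whose encrypted span fits inside that prefix (decrypt_file returns None rather than producing garbage when it does not), and the trailer is what lets a recovery tool pick the right keystream when files from more than one infection are mixed together. None of this would work if the malware had used a fresh keystream, or a fresh nonce, per file.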
By Jimmy Nicholls | 18 September 2014. Malware group ‘nearly as successful’ as CryptoLocker authors.
 
Hackers behind the TorrentLocker ransomware have already patched a decryption bug found only last week, according to security firm iSight Partners.
Victims of previous iterations of the malware could decrypt their files if they had a single unencrypted backup of any of the items affected, since the key to all files could be deduced by applying an XOR cipher between encrypted and plain text files.
Richard Hummel, senior technical intelligence analyst at iSight Partners, said: "TorrentLocker continues to be a notable threat to a wide variety of users, and the number of infections and subsequent payment of Bitcoins suggest that the malware authors are nearly as successful as the actors responsible for CryptoLocker."
 
Full Article
By Marc-Etienne M.Léveillé posted 16 Dec 2014
 
Today, we published our research on ransomware that emerged in 2014. We have posted blog articles about this threat before, to raise awareness when we realized the criminals were targeting the United Kingdom and Spain.
Win32/Filecoder.DI, also known as TorrentLocker, encrypts its victims’ valuable documents and demands that the victims pay a ransom so that they can download the decryption software that will unlock their files. Ransomware that encrypts files (also known as Crypto-Ransomware) is not something new. Back in 1989, the infamous AIDS trojan demanded US$189 to access your computer files again. More recently, CryptoLocker gained attention from the media after a massive number of victims were observed and the criminals behind the threat were identified. Bromium recently published a report comparing recent crypto-ransomware families, in which TorrentLocker is mentioned.
 
http://www.welivesecurity.com/wp-content/uploads/2014/12/charts_paid_unpaid.png (chart: ratio of victims who paid the cybercriminals for the decryption software)
 
Full Article

Too many people still running random .exe files in spam attachments

 
18 Dec 2014 at 10:35, John Leyden
 
TorrentLocker, one of the most widespread pieces of ransomware, has claimed thousands of victims since it first surfaced in February 2014, according to new research.
Out of 39,670 infected Windows systems, 570 or 1.45 per cent have paid the ransom to criminals to decrypt their locked-up files, according to infosec biz ESET. The crooks behind the scam made between $292,700 (£187k) and $585,401 (£375k) in Bitcoins from these payments.
 The ransomware generates a random 256-bit AES key to encrypt documents, pictures and other files on a victim’s PC before demanding up to 4 BTC (about $1,500) from victims; the data is restored if the money is paid.
 
Full Article
