Monday, September 1, 2014

What is TorrentLocker?

TorrentLocker is a file-encrypting ransomware that appears to use elements of CryptoLocker and CryptoWall; however, the code used in this ransomware is completely different from that of the other two families. Once it infects a computer, it encrypts the victim's most important files using the Rijndael algorithm (a symmetric cipher) and holds them for ransom. The interesting part about this threat is that, although its code is unique, the ransom message tells victims that their files have been encrypted by the “CryptoLocker virus”, and the ransom page and FAQ section appear similar to those of CryptoLocker and CryptoWall, according to the researchers. Once the files are encrypted, the victim is shown the ransom message with the decryption deadline. The victim then has to visit a specified Australian Bitcoin site to purchase bitcoins and make the payment to the provided Bitcoin address.


For persistence, the malware and its configuration are stored in the Windows Registry under HKCU\Software\Bit Torrent Application\Configuration, hence the name TorrentLocker. The registry key contains components such as the ransom message, the original binary, the install location, the autorun key and the number of encrypted files.
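A read-only check for this registry key across every loaded user profile, as an added example (not code from the sample or from iSight Partners). The function name is hypothetical, the only indicator used is the key path quoted above, and value contents are deliberately not dumped.

```powershell
# Added example, not from the analysed sample. Read-only sweep of loaded user hives.
# The key path is the one reported in this post; nothing else is assumed about it.
$RelativeKey = 'Software\Bit Torrent Application\Configuration'

function Find-TorrentLockerConfig {   # hypothetical helper name
    [CmdletBinding()]
    param([string]$SubKey = $RelativeKey)

    # HKCU only covers the calling account; HKEY_USERS has one subkey per loaded profile.
    $users = [Microsoft.Win32.Registry]::Users
    foreach ($sid in $users.GetSubKeyNames()) {
        if ($sid -like '*_Classes') { continue }          # per-user class hives
        $key = $users.OpenSubKey("$sid\$SubKey", $false)  # $false = open read-only
        if ($null -eq $key) { continue }                  # key absent for this profile
        try {
            $names = $key.GetValueNames()
            if ($names.Count -eq 0) {
                # The key exists but is empty: still worth reporting.
                [pscustomobject]@{ Sid = $sid; Value = '(no values)'; Kind = $null; Bytes = $null }
            }
            foreach ($name in $names) {
                $data = $key.GetValue($name, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                # Report metadata only; the stored binary and ransom text are not printed.
                $bytes = if ($data -is [byte[]]) { $data.Length } else { $null }
                [pscustomobject]@{
                    Sid   = $sid
                    Value = $name
                    Kind  = $key.GetValueKind($name)
                    Bytes = $bytes
                }
            }
        }
        finally {
            $key.Close()
        }
    }
}

# Any output row means the key exists for that SID and the host needs triage.
Find-TorrentLockerConfig | Format-Table -AutoSize
```

Profiles that are not currently loaded do not appear under HKEY_USERS; their NTUSER.DAT hives have to be examined offline.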

Key Features:

TorrentLocker encrypts files with the Rijndael algorithm. This is a symmetric cipher, and the password used for encryption is either stored locally or retrieved from the attackers' remote server.
The malware looks similar to the CryptoLocker and CryptoWall ransomware, but it differs at the code level, which shows that it is a new type of ransomware.
The ransomware first connects to a command-and-control (C&C) server over a secure channel and exchanges certificates before encrypting the files.
Experts have not yet been able to determine whether the malware is sold on underground forums, but samples analyzed by iSight Partners indicate that TorrentLocker is distributed through spam messages and that it seems to target users located in Australia.

The ransom must be paid in Bitcoin; however, the amount that victims have to pay is displayed in Australian dollars. Additionally, the recommended Bitcoin sellers are all located in Australia.

Earlier, CryptoLocker was disrupted at the start of the summer, and victims have a chance to get their files back thanks to a new service released by Fox-IT and FireEye. However, the researchers consider that TorrentLocker might borrow CryptoLocker's dangerous reputation by spoofing its visual elements.

“It may also cause victims to assume that their files are encoded in RSA-2048, a possibly more secure encryption method than the Rijndael algorithm used to encrypt files in TorrentLocker,” said Richard Hummel, senior technical intelligence analyst at iSight Partners.

Future Viewpoint

iSight Partners thinks that use of this malware will not grow rapidly because it uses the same themes as CryptoLocker and CryptoWall. Users may therefore recognize it, decline to pay, and take the correct measures to handle it.

Malware Behavior on Infected System (Dynamic Analysis)

At the start of execution, the malware launches a copy of itself and at the same time injects a binary into a newly spawned copy of explorer.exe, which is meant to look like a legitimate copy of the original explorer.exe. The malware starts the duplicate process, which it has permission to do on the local system, and so avoids modifying the already running explorer.exe. The purpose of launching the duplicate copy of itself appears to be to confuse analysts debugging the malware; the copy does not appear to offer any additional features. Note that the binary injected into explorer.exe was originally named rack-core.bin, and strings seen in the binary include “rack_install,” “rack_uninstall” and “rack_display_crypto_info.”

The malware installs a randomly named copy of itself in the %WINDOWS%/%WOW64% folder. Lastly, the malware creates a key in the Windows Registry and stores a copy of itself there, along with other configuration data for the malware to reference. Furthermore, the malware creates an autorun key in the registry.

To start encrypting files, the malware requires an active Internet connection. At first, the malware reaches out to a domain hardcoded into it, likely to verify connectivity. It then sends data to the IP address hosting the domain and exchanges certificate information over a secure connection. If this succeeds, the malware starts encrypting files and, once it has finished, notifies the user with the ransom message.
