TorrentLocker copycat CryptoFortress leads new wave of ransomware

Ransomware continues to rise in several new and old guises, including a copycat TorrentLocker, BandarChor and a spam campaign encompassing the infamous CryptoWall.

TorrentLocker copycat CryptoFortress leads new wave of ransomware
TorrentLocker copycat CryptoFortress leads new wave of ransomware

On Friday last week, French malware researcher ‘Kafeine' confirmed the existence of a new version of TorrentLocker, called CryptoFortress, which was being used in in-the-wild attacks against computer users in order to encrypt their files, forcing them to pay a ransom to get them back.

Kafeine later explained how he initially thought the malware was a rebadged version of TorrentLocker, only to later reveal that it was in fact a new strain of ransomware, CryptoFortress, which would encrypt files and ask for 1.43 Bitcoins (approximately £264) or up to £600, if paid up to 72 hours later.

Some users reported that files were encrypted using the suspicious ‘.frtrss' extension, while experts have noted the ransomware's use of AES-256 encryption in ECB (Electronic Code Book) mode and Tor to communicate back to the command and control (C&C) server.

Kafeine told SCMagazineUK.com that users should back-up, update their software and maybe even use anti-exploit technology, as exploit kits are used to distribute the ransomware.

“I would say crypto-ransomware is a polished/finished product for bad guys. It's money here and now. Cleaning the PC does not solve the issue, if you have no backup, you are screwed.”

Renaud Tabary of French company Lexsi later added in a comprehensive round-up of the new ransomware: “From the ransom page to some of its cryptographic functions, this new ransomware seems to be a fork of TorrentLocker/Teerac.a, although the features set has been slightly reduced in this new variant. Here are some key points of this new malware:

  • Offline encryption using a session-unique AES 256 key in ECB mode
  • AES key is stored encrypted locally in the ransom .html files using an embedded RSA 1024 bits public key
  • Locks files on local drives, mapped drives and network shares
  • Unlock server located in the Tor network
  • Volume shadow copies are deleted, files are encrypted on place
  • Most of the malware behaviour is configurable via the “cfg” resource"

“CryptoFortress is successfully able to encrypt the file test.txt in an open share over SMB on my test network," added Lawrence Abrams, of BleepingComputer.com. "This new ability changes the threat landscape for all server and network administrators and it is even more important than ever to properly secure your shared folders with strong permissions."

Mark James, security specialist at ESET in the UK, told SCMagazineUK.com: “This particular piece of ransomware is very similar to the other Cryptolocker variants. It usually spreads via dodgy email attachments or hacked malware ridden websites, and once infected it will attempt to encrypt your files on local drives and network drives, as well as deleting any Volume Shadow Copies, to avoid easy recovery of the affected files. 

Page 1 of 2