Researchers have revealed a way to undermine TorrentLocker, a strain of crypto ransomware that uses a different kind of encryption scheme than its predecessors, CryptoLocker or CryptoWall.
As with most crypto ransomware, TorrentLocker is distributed via spam campaigns; once installed on the infected machine, the malware injects a binary into a legitimate process. However, TorrentLocker's injected binary uses the Rijndael algorithm, a symmetric encryption algorithm, to encrypt the files it can locate. Because the algorithm is symmetric, the same key is used both to encrypt and to decrypt data.
Additionally, researchers discovered that the malware adds 264 bytes of extra data to the end of each encrypted file and encrypts only the first 2MB of each file, leaving the rest intact. Therefore, when both the original and the encrypted version of a file larger than 2MB are available, the entire keystream can be recovered. The takeaway: every file encrypted by TorrentLocker can be recovered.
Though the purpose of the extra 264 bytes isn't clear, researchers believe it is unique to each infection, and they have written a program that automatically recognises which keystream was used to encrypt the files. Once the keystream is known, the program can decrypt all the files automatically.
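An added example, not code from the article or from the researchers' tool, sketching the recovery the article describes: one file with a clean copy yields the keystream, which then unlocks every other file. It assumes, as the article's keystream-recovery claim implies, that the cipher output acts as a keystream XORed into the first 2MB of each file; the keystream, trailer and files are constructed here, and `simulate_infection` is a stand-in for the malware, not its code.

```python
import os

ENCRYPTED_PREFIX_LEN = 2 * 1024 * 1024   # TorrentLocker encrypts only the first 2 MB
TRAILER_LEN = 264                        # and appends 264 bytes of extra data

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (integer trick keeps 2 MB fast in pure Python)."""
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

def simulate_infection(plaintext: bytes, keystream: bytes, trailer: bytes) -> bytes:
    """Constructed stand-in for the malware: keystream XOR over the first 2 MB,
    remainder left untouched, trailer appended. Not TorrentLocker's own code."""
    n = min(len(plaintext), ENCRYPTED_PREFIX_LEN)
    return xor_bytes(plaintext[:n], keystream[:n]) + plaintext[n:] + trailer

def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext recovery of the reused keystream: plaintext XOR ciphertext.
    Returns min(len, 2 MB) bytes, so a file over 2 MB yields the complete keystream."""
    body = encrypted[:len(encrypted) - TRAILER_LEN]   # drop the 264-byte trailer
    n = min(len(body), ENCRYPTED_PREFIX_LEN)
    return xor_bytes(original[:n], body[:n])

def decrypt_file(encrypted: bytes, keystream: bytes) -> bytes:
    """Restore one file using a keystream recovered from a different file."""
    body = encrypted[:len(encrypted) - TRAILER_LEN]
    n = min(len(body), ENCRYPTED_PREFIX_LEN)
    if n > len(keystream):
        raise ValueError("recovered keystream is shorter than this file's encrypted prefix")
    return xor_bytes(body[:n], keystream[:n]) + body[n:]

def demo() -> bool:
    """Recover the keystream from one known 3 MB file, then restore two other files."""
    keystream = os.urandom(ENCRYPTED_PREFIX_LEN)      # per-infection key material (constructed)
    trailer = os.urandom(TRAILER_LEN)                 # the 264-byte marker (constructed)
    known = bytes(range(256)) * (3 * 4096)            # 3 MB file we still have a clean copy of
    victims = [os.urandom(1024 * 1024),               # 1 MB file: encrypted in full
               os.urandom(5 * 1024 * 1024 // 2)]      # 2.5 MB file: only first 2 MB encrypted
    ks = recover_keystream(known, simulate_infection(known, keystream, trailer))
    if ks != keystream:
        return False
    return all(decrypt_file(simulate_infection(v, keystream, trailer), ks) == v for v in victims)
```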
Currently TorrentLocker isn't as widespread a threat as CryptoLocker or CryptoWall, and now that its encryption has been so thoroughly unraveled, researchers don't expect to see much more of it.