TorrentLocker copycat CryptoFortress leads new wave of ransomware

News by Doug Drinkwater

Ransomware continues to rise in several new and old guises, including a copycat TorrentLocker, BandarChor and a spam campaign encompassing the infamous CryptoWall.

On Friday last week, French malware researcher ‘Kafeine' confirmed the existence of a new version of TorrentLocker, called CryptoFortress, which was being used in in-the-wild attacks against computer users in order to encrypt their files, forcing them to pay a ransom to get them back.

Kafeine later explained how he initially thought the malware was a rebadged version of TorrentLocker, only to later reveal that it was in fact a new strain of ransomware, CryptoFortress, which would encrypt files and ask for 1.43 Bitcoins (approximately £264) or up to £600, if paid up to 72 hours later.

Some users reported that files were encrypted using the suspicious ‘.frtrss' extension, while experts have noted the ransomware's use of AES-256 encryption in ECB (Electronic Code Book) mode and Tor to communicate back to the command and control (C&C) server.

Kafeine told that users should back-up, update their software and maybe even use anti-exploit technology, as exploit kits are used to distribute the ransomware.

“I would say crypto-ransomware is a polished/finished product for bad guys. It's money here and now. Cleaning the PC does not solve the issue, if you have no backup, you are screwed.”

Renaud Tabary of French company Lexsi later added in a comprehensive round-up of the new ransomware: “From the ransom page to some of its cryptographic functions, this new ransomware seems to be a fork of TorrentLocker/Teerac.a, although the features set has been slightly reduced in this new variant. Here are some key points of this new malware:

  • Offline encryption using a session-unique AES 256 key in ECB mode
  • AES key is stored encrypted locally in the ransom .html files using an embedded RSA 1024 bits public key
  • Locks files on local drives, mapped drives and network shares
  • Unlock server located in the Tor network
  • Volume shadow copies are deleted, files are encrypted on place
  • Most of the malware behaviour is configurable via the “cfg” resource"

“CryptoFortress is successfully able to encrypt the file test.txt in an open share over SMB on my test network," added Lawrence Abrams, of "This new ability changes the threat landscape for all server and network administrators and it is even more important than ever to properly secure your shared folders with strong permissions."

Mark James, security specialist at ESET in the UK, told “This particular piece of ransomware is very similar to the other Cryptolocker variants. It usually spreads via dodgy email attachments or hacked malware ridden websites, and once infected it will attempt to encrypt your files on local drives and network drives, as well as deleting any Volume Shadow Copies, to avoid easy recovery of the affected files. 

“It uses a 2048 bit RSA-AES encryption routine, that kind of encryption will take around 6.4 quadrillion years on a single standard desktop computer to decrypt. Once it has all your files it will then give you options on purchasing the decryption routines using the Bitcoin currency. It uses the Tor network to communicate back to its command and control servers to remain as anonymous as possible, your options available will be firstly to restore from backup. 

"If you don't have backups then you have to make the choice if you are going to get your data back or accept the fact it is lost. Ideally paying these crooks more money to infect more machines should not be an option considered.”

Carl Leonard, principal security analyst at Websense, added that his firm spotted CryptoFortress attacks in Australia last month.  

“Looking at the dontneedcoffee blog, this looks like it's the same identity as Websense's Security Labs found in February in Australia (more info here). The new branding of “CryptoFortress” may be new, but everything else looks the same.

“This looks very bad – unfortunately, once your files are encrypted you might as well consider them lost…The most important thing here is to protect yourself from the incoming lure. It's vital to ensure that you backup files regularly and store them on a separate environment off the network – if ransomware gets in it won't be able to encrypt those.”

He added: “The general state of ransomware is that it's still prevalent, it's still causing damage and – most worryingly – it's still evolving and will continue to evolve as we progress through 2015. Once a machine has become infected and files encrypted there is little that an end user can do to counter it.

“To strengthen your overall security posture we recommend that businesses raise awareness within their employee base of the dangers and signs of ransomware, and adopt suitable technologies to identify and protect from the threat in the early stages of the threat lifecycle.”

Last week was busy for security companies investigating ransomware variants; Bitdefender warned of a spam wave hitting thousands of mailboxes with .chm attachments to spread CryptoWall, while F-Secure spotted growing reports on BandarChor.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews