Researchers unlock TorrentLocker encryption

A team of Finnish researchers has discovered that the files encrypted by the recently unearthed TorrentLocker ransomware can be decrypted without paying the ransom – if the user has at least one of the encrypted files backed up somewhere, and that file is over 2MB in size.

Previous research established that TorrentLocker is an entirely new strain of ransomware that imitates both CryptoLocker and CryptoWall, making it obvious that the crooks behind it are trying to capitalize on the fact that these two types of malware are well known and feared.

Security experts from iSIGHT Partners have also said that, despite the crooks claiming that the malware uses RSA-2048 encryption, it in fact uses the Rijndael algorithm.

Researchers Taneli Kaivola, Patrik Nisén and Antti Nuopponen, who work for information security consultancy Nixu, have analyzed a TorrentLocker variant and have more information to share.

Crediting Trend Micro researchers with the discovery that TorrentLocker “encrypted files by combining a keystream to the file with exclusive or (XOR) operation,” they also found that the malware contains AES code as well as the SHA256 and SHA512 hash algorithms.

“Exact details on how the encryption is done still remain unknown, but it strongly appears that the encryption is done with a stream cipher that is built using AES and hash functions. The fact that the keystream consists of 16 byte blocks also supports the assumption that AES is used to produce the keystream,” they pointed out.

The malware authors’ mistake is the following: the malware uses the same keystream to encrypt all the files within the same infection.

“As the encryption was done by combining the keystream with the plaintext file using the XOR operation, we were able to recover the keystream used to encrypt those files by simply applying XOR between the encrypted file and the plaintext file,” they shared.

“Further analysis of the encrypted files also revealed that the malware program added 264 bytes of extra data to the end of each encrypted file, and that it only encrypts the first 2MB of the file, leaving the rest intact.”

They posit that the choice of only encrypting the first 2MB was made to speed up the encryption process, but this also allowed researchers to recover the keystream.

“The exact purpose of the extra 264 bytes that the malware program adds at the end of each file is still unknown, but it seems to be unique for each infection. As it is unique, it allowed us to write a software program that automatically recognizes which keystream has been used to encrypt the files,” they concluded, and invited affected users to get in touch.
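The recovery described above, as an added example that is not the Nixu team's tool or the malware's real code: a constructed stand-in keystream (SHAKE-256 output, since the actual AES/hash construction is unknown) is XORed over the first 2MB of each file and a 264-byte per-infection trailer is appended; one known plaintext/ciphertext pair then yields the keystream, and a backup shorter than 2MB yields only a partial keystream that cannot decrypt larger files.

```python
import hashlib

ENCRYPTED_PREFIX = 2 * 1024 * 1024   # only the first 2MB of each file is encrypted
TRAILER_LEN = 264                    # extra bytes appended per file, constant per infection


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over their common length (fast via big integers)."""
    n = min(len(a), len(b))
    return (int.from_bytes(a[:n], "big") ^ int.from_bytes(b[:n], "big")).to_bytes(n, "big")


def simulate_infection(files: dict, key: bytes) -> dict:
    """Constructed stand-in for the malware: ONE keystream for the whole infection,
    XORed over the first 2MB of every file, rest left intact, then the trailer."""
    keystream = hashlib.shake_256(b"keystream:" + key).digest(ENCRYPTED_PREFIX)
    trailer = hashlib.shake_256(b"trailer:" + key).digest(TRAILER_LEN)
    return {name: xor_bytes(data[:ENCRYPTED_PREFIX], keystream)
                  + data[ENCRYPTED_PREFIX:] + trailer
            for name, data in files.items()}


def recover_keystream(ciphertext: bytes, plaintext: bytes) -> bytes:
    """C XOR P over the encrypted prefix gives the keystream. A backup shorter
    than 2MB only reveals as many keystream bytes as the backup has."""
    body = ciphertext[:-TRAILER_LEN]
    return xor_bytes(body[:ENCRYPTED_PREFIX], plaintext[:ENCRYPTED_PREFIX])


def decrypt(ciphertext: bytes, keystream: bytes):
    """Undo the XOR on the encrypted prefix and strip the trailer.
    Returns None when the recovered keystream is too short for this file."""
    body = ciphertext[:-TRAILER_LEN]
    enc_len = min(len(body), ENCRYPTED_PREFIX)
    if len(keystream) < enc_len:
        return None
    return xor_bytes(body[:enc_len], keystream) + body[enc_len:]


def infection_id(ciphertext: bytes) -> bytes:
    """The trailer is unique per infection, so it identifies which keystream applies."""
    return ciphertext[-TRAILER_LEN:]


if __name__ == "__main__":
    # Constructed sample files: one backed-up document over 2MB, one 1MB photo.
    files = {"report.docx": b"Quarterly report. " * 200000,
             "photo.jpg": bytes(range(256)) * 4096}
    enc = simulate_infection(files, b"constructed-infection-key")
    ks = recover_keystream(enc["report.docx"], files["report.docx"])
    print("photo restored:", decrypt(enc["photo.jpg"], ks) == files["photo.jpg"])
```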

While this news is very welcome, the revelation will inevitably prompt TorrentLocker’s developers to fix their encryption implementation, so it’s a good idea – if you haven’t already – to start making regular backups of your files.