Guest submission by Taneli Kaivola, Patrik Nisén and Antti Nuopponen of NIXU
TorrentLocker is a new breed of ransomware that has been spreading lately. Like CryptoLocker and CryptoWall it encrypts files on a victim's machine and then demands ransom. The victim has to pay to get the decryption software that can decrypt the files.
On a recent incident response case we came across a malware program that had all the known characteristics of TorrentLocker. We started to analyze the malware to see if there was a way to get the files decrypted without paying the ransom. It is well known that some ransomwares like CryptoLocker do implement proper encryption and that it is not possible to recover the encrypted files, but on the other hand, there are also several examples of malware that fail to do solid encryption. For example, security researcher Fakebit (fakebit.com) discovered a CryptoLocker variant that claimed to use 2048-bit RSA but was instead using Tiny Encryption Algorithm (TEA). It seems that malware authors are trying to benefit from CryptoLocker's reputation and make people pay the ransom even if their malware is not actually implementing strong encryption.
Analysis of TorrentLocker done by iSight partners suggested that TorrentLocker uses Rijendael algorithm to encrypt files that it can locate. Rijendael is a symmetric encryption algorithm that is best known for its use in advanced encryption standard (AES). As the algorithm is a symmetric one, the same key is used both to encrypt and decrypt data. Because the malware program needs to have the key in the infected machine at some point of time to be able to encrypt the files, recovering the key from the infected machine could be possible, at least in theory.
At this point it is unclear whether the variant of TorrentLocker we analyzed is the same one that iSight analyzed, but it did contain all the characteristics that iSight partners reported. During our investigation we got help from Trend Micro (http://blog.trendmicro.com/trendlabs-security-intelligence/) who provided the initial analysis of TorrentLocker to us. They were able to locate the actual encryption routine from the malware program, and surprisingly it was not Rijendael or AES. According to them, it encrypted files by combining a keystream to the file with exclusive or (XOR) operation. This is the final step used in many stream ciphers. Our further analysis of the malware revealed that it did contain AES code, as well as SHA256 and SHA512 hash algorithms. Exact details on how the encryption is done still remain unknown, but it strongly appears that the encryption is done with a stream cipher that is built using AES and hash functions. The fact that the keystream consists of 16 byte blocks also supports the assumption that AES is used to produce the keystream.
Stream ciphers can be strong, but there are some fundamental issues that must be avoided in order to keep the encryption cryptographically secure. One of the most important things is not to use the keystream more than once.
In our analysis, we had samples of both encrypted and plaintext versions of the same files. As the encryption was done by combining the keystream with the plaintext file using the XOR operation, we were able to recover the keystream used to encrypt those files by simply applying XOR between the encrypted file and the plaintext file. We tested this with several samples of the affected files we had and realized that the malware program uses the same keystream to encrypt all the files within the same infection. This was a cryptographic mistake on the malware author's part, as you should never use the keystream more than once.
Further analysis of the encrypted files also revealed that the malware program added 264 bytes of extra data to the end of each encrypted file, and that it only encrypts the first 2MB of the file, leaving the rest intact. If the size of the original file is less then 2MB and if the size is not multiple of 16 bytes, the malware program leaves a few bytes from the end of the file unencrypted (file size modulo 16 to be exact). Only encrypting 2MB from the beginning of the file has probably been a conscious decision of the malware author as it makes it faster to render more files unusable. At the same time it also makes recovering files much easier.
In practice this means that if you have both the original and the encrypted version of a single file that is over 2MB in size the entire keystream can be recovered, which makes it possible to recover all your files encrypted by TorrentLocker.
The exact purpose of the extra 264 bytes that the malware program adds at the end of each file is still unknown, but it seems to be unique for each infection. As it is unique, it allowed us to write a software program that automatically recognizes which keystream has been used to encrypt the files. If the keystream is known then the program can automatically decrypt all the files.
For more information regarding TorrentLocker decryption, please contact the team at NIXU.
Taneli Kaivola, Patrik Nisén and Antti Nuopponen, Nixu Oy