TorrentLocker unpicked: Crypto coding shocker defeats extortionists


Crooks have borked the encryption behind the TorrentLocker ransomware, meaning victims can avoid paying the extortionists and unlock their data for free.

TorrentLocker was regarded as the demonic spawn of CryptoLocker and CryptoWall which made killings last year by encrypting valuable data owned by individuals and organisations.

Research trio Taneli Kaivola, Patrik Nisén and Antti Nuopponen of Finnish consultancy Nixu said victims could break the ransomware if they had a plaintext backup of any of their now-encrypted files.

"In practice this means that if you have both the original and the encrypted version of a single file that is over 2MB in size, the entire keystream can be recovered which makes it possible to recover all your files encrypted by TorrentLocker," the trio write.

"As the encryption was done by combining the keystream with the plaintext file using the XOR operation, we were able to recover the keystream used to encrypt those files by simply applying XOR between the encrypted file and the plaintext file.

"We tested this with several samples of the affected files we had and realised that the malware program uses the same keystream to encrypt all the files within the same infection. This was a cryptographic mistake on the malware author's part, as you should never use the keystream more than once."

TorrentLocker appended 264 bytes of junk data to each encrypted file and only encrypted the first 2MB of the file, leaving any data beyond that point untouched.

The researchers suspected the 2MB limit was a deliberate strategy to make TorrentLocker faster, which the malware's developers may not have known would also weaken its security.

The mystery 264 bytes were unique to each infection, meaning the researchers could write a tool that recognises which infection's keystream applies to a file and decrypts the affected files.
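The passages above describe a two-step recovery: XOR a known plaintext against its ciphertext to get the keystream, then apply that keystream to every other file from the same infection. The following is an added worked example, written for this page and not code from the Nixu researchers or from the article. It simulates the scheme as described (first 2MB XORed with a per-infection keystream, remainder untouched, 264-byte trailer appended) rather than TorrentLocker's real file format; the exact byte count behind "2MB" is assumed to be 2 MiB, the trailer is treated as opaque bytes, and all files and keystreams are constructed at random. It also covers the edge case the researchers' 2MB condition implies: a known file smaller than the limit yields only a keystream prefix, which decrypts files no larger than itself.

```python
import secrets

# Parameters from the article: only the first 2MB of a file is encrypted and
# 264 bytes of per-infection data are appended. The exact value behind "2MB"
# is an assumption here (2 MiB); the trailer's content is treated as opaque.
ENCRYPT_LIMIT = 2 * 1024 * 1024
TRAILER_LEN = 264


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the big-int trick keeps this fast on MB inputs)."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def simulate_infection(plaintext: bytes, keystream: bytes, trailer: bytes) -> bytes:
    """Toy model of the described scheme: XOR the first ENCRYPT_LIMIT bytes with the
    (reused) keystream, leave the rest untouched, append the per-infection trailer.
    This is a simulation for illustration, not TorrentLocker's real file format."""
    head = plaintext[:ENCRYPT_LIMIT]
    return xor_bytes(head, keystream[:len(head)]) + plaintext[ENCRYPT_LIMIT:] + trailer


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Recover the keystream from one file known in both forms (ciphertext XOR plaintext).
    Returns min(len(plaintext), ENCRYPT_LIMIT) bytes: a file over 2MB yields the whole
    keystream, a smaller file only a prefix that decrypts files up to its own size."""
    body = ciphertext[:-TRAILER_LEN]
    if len(body) != len(plaintext):
        raise ValueError("ciphertext body and plaintext lengths differ; wrong file pair?")
    n = min(len(plaintext), ENCRYPT_LIMIT)
    return xor_bytes(plaintext[:n], body[:n])


def recover_trailer(ciphertext: bytes) -> bytes:
    """The per-infection trailer lets a tool recognise files from the same infection."""
    return ciphertext[-TRAILER_LEN:]


def decrypt(ciphertext: bytes, keystream: bytes, trailer: bytes) -> bytes:
    """Decrypt a file from the same infection with the recovered keystream."""
    if recover_trailer(ciphertext) != trailer:
        raise ValueError("trailer mismatch: file is not from this infection")
    body = ciphertext[:-TRAILER_LEN]
    head = body[:ENCRYPT_LIMIT]
    if len(keystream) < len(head):
        raise ValueError(
            f"recovered keystream too short: need {len(head)} bytes, have {len(keystream)}")
    return xor_bytes(head, keystream[:len(head)]) + body[ENCRYPT_LIMIT:]


def demo() -> dict:
    """Constructed scenario: one infection, four files, one of them also held in a backup."""
    keystream = secrets.token_bytes(ENCRYPT_LIMIT)  # stands in for the malware's keystream
    trailer = secrets.token_bytes(TRAILER_LEN)       # stands in for the 264-byte junk data
    backed_up = secrets.token_bytes(ENCRYPT_LIMIT + 4096)  # > 2MB, original still on a backup
    victims = [
        secrets.token_bytes(1000),                # small document
        secrets.token_bytes(ENCRYPT_LIMIT),       # exactly at the limit
        secrets.token_bytes(3 * ENCRYPT_LIMIT),   # large file: only its first 2MB was encrypted
    ]
    encrypted = [simulate_infection(p, keystream, trailer) for p in [backed_up] + victims]

    # Step 1: full keystream from the >2MB file we have in both forms.
    ks = recover_keystream(backed_up, encrypted[0])
    tr = recover_trailer(encrypted[0])
    # Step 2: the same keystream unlocks every other file from this infection.
    recovered_all = all(decrypt(c, ks, tr) == p for c, p in zip(encrypted[1:], victims))

    # Edge case: a known file under 2MB only yields a keystream prefix.
    ks_small = recover_keystream(victims[0], encrypted[1])
    small_ok = decrypt(encrypted[1], ks_small, tr) == victims[0]
    try:
        decrypt(encrypted[2], ks_small, tr)
        big_with_small = True
    except ValueError:
        big_with_small = False

    return {
        "full_keystream_len": len(ks),
        "recovered_all": recovered_all,
        "partial_keystream_len": len(ks_small),
        "partial_decrypts_small": small_ok,
        "partial_decrypts_big": big_with_small,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is the one the researchers make: with a one-time keystream the XOR in `recover_keystream` would give an attacker-useless key for exactly one file, but because the keystream is reused for every file in the infection, a single known plaintext of sufficient length is enough to undo all of them. The trailer check in `decrypt` mirrors the role of the 264 unique bytes, tying a recovered keystream to the infection it came from.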
