A deadly ‘Ransomware’ malware is infecting BitTorrent users. A blog report published by iSIGHT Partners says that this ransomware dubbed as TorrentLocker by them is a file encryptor.  Once it infects the system, it encrypts almost all important files and folders using Rijndael algorithm (symmetric cipher).  The malware then sends a ransom message which informs the victim that that their files have been encrypted by the “CryptoLocker virus,” and the ransom page.  iSIGHT Partners also noted that the FAQ section of this malware is similar to CryptoWall malware.
iSIGHT Partners have dubbed the ransomware ‘TorrentLocker’ because its configuration resides in the Windows Registry in HKCUSoftwareBit Torrent ApplicationConfiguration.  The researchers said that they couldnt find evidence of this malware being sold on  underground forums on Tor as of today.
As of now TorrentLocker malware is being distributed via spam messages and the victims are users based in Australia. As with other ransomware, the ransom fee is to be paid in Bitcoin but the amount shown on the ransom message is in Australian Dollars. Furthermore, the recommended Bitcoin sellers are all located in Australia. Richard Hummel of iSIGHT Partners said that, “It may also cause victims to assume that their files are encoded in RSA-2048, a possibly more secure encryption method than the Rijndael algorithm used to encrypt files in TorrentLocker.”  The key pointed noticed in this malware by iSIGHT Partners are :

  1. TorrentLocker uses themes and naming from CryptoLocker and CryptoWall ransomware, but is very different at the code level and believed to be a new strain of ransomware.
  2. The malware first connects to a command and control (C&C) server over secure communications and exchanges a certificate before encrypting the malware. 
  3. The malware uses the Rijndael algorithm for file encryption. This is a symmetric cipher and will use a password either stored locally or retrieved from the remote attackers’ server for encryption.
The fact that TorrentLocker is spoofing CryptoLocker has made the researcher believe that it will be as notorious as CryptoLocker but on the other hand it may also be easy to disrupt it.  As was the case with CryptoLocker, the TorrentLocker also communicates with the command and control server before attempting to encrypt the files. So if the AV and security firms take down the command and control server, the TorrentLocker will fall apart because without communicating with the C&C server it will not encrypt the files.
Reader will remember that the CryptoLocker was killed using the same technique and researchers from FireEye and Fox-IT also launched a free service called ‘DecryptoLocker’ which helped the victims to recover their encrypted files which were encrypted by the notorious CryptoLocker.