When taking the 2MB key and XOR'ing it with a different encrypted file, it was successfully decrypted.Īfter finding this out, seeing as how it is such a simple mistake, I knew I had to keep it quite and just build a public application for victims to use without disclosing how it works, as the virus creator would simply fix the issue. The zeros happen because the infection only encrypts the first 2MB of files. This produced a file with a 2MB key buffered with zero's at the bottom. I found this by taking a encrypted file and XOR'ing its bytes with the good files bytes. The virus creator of this infection used a simple (and I mean nothing else) XOR algorithm.
(I started doing this because of Cryptorbits simple encryption that I spent far to long on.)Īfter going through the list, my jaw about dropped to the floor when I hit XOR. This means testing a encrypted file for MD5, SHA-1, RC2, RC4, XOR, Bit Shift and other lower encryption schemes first. I made it a unwritten rule to myself that before trying to figure out hard encryption schemes the infection may use, to always try the easy ones quickly first. After running through my normal checks when first getting a Encryption infection sample, I started my not so normal ones. I would guess the reason behind this was to gain fear in the victim when infected as those 2 Ransomware's are uncrackable. This infection claimed to be Cryptolocker, but also used the Ransom File Format of Cryptowall. Upon running and quickly analyzing the exe, I found that it was a new Encrypting Ransomware (Whats new?). 12th 2014, a new sample was sent to me with the victim claiming it to be CryptoLocker. ** Visitors looking for just the Decrypter and not the TorrentLocker Analysis can Download and read about it at the bottom of the page or download it from Here ** We have no way of decrypting your files anymore. The easy decryption method in TorrentLocker has been fixed by the developer.
If you are from a country listed, or not listed, and have further info please feel free to shoot me a PM. TorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQĪlso contains country specific information. Update 12/4/14: Dedicated guide with all known information can be found here:
0 kommentar(er)
