TorrentLocker, a widespread ransomware, has been cracked by Finnish security researchers. CryptoLocker and CryptoWall encrypt files on a victim’s machine and then demand a ransom: the victim has to pay to get the decryption software that can decrypt the files.
TorrentLocker was regarded as the demonic spawn of CryptoLocker and CryptoWall, which made killings last year by encrypting valuable data owned by individuals and organisations.
Research trio Taneli Kaivola, Patrik Nisén and Antti Nuopponen of Finnish consultancy Nixu Watson said victims could break the ransomware if they had a plaintext backup of any of their now-encrypted files.
The researchers explain how TorrentLocker uses XOR to encrypt files. XOR is a very simple operation between two sequences of bits: each output bit indicates whether the two corresponding input bits differ. If they do, the output bit is 1; otherwise it is 0.
In the case of a file A, seen as a series of bits, TorrentLocker uses a keystream K to produce A ⊕ K and stores this as the encrypted file, while the original file is discarded. If the keystream K is pseudo-randomly generated, the ‘adversary’ (in this case, someone trying to retrieve the files) has no way of recovering the content of A from the encrypted file alone.
XOR is a very simple and fast operation with the convenient property that (A ⊕ K) ⊕ K = A, so decryption is easy for anyone who possesses the keystream K. By the same token, A ⊕ (A ⊕ K) = K: anyone holding both a file and its encrypted version can recover the keystream, and if that keystream was reused for every file, every file can be decrypted with it.
“In practice this means that if you have both the original and the encrypted version of a single file that is over 2MB in size, the entire keystream can be recovered, which makes it possible to recover all your files encrypted by TorrentLocker,” the researchers said.
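The following script is an added illustration of the known-plaintext recovery the researchers describe; it is not code from the Nixu writeup or from this article, and it does not interact with the malware. Everything in it is constructed: the keystream is 64 bytes instead of the 2MB the article cites, the keystream is assumed to be fixed-length (bytes of a file beyond it pass through unchanged), and the "victim" files are made-up strings. The functions `xor_bytes`, `encrypt`, `decrypt`, `recover_keystream` and `demo` are names chosen here, not anything from TorrentLocker.

```python
"""Known-plaintext recovery of a reused XOR keystream, as described for TorrentLocker.
Constructed example: keystream length, keystream contents and file contents are
assumptions for illustration, not values taken from the malware or the article."""
import os
from typing import Dict, Optional

KEYSTREAM_LEN = 64  # assumption for this example; the article puts the real keystream above 2MB


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """XOR `data` with `keystream` byte by byte.
    Modelling assumption: the keystream has a fixed length, so any bytes of `data`
    beyond that length are passed through unchanged."""
    n = min(len(data), len(keystream))
    return bytes(a ^ k for a, k in zip(data, keystream[:n])) + data[n:]


def encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    return xor_bytes(plaintext, keystream)          # A ⊕ K


def decrypt(ciphertext: bytes, keystream: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream)         # (A ⊕ K) ⊕ K = A


def recover_keystream(known_plaintext: bytes, known_ciphertext: bytes,
                      keystream_len: int = KEYSTREAM_LEN) -> bytes:
    """A ⊕ (A ⊕ K) = K: a plaintext backup and its encrypted twin reveal the
    keystream, but only for as many bytes as the known file is long (capped at
    the keystream length, since bytes past it were never encrypted)."""
    return bytes(a ^ c for a, c in zip(known_plaintext[:keystream_len],
                                        known_ciphertext[:keystream_len]))


def demo(keystream: Optional[bytes] = None) -> Dict[str, bool]:
    """Walk through both outcomes: a known file longer than the keystream (full
    recovery) and a known file shorter than it (only a prefix is recovered)."""
    if keystream is None:
        keystream = os.urandom(KEYSTREAM_LEN)   # stands in for the pseudo-random K

    # Constructed "victim" files: one has a plaintext backup, one does not.
    backup = b"Quarterly report: revenue up 12%, headcount flat. " * 2   # 100 bytes > KEYSTREAM_LEN
    other = b"Dear customer, your invoice is attached."                   # 40 bytes < KEYSTREAM_LEN
    enc_backup = encrypt(backup, keystream)
    enc_other = encrypt(other, keystream)

    # Case 1: the known file is longer than the keystream, so all of K comes back
    # and every other file encrypted with the same K can be decrypted.
    full_k = recover_keystream(backup, enc_backup)
    full_recovery_ok = full_k == keystream and decrypt(enc_other, full_k) == other

    # Case 2: the only known file is shorter than the keystream; only a prefix of K
    # is recovered, so longer files decrypt correctly only up to that prefix.
    partial_k = recover_keystream(other, enc_other)
    partly = decrypt(enc_backup, partial_k)
    cut = len(partial_k)
    partial_prefix_ok = partly[:cut] == backup[:cut]
    partial_tail_ok = partly[cut:KEYSTREAM_LEN] == backup[cut:KEYSTREAM_LEN]

    return {
        "full_recovery_ok": full_recovery_ok,
        "partial_prefix_ok": partial_prefix_ok,
        "partial_tail_ok": partial_tail_ok,   # False unless K happens to be all zeros there
    }


if __name__ == "__main__":
    print(demo())
```

The length check in `demo` is the point behind the "over 2MB" condition in the quote: the recovered keystream is exactly as long as the known plaintext, so a backup shorter than the keystream only yields a prefix, and other files come back clean only up to that prefix. The same reasoning is why a stream cipher keystream must never be reused across messages.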
Via - Sans Digital Forensics Blog