TorrentLocker Ransomware Cracked and Decrypter has been made


357 replies to this topic

#1 Nathan (DecrypterFixer)

  • Security Colleague
  • 1,613 posts
  • Gender:Male
  • Location:Florida

Posted 11 September 2014 - 02:34 AM

 
Update 12/4/14: Dedicated guide with all known information can be found here:

Added new information guide and FAQ:

TorrentLocker (fake CryptoLocker) Ransomware Information Guide and FAQ

Also contains country specific information. If you are from a country listed, or not listed, and have further info please feel free to shoot me a PM.

http://www.bleepingcomputer.com/virus-removal/torrentlocker-cryptolocker-ransomware-information#regions

 

The easy decryption method in TorrentLocker has been fixed by the developer. We have no way of decrypting your files anymore.

--
The Bleeping Computer Staff

 

** Visitors looking for just the Decrypter and not the TorrentLocker analysis can download and read about it at the bottom of the page, or download it from here **



 

[Image: TL_Main.png - Main Startup Window and Ransom Note]



TorrentLocker Decrypted


On Aug. 12th 2014, a new sample was sent to me with the victim claiming it to be CryptoLocker. Upon running and quickly analyzing the exe, I found that it was a new encrypting ransomware (What's new?). This infection claimed to be CryptoLocker, but also used the ransom file format of CryptoWall. I would guess the reason behind this was to instill fear in the victim when infected, as those 2 ransomwares are uncrackable. After running through my normal checks when first getting an encryption infection sample, I started my not so normal ones. I made it an unwritten rule to myself that before trying to figure out hard encryption schemes the infection may use, to always try the easy ones quickly first. This means testing an encrypted file for MD5, SHA-1, RC2, RC4, XOR, bit shift and other lower encryption schemes first. (I started doing this because of CryptorBit's simple encryption that I spent far too long on.)

After going through the list, my jaw about dropped to the floor when I hit XOR. The virus creator of this infection used a simple (and I mean nothing else) XOR algorithm. I found this by taking an encrypted file and XOR'ing its bytes with the good file's bytes. This produced a file with a 2MB key buffered with zeros at the bottom. The zeros happen because the infection only encrypts the first 2MB of files. When taking the 2MB key and XOR'ing it with a different encrypted file, it was successfully decrypted.






[Attachment: Xor Key Sample File (2MB)]


After finding this out, seeing as how it is such a simple mistake, I knew I had to keep it quiet and just build a public application for victims to use without disclosing how it works, as the virus creator would simply fix the issue. So for the last few weeks I have been spending time making the decryption application for the victims, but it seems that a few bloggers didn't feel the same way (Again, what's new?).

2 days ago, the Digital-forensics Blog decided, after also finding out this information, to post publicly that there was a "mistake on the malware author's part", and continued to describe in detail what those mistakes were, and also gave the virus creator some pointers! One thing they did not do though is post a way for any victims to decrypt their files after now alerting the virus creator that he made a mistake.

Since then the story has circled around and has been posted on multiple blogs, making almost certain that if the virus creator didn't know, he does by now.






TorrentLocker Details


To go into a little more detail about this infection: when run, it injects itself into a new instance of Explorer, queries all logical drives, and loops through each drive, encrypting each file it finds that has one of the below extensions and adding .Encrypted to the end.

TorrentLocker Affected Extensions:

*.wb2,*.psd,*.p7c,*.p7b,*.p12,*.pfx,*.pem,*.crt,*.cer,*.der,*.pl,*.py,*.lua,*.css,*.js,*.asp,*.php,*.incpas,*.asm,*.hpp,*.h,*.cpp,*.c,*.7z,*.zip,*.rar,*.drf,*.blend,*.apj,*.3ds,*.dwg,*.sda,*.ps,*.pat,*.fxg,*.fhd,*.fh,*.dxb,*.drw,*.design,*.ddrw,*.ddoc,*.dcs,*.csl,*.csh,*.cpi,*.cgm,*.cdx,*.cdrw,*.cdr6,*.cdr5,*.cdr4,*.cdr3,*.cdr,*.awg,*.ait,*.ai,*.agd1,*.ycbcra,*.x3f,*.stx,*.st8,*.st7,*.st6,*.st5,*.st4,*.srw,*.srf,*.sr2,*.sd1,*.sd0,*.rwz,*.rwl,*.rw2,*.raw,*.raf,*.ra2,*.ptx,*.pef,*.pcd,*.orf,*.nwb,*.nrw,*.nop,*.nef,*.ndd,*.mrw,*.mos,*.mfw,*.mef,*.mdc,*.kdc,*.kc2,*.iiq,*.gry,*.grey,*.gray,*.fpx,*.fff,*.exf,*.erf,*.dng,*.dcr,*.dc2,*.crw,*.craw,*.cr2,*.cmt,*.cib,*.ce2,*.ce1,*.arw,*.3pr,*.3fr,*.mpg,*.jpeg,*.jpg,*.mdb,*.sqlitedb,*.sqlite3,*.sqlite,*.sql,*.sdf,*.sav,*.sas7bdat,*.s3db,*.rdb,*.psafe3,*.nyf,*.nx2,*.nx1,*.nsh,*.nsg,*.nsf,*.nsd,*.ns4,*.ns3,*.ns2,*.myd,*.kpdx,*.kdbx,*.idx,*.ibz,*.ibd,*.fdb,*.erbsql,*.db3,*.dbf,*.db-journal,*.db,*.cls,*.bdb,*.al,*.adb,*.backupdb,*.bik,*.backup,*.bak,*.bkp,*.moneywell,*.mmw,*.ibank,*.hbk,*.ffd,*.dgc,*.ddd,*.dac,*.cfp,*.cdf,*.bpw,*.bgt,*.acr,*.ac2,*.ab4,*.djvu,*.pdf,*.sxm,*.odf,*.std,*.sxd,*.otg,*.sti,*.sxi,*.otp,*.odg,*.odp,*.stc,*.sxc,*.ots,*.ods,*.sxg,*.stw,*.sxw,*.odm,*.oth,*.ott,*.odt,*.odb,*.csv,*.rtf,*.accdr,*.accdt,*.accde,*.accdb,*.sldm,*.sldx,*.ppsm,*.ppsx,*.ppam,*.potm,*.potx,*.pptm,*.pptx,*.pps,*.pot,*.ppt,*.xlw,*.xll,*.xlam,*.xla,*.xlsb,*.xltm,*.xltx,*.xlsm,*.xlsx,*.xlm,*.xlt,*.xls,*.xml,*.dotm,*.dotx,*.docm,*.docx,*.dot,*.doc,*.txt
The virus's import table consists of: NTDLL.DLL, SHLWAPI.DLL, WININET.DLL, CRYPT32.DLL, MAPI32.DLL, KERNEL32.DLL, USER32.DLL, ADVAPI32.DLL, SHELL32.DLL, OLE32.DLL, and OLEAUT32.DLL. The virus actually uses an open source lib to assist in the encryption which is named LibTom. A lot of these bloggers seem to think that the virus creator used AES or another advanced encryption to generate the XOR key, and simply forgot/neglected to use the key with an advanced encryption before using XOR. Yet, the code proves otherwise. The author simply uses a 32 byte seed to generate the 2MB key stream, and it's used to XOR the file. Simple as that.






[Image: TLhex.png - Example of 32 Byte Seed]



File List:




C:\Windows\<Random>.exe - Duplicate infection EXE

*\DECRYPT_INSTRUCTIONS.HTML - Ransomnote (Dropped in any encrypted folder)

%ProgramData%\<Random>\<Random> - Temp file for the infection (No Extension)


Registry List:




HKCU\Software\<Random>\01000000 - Hex of infection

HKCU\Software\<Random>\02000000 - Path to infection exe

HKCU\Software\<Random>\03000000 - UID for infection

HKCU\Software\<Random>\04000000 - HTML Document in hex

HKCU\Software\<Random>\05000000 - Number of infected files


C&C List:




Https://server38.info/gate.php

Note: It is also important to mention that this infection will not infect a computer without contacting its C&C server.


TorrentLocker Decrypter



[Image: torrentunlocker.jpg]




To download TorrentUnlocker, please use the following link:

TorrentLocker De-Ransomware V1.0.5.0

Once the file has been downloaded, run the TorrentUnlocker.exe program. This will open the main window seen above, then simply follow the instructions.

If you need any help with TorrentUnlocker please message me, Nathan (DecrypterFixer)




This is V 1.0.5.0 of TorrentUnlocker De-Ransomware. This software will help you decrypt files that were affected by TorrentLocker. There is a catch though! In order to use this Decrypter, you must have an original version of an encrypted file that is at least 2MB. Let's say I have an image on my DropBox that is untouched by the infection named "Family.jpg" that is over 2MB, and that I had a copy of it on my local computer when the infection hit. To use this app, all I would need is that "Family.jpg" and the "Family.jpg.encrypted" on my local computer.

This application requires .NET 4.0, but has it packaged inside. So if you do not have .Net 4.0, it will install it for you. Even more important is, this application relies on you to give it the correct files to make the TorrentLocker key. That means if you mess up, it messes up. So it is ALWAYS recommended to run this application on a folder with copies of your encrypted files first! Once everything is confirmed to be okay, then you may select your whole drive.

* This application also has step by step guide arrows to help you glide through decrypting your files with ease. If you ever find yourself confused on what the next step is, simply look for the blinking arrow to continue.

A newer version will be coming soon with the following features to help victims more:
  • Resize ability
  • Support for files over 4GB
  • Auto Correct Key detection
Thanks for reading!

Edited by Grinler, 10 December 2014 - 06:02 PM.

Have you performed a routine backup today?
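Nathan's post above describes the recovery in two steps: XOR a known good file with its encrypted copy to obtain the 2MB key stream, then XOR that key stream into any other encrypted file. The Python below is an added illustration of that process, not TorrentUnlocker's code; the key stream, file names and file contents are constructed here (the real key stream is derived from the malware's 32-byte seed, which this example does not model). It also enforces the two facts the post gives: the known-plaintext pair must be at least 2MB, and bytes past 2MB are never touched.

```python
import os

# TorrentLocker XORs only the first 2 MB of a file; everything after is untouched.
ENCRYPTED_PREFIX = 2 * 1024 * 1024


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the big-int trick is fast even at 2 MB)."""
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """plaintext XOR ciphertext over the first 2 MB yields the key stream.

    A pair shorter than 2 MB would expose only a prefix of the key and could
    not decrypt larger files, so it is refused, as is a pair whose bytes past
    2 MB differ (that would not match TorrentLocker's pattern at all).
    """
    if len(original) != len(encrypted):
        raise ValueError("original and encrypted copies differ in length")
    if len(original) < ENCRYPTED_PREFIX:
        raise ValueError("known-plaintext pair must be at least 2 MB")
    if original[ENCRYPTED_PREFIX:] != encrypted[ENCRYPTED_PREFIX:]:
        raise ValueError("data beyond 2 MB differs; not a TorrentLocker pair")
    return xor_bytes(original[:ENCRYPTED_PREFIX], encrypted[:ENCRYPTED_PREFIX])


def decrypt(encrypted: bytes, keystream: bytes) -> bytes:
    """Apply the recovered key stream to another .encrypted file of any size."""
    head = encrypted[:ENCRYPTED_PREFIX]
    # A file shorter than 2 MB uses only as much key as it has bytes; the
    # remainder of a longer file was never encrypted and is copied through.
    return xor_bytes(head, keystream[: len(head)]) + encrypted[ENCRYPTED_PREFIX:]


def demo() -> bool:
    """Constructed walk-through: a random stand-in key stream, a >2 MB
    'Family.jpg' as known plaintext and a smaller second victim file."""
    keystream = os.urandom(ENCRYPTED_PREFIX)          # stand-in, not the real one
    family_jpg = os.urandom(ENCRYPTED_PREFIX + 4096)  # untouched DropBox copy
    report_docx = os.urandom(70_000)                  # a <2 MB file, no clean copy
    # XOR is its own inverse, so decrypt() also models the malware's encryption.
    family_enc = decrypt(family_jpg, keystream)
    report_enc = decrypt(report_docx, keystream)
    recovered = recover_keystream(family_jpg, family_enc)
    return recovered == keystream and decrypt(report_enc, recovered) == report_docx
```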

 


#2 limaces

  • Members
  • 2 posts
  • Gender:Male
  • Location:Kabul

Posted 11 September 2014 - 03:17 AM

C:\Users\Public contains files that Windows 7 installs by default, and that are encrypted by TorrentLocker.

 

They can be used to recover the key stream if you don't have anything else.



#3 AngryHan

  • Members
  • 62 posts

Posted 11 September 2014 - 05:11 AM

 

2 days ago Digital-forensics Blog decided that after also finding out this information, to post it publicly that there was a "mistake on the malware author's part", and continued to describe in detail what those mistakes were, and also gave the virus creator some pointers! One thing they did not do though is post a way for any victims to decrypt their files after now alerting the virus creator that he made a mistake.
 
Since then the story has circled around and has been posted on multiple blogs, making almost certain that if the virus creator didn't know, he does by now.

 

 

Why do they do this, want to show off their knowledge? 



#4 zingo156

  • BC Advisor
  • 3,318 posts
  • Gender:Male

Posted 11 September 2014 - 09:26 AM

Good catch and another good write up decrypterfixer, thanks!


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#5 Grinler (Lawrence Abrams)

  • Admin
  • 42,419 posts
  • Gender:Male
  • Location:USA

Posted 11 September 2014 - 11:18 AM

Why do they do this, want to show off their knowledge?


It's a rush to get the most recognition and page views.

#6 Grinler (Lawrence Abrams)

  • Admin
  • 42,419 posts
  • Gender:Male
  • Location:USA

Posted 11 September 2014 - 04:54 PM

The decrypter posted by limaces has been hidden until the file can be verified. As far as I am concerned, I would never trust a decrypter being hosted on Mega.

#7 acholden

  • Members
  • 1 posts

Posted 12 September 2014 - 08:30 PM

Hi decrypterfixer, thanks so much for posting this - I fell victim to this a couple of days ago and am using your instructions to untangle the mess. Photos and pdfs are working perfectly.

 

However I'm finding it doesn't work too well with MS Office files such as word and excel.  When I try to open them up after running your program, the message says the file is corrupt and then I have to go through a couple of dialog boxes before it finally opens up the document but as a new document rather than the decrypted one.

 

Any thoughts?



#8 rokbi1102

  • Members
  • 3 posts

Posted 13 September 2014 - 12:42 AM

Good day decrypterfixer, I have been infected by CryptoWall but I don't have any backup and good files that are infected, and also the ones that are infected on my PC are not .infected, they are all .pdf, .jpg, so when I use your decrypter it cannot detect my files.

 

Please help me sir decrypterfixer.

 

Thanks



#9 Nathan (DecrypterFixer)

  • Topic Starter
  • Security Colleague
  • 1,613 posts
  • Gender:Male
  • Location:Florida

Posted 13 September 2014 - 11:52 AM

Hi decrypterfixer, thanks so much for posting this - I fell victim to this a couple of days ago and am using your instructions to untangle the mess. Photos and pdfs are working perfectly.

 

However I'm finding it doesn't work too well with MS Office files such as word and excel.  When I try to open them up after running your program, the message says the file is corrupt and then I have to go through a couple of dialog boxes before it finally opens up the document but as a new document rather than the decrypted one.

 

Any thoughts?

 

Yes, the virus creator of this infection was extremely lazy and when XOR'ing, messed up a few bytes (anywhere from 4-8) at the end of files that are less than 2MB. Even if you had bought the decrypter from the virus creator this would be an issue sadly. But, if you open the newly decrypted file in a hex editor, and the old encrypted file, sometimes you can recover these bytes.

 

If you want, I can take a look at a few for you.


Have you performed a routine backup today?

#10 Nathan (DecrypterFixer)

  • Topic Starter
  • Security Colleague
  • 1,613 posts
  • Gender:Male
  • Location:Florida

Posted 13 September 2014 - 12:13 PM

Good day decrypterfixer, I have been infected by CryptoWall but I don't have any backup and good files that are infected, and also the ones that are infected on my PC are not .infected, they are all .pdf, .jpg, so when I use your decrypter it cannot detect my files.

 

Please help me sir decrypterfixer.

 

Thanks

 

You will need an encrypted file and the original version of it that is at least 2MB. If you are having trouble looking for an encrypted file, please use the search feature in Windows to search for .encrypted; when you do, simply order them by size to see what the largest encrypted file you have is.


Have you performed a routine backup today?

#11 rokbi1102

  • Members
  • 3 posts

Posted 14 September 2014 - 01:52 AM

Thanks for the reply sir. Unfortunately sir, all my files are encrypted but all extensions are the same. I already tried to search for .encrypted but I didn't find a single file.



#12 Nathan (DecrypterFixer)

  • Topic Starter
  • Security Colleague
  • 1,613 posts
  • Gender:Male
  • Location:Florida

Posted 14 September 2014 - 02:02 AM

Sorry to say then, but you have CryptoWall, and this fix won't work.


Have you performed a routine backup today?

#13 rokbi1102

  • Members
  • 3 posts

Posted 14 September 2014 - 03:46 AM

Is there anything that I can do to retrieve my files?



#14 patandmick

  • Members
  • 1 posts

Posted 16 September 2014 - 12:30 AM

Thanks Decryptorfixer. Worked a treat.

 

Donation of $25 USD sent in appreciation of your tireless efforts. Wish I could afford more...



#15 Nathan (DecrypterFixer)

  • Topic Starter
  • Security Colleague
  • 1,613 posts
  • Gender:Male
  • Location:Florida

Posted 16 September 2014 - 12:36 AM

I'm very glad the application worked for you :), and thank you for the donation!


Have you performed a routine backup today?



