
TorrentLocker now uses stronger encryption due to tips from security researchers


20 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,071 posts
  • Gender:Male
  • Location:USA

Posted 17 September 2014 - 10:40 AM

When you tell a programmer, even a malware developer, what is wrong with their program, it makes sense that they are going to fix it. Unfortunately, it seems that the malware devs behind the TorrentLocker ransomware were listening, because as of yesterday they started using a new encryption method. Yesterday, reports started trickling into our forums about people who were infected with the latest version of TorrentLocker and were unable to use Nathan Scott's TorrentLocker decryption tool to decrypt their files. After Nathan, aka decrypterfixer, examined a recent sample, it appears that the malware developer has changed the encryption method being used from an easily decrypted XOR routine to an unbreakable one that now includes AES.

 

[image: torrentlocker-v2.jpg]



To all malware researchers, if you analyze a malware sample and find a flaw in the program that is going to help victims recover their files, please shut the hell up. Yes, I get it. You want the publicity and you want the page impressions, but in reality all of the press and publicity are simply hurting the people you are trying to protect. Instead, you could have easily gotten the attention you wanted by releasing a decryption program or helping people behind the scenes until the malware developer figured out what was wrong by themselves. By publicly releasing the information and giving tips on how the malware developer should properly code their ransomware, you are guaranteeing that they will fix their coding flaws and release a more dangerous program.

This has obviously been shown with TorrentLocker where three researchers recently disclosed in a blog post the flaws in the TorrentLocker encryption method. In fact they went so far as to actually give tips on how to make the encryption more secure. What happened after this blog post? The devs put out a new variant that uses a stronger encryption method and makes it so we can't help people recover their files for free. This same issue also happened with the CryptoDefense ransomware. Fabian Wosar, a security researcher of Emsisoft, had discovered a flaw in the ransomware where the private encryption keys were being left behind on the victim's computers. He was then privately helping CryptoDefense victims through email at his company and via private messages on various forums, including BleepingComputer.com. That was until Symantec decided to blog about this flaw and thus alerted the malware developer of his mistake. What happened next? A new variant of CryptoDefense was released with the flaw fixed.

In summary, if you are a security researcher and discover a flaw that may help people recover their items for free, please do not immediately disclose the details. Instead, try to help people as long as you can with a decryption tool and only disclose when the authors figure out the flaw themselves. By disclosing the information too soon, you are benefiting yourself at the expense of the victims.



 


#2 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 17 September 2014 - 10:48 AM

This article is spot on. No one can sugar coat the issue any longer. How are we supposed to help the victims of this infection if we are battling the authors of the malware and every other malware researcher too?

 

Malware analysts are dropping the ball here, and at the expense of victims.


Edited by decrypterfixer, 17 September 2014 - 10:51 AM.

Have you performed a routine backup today?

#3 computerxpds

computerxpds

    Bleepin' Comp


  • Moderator
  • 4,407 posts
  • Gender:Male
  • Location:USA

Posted 17 September 2014 - 11:11 AM

Whatever happened to the people that used to do things because it was fun or it helped people, and not for themselves? I give immense credit to all of the users here that help people keep their machines secure for free. It's a shame others must go out and ruin it for the rest of us by hindering the progress of the helpers here.



#4 Emphyrio

Emphyrio

    Security Colleague


  • Security Colleague
  • 110 posts
  • Gender:Male
  • Location:Belgium

Posted 17 September 2014 - 11:43 AM

Hoi Grinler,

 

To all malware researchers, if you analyze a malware sample and find a flaw in the program that is going to help victims recover their files, please shut the hell up. Yes, I get it. You want the publicity and you want the page impressions, but in reality all of the press and publicity are simply hurting the people you are trying to protect. Instead, you could have easily gotten the attention you wanted by releasing a decryption program or helping people behind the scenes until the malware developer figured out what was wrong by themselves. By publicly releasing the information and giving tips on how the malware developer should properly code their ransomware, you are guaranteeing that they will fix their coding flaws and release a more dangerous program.

 

You mean don't publish something like this: http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/

It's even on Bleeping Computer FB too :(

 

I prefer malware research being kept in "hidden" fora  ;)  :)


Edited by Emphyrio, 17 September 2014 - 11:47 AM.

Emphyrio

Malware Research Engineer

 


 

ASAP & Unite Member   *   E Dev 

 

 


#5 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 17 September 2014 - 11:46 AM

Hoi Grinler,

 

To all malware researchers, if you analyze a malware sample and find a flaw in the program that is going to help victims recover their files, please shut the hell up. Yes, I get it. You want the publicity and you want the page impressions, but in reality all of the press and publicity are simply hurting the people you are trying to protect. Instead, you could have easily gotten the attention you wanted by releasing a decryption program or helping people behind the scenes until the malware developer figured out what was wrong by themselves. By publicly releasing the information and giving tips on how the malware developer should properly code their ransomware, you are guaranteeing that they will fix their coding flaws and release a more dangerous program.

 

You mean don't publish something like this: http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/

 

I prefer malware research being kept in "hidden" fora  ;)  :)

 

 

Na, that's not what Lawrence means. This was a write-up I collaborated with Lawrence on to release, because I had been working on a decrypter for all victims of TorrentLocker for a few days, and then other researchers (in the above article) released all the information, and even gave them tips. Thus, I released all my compiled information, and even a tool to decrypt the files for free.

 

Did you read my article before you linked to it? 


Have you performed a routine backup today?

#6 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,071 posts
  • Gender:Male
  • Location:USA

Posted 17 September 2014 - 11:51 AM

You mean don't publish something like this: http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/
It's even on Bleeping Computer FB too :(
 
I prefer malware research being kept in "hidden" fora  ;)  :)


As Nathan already stated, we only released that info because it was already publicly posted and all over the press.

#7 Emphyrio

Emphyrio

    Security Colleague


  • Security Colleague
  • 110 posts
  • Gender:Male
  • Location:Belgium

Posted 17 September 2014 - 12:03 PM

Of course I read your article, Nathan :)

 

I meant especially this quote:
 

After going through the list, my jaw about dropped to the floor when I hit XOR.

The virus creator of this infection used a simple (and I mean nothing else) XOR algorithm.

 

 

(I was even surprised myself that the mask was that simple)

 

Still, it's a damn shame, if I may say so, that "they" didn't keep their mouths shut.
This malware and all its variants are a pain in the ass.


Edited by Emphyrio, 17 September 2014 - 12:03 PM.

Emphyrio

Malware Research Engineer

 


 

ASAP & Unite Member   *   E Dev 

 

 


#8 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 17 September 2014 - 12:10 PM

Of course I read your article, Nathan :)

 

I meant especially this quote:
 

After going through the list, my jaw about dropped to the floor when I hit XOR.

The virus creator of this infection used a simple (and I mean nothing else) XOR algorithm.

 

 

(I was even surprised myself that the mask was that simple)

 

Still, it's a damn shame, if I may say so, that "they" didn't keep their mouths shut.
This malware and all its variants are a pain in the ass.

 

At the point of me writing the article, the damage had already been done. So with the release of the decrypter, I pointed out a few things that other bloggers got wrong, and other things that happened during the course of an analysis. As I have said before, if other bloggers didn't release all the information and even tips, then the only thing that would have been on that page is a decrypter and "Enjoy". But sadly, that never happens, because other sites always want that first shot.

 

It is a shame, because now new victims of this infection are stuck, all for one little article that won't matter in a week. I'm doing a deep analysis of V2 of TorrentLocker now. Last week I reversed 4 different encryption infections. 4 new ones in a week! These things absolutely are a pain in the ass, but what is worse is that every time I reverse something and I find a fix for it, I have to wonder if I should even make an app, because by the time I'm finished some blogger will ruin it.

 

As I said previously, not only am I fighting ransomware and its creators, I'm fighting other malware analysts.


Have you performed a routine backup today?
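The technical point the whole thread turns on is the one Nathan's quoted article makes: the first TorrentLocker used a plain XOR mask, which is why a free decrypter was possible at all, while the new variant's AES is not recoverable that way. The following Python is an added illustration of that point; it is not code from the thread, from TorrentLocker, or from the decrypter the posters mention. The 16-byte mask, the three sample files and the scenario (the victim still holds one untouched copy of a file) are all constructed for the demo; the real mask length and scheme are not stated on this page.

```python
"""Why a fixed XOR mask is recoverable from a single known file.

Added illustration for this thread. It is not TorrentLocker code and not the
decrypter discussed above; every value below is constructed for the demo.
"""
from itertools import cycle
from typing import Dict, Tuple

# Constructed 16-byte mask standing in for whatever a real sample used.
DEMO_MASK = bytes.fromhex("5a3c9e1172f0b8d4c61a0e8f27b35de9")

# Real file-format magic prefixes, used only as a sanity check on the output.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}


def xor_with_mask(data: bytes, mask: bytes) -> bytes:
    """Repeating-mask XOR. The same call both scrambles and restores."""
    return bytes(b ^ m for b, m in zip(data, cycle(mask)))


def recover_mask(ciphertext: bytes, plaintext: bytes, mask_len: int) -> bytes:
    """C = P xor M, so M = C xor P: one known pair of mask_len bytes leaks the mask."""
    if min(len(ciphertext), len(plaintext)) < mask_len:
        raise ValueError("need at least mask_len bytes of matching plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:mask_len], plaintext[:mask_len]))


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes; 'unknown' for scrambled or unrecognised data."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def recover_files(encrypted: Dict[str, bytes], ref_name: str, ref_plain: bytes,
                  mask_len: int) -> Dict[str, bytes]:
    """Derive the mask from one reference file, then apply it to every encrypted file."""
    mask = recover_mask(encrypted[ref_name], ref_plain, mask_len)
    return {name: xor_with_mask(ct, mask) for name, ct in encrypted.items()}


def demo() -> Tuple[Dict[str, str], bool]:
    """Constructed scenario: three files hit by the same mask, one untouched copy kept."""
    originals = {
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01\x00\x00\x00\x01\x00\x08\x06",
        "notes.zip": b"PK\x03\x04\x14\x00\x00\x00\x08\x00\x00\x00\x00\x00notes.txt contents",
    }
    encrypted = {name: xor_with_mask(p, DEMO_MASK) for name, p in originals.items()}
    # The victim still has the original report.pdf (backup or e-mail attachment);
    # that single pair is enough to recover the mask and with it every other file.
    recovered = recover_files(encrypted, "report.pdf", originals["report.pdf"], len(DEMO_MASK))
    types = {name: sniff_type(data) for name, data in recovered.items()}
    return types, recovered == originals


if __name__ == "__main__":
    types, ok = demo()
    print("all files restored byte-for-byte:", ok)
    for name, kind in types.items():
        print(f"{name}: {kind}")
```

Because XOR is its own inverse, a single original/scrambled pair leaks the entire mask, and every other file processed with that same mask falls with it; the magic-byte check is the sanity test a recovery tool would run before writing anything back to disk. With a properly used cipher such as AES, knowing one plaintext/ciphertext pair does not hand you anything you can reuse on the next file, which is what the posters mean when they say the new variant is out of reach.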

#9 Emphyrio

Emphyrio

    Security Colleague


  • Security Colleague
  • 110 posts
  • Gender:Male
  • Location:Belgium

Posted 17 September 2014 - 12:14 PM

I respect your hard work, Nathan and I hope you keep on fighting the "bad" guys.

 

Patrick :)


Emphyrio

Malware Research Engineer

 


 

ASAP & Unite Member   *   E Dev 

 

 


#10 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 17 September 2014 - 12:15 PM

Much obliged, Patrick. This community is a rare one, and I'm happy to be a part of it.


Have you performed a routine backup today?

#11 malwareanalyzr

malwareanalyzr

  • Members
  • 5 posts

Posted 17 September 2014 - 04:13 PM

http://www.isightpartners.com/2014/09/torrentlocker-new-variant-observed-wild/



#12 IllusionEclipse

IllusionEclipse

  • Members
  • 202 posts
  • Gender:Male
  • Location:Chillin in my Compspace

Posted 17 September 2014 - 10:07 PM

Ugh, I'm about ready to throw my iPhone across the room in annoyance... It really boggles me that people don't choose the common-sense route and keep it private enough that it doesn't get leaked to the malware writer.

It's the equivalent to placing a 20m large flashing neon sign saying "hey dipstick! You forgot to close the gap!" -.-

An illusion is as real as the person who sees it, but wouldn't that be an illusion in and of itself?


#13 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,071 posts
  • Gender:Male
  • Location:USA

Posted 19 September 2014 - 11:14 AM

We have created a dedicated thread for TorrentLocker support and discussion here:

TorrentLocker Support and Discussion Thread (CryptoLocker copycat)

#14 svenskenr

svenskenr

  • Members
  • 32 posts
  • Gender:Male
  • Location:Southeastern PA, USA

Posted 20 September 2014 - 08:14 PM

As the French say, "Plus ça change, plus c'est la même chose." Or, as King Solomon said in Proverbs, "there is nothing new under the sun."

 

I was recently reading Solzhenitsyn's historical novel, "August 1914," (part of "The Red Wheel"). He tells how the Imperial (pre-Soviet) Russian Army so poorly understood radio - newly introduced to the battlefield - that they were making uncoded transmissions of strategic orders. When Solzhenitsyn's main character, a colonel named Vorotyntsev, who is traveling around the front lines investigating military (in)effectiveness, calls them on it, the radio officers say, "But the Germans can't really be listening all the time, can they?" [This probably actually happened, because the novel ends with a hearing by the General Staff and a reference to Vorotyntsev's having written a full report of his investigations.]

 

I assume your reaction is much like mine - "...especially the Germans??..."

 

No further explanation needed, I hope.



#15 HeeHaw5130

HeeHaw5130

  • Members
  • 50 posts

Posted 25 September 2014 - 02:11 AM

"Never correct your enemy when he is making a mistake."  -Napoleon Bonaparte





