Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New CryptoTorLocker2015 Ransomware discovered and easily decrypted


  • Please log in to reply
39 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,007 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:36 PM

Posted 29 January 2015 - 04:11 PM

As ransomware infections continue to evolve with more sophisticated technology and payment systems, today we introduce a new one called CryptoTorLocker2015 that throws all of these advances out the window. A member recently posted about CryptoTorLocker 2015 on our forums and I was able to track down a sample of the installer. Once installed, I could only stare at its barely intelligible ransom note, patched together wallpaper image, static payment address, and easily defeated XOR encryption. Unfortunately, people have paid the ransom from this infection, which means ransomware doesn't have to look pretty to make money.

It is unsure how CryptoTorLocker 2015 is installed on a system, but once installed it will scan your computer and infect any data files and shortcuts that it finds. As it encrypts each file, it will append .CryptoTorLocker2015! to the end of each filename. So a file called invoice.doc would become invoice.doc.CryptoTorLocker2015!. It will also create a ransom note called HOW TO DECRYPT FILES.txt in each directory it encounters. The text of the ransom note is below. Please note that this ransom note was actually written this way.
 
Your important files strong encryption RSA-2048 produces on this computer:Photos,Videos,documents,usb disks etc.Here is a complete list of encrypted files,and you can personally verify this.CryptoTorLocker2015! which is allow to decrypt and return control to all your encrypted files.To get the key to decrypt files you have to pay 0.5 Bitcoin 100$ USD/EUR.
Just after payment specify the Bitcoin Address.Our robot will check the Bitcoin ID and when the transaction will be completed, you'll receive activation,Purchasing Bitcoins,Here our Recommendations 1. Localbitcoins.com This is fantastic service,Coinbase.com Exchange,CoinJar =Based in Australia,We Wait In Our Wallet Your Transaction
WE GIVE YOU DETAILS! Contact ME if you need help My Email = information@jupimail.com AFTER YOU MAKE PAYMENT BITCOIN YOUR COMPUTER AUTOMATIC DECRYPT PROCEDURE START! YOU MUST PAY Send 0.5 BTC To Bitcoin Address: 1KpP1YGGxPHKTLgET82JBngcsBuifp3noW
When it has finished encrypting your data it will then change your wallpaper to a patchwork of images copied from other ransomware infections. If anything, it may be worth paying the ransom so you do not have to look at this wallpaper anymore.
 

wallpaper.jpg


Finally, the infection will display another alert about your files being encrypted and then displays a password prompt. Supposedly if you paid the ransom, the developer would send you a password, which you would enter to decrypt your files.
 

password-prompt.jpg


The fact that there was no discernable network traffic when it was installed indicated that the decryption key was built into the executable itself or stored somewhere on the computer. Also a password prompt hinted that it may be possible to patch the executable to make it think that any password entered was the correct one in order to begin the decryption process. When security researcher Nathan Scott looked at the executable, he confirmed that you could simply bypass the password to begin decrypting, but even better it was using XOR encryption. Once this was discovered he was able to quickly find the XOR key and whip up a decrypter for anyone who was affected.

With that said, for those who are infected with CryptoTorLocker2015, you can easily decrypt your files by downloading and running Nathan Scott's decrypter. It should be noted that some anti-virus programs are detecting this infection based on its CryptoTorLocker2015 name and as that same string is used in the decrypter, some AV programs may detect it as malicious. This is a false positive, but if you are concerned about the safety of the decryption tool, you can always copy your encrypted data to a virtual machine and run the decrypter from there.

The decrypter can be downloaded from this link: http://ransomwareanalysis.com/CT2015_Decrypter.zip

Once you start the decrypter, select a folder to scan and any encrypted files will be decrypted. When using the tool, it is suggested that you select the root of the drive such as C:\ and let the decrypter recursively scan your entire drive. If you are finding that some files, most likely shortcuts, are not properly being decrypted, you should run the program with Administrator privileges.
 

decrypter.jpg


As always, if you have any questions, please feel free to post them here.



Known CryptoTorLocker2015 Ransomware Files:
 
%Temp%\HOW TO DECRYPT FILES.txt
%Temp%\<random>.bmp
%Temp%\<random>.exe
Known CryptoTorLocker2015 Ransomware Registry keys:



HKLM\SOFTWARE\Classes\.CryptoTorLocker2015!
HKLM\SOFTWARE\Classes\.CryptoTorLocker2015!\@	= "PRPASCBHJSZLMOM"
HKLM\SOFTWARE\Classes\PRPASCBHJSZLMOM\@	= "CRYPTED!"
HKLM\SOFTWARE\Classes\PRPASCBHJSZLMOM\DefaultIcon\@ = "%Temp%\<random>.exe,0"
HKLM\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command\@ = "%Temp%\<random>.exe"
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter	= "%Temp%\<random>.exe"
HKCU\Control Panel\Desktop\Wallpaper = "%Temp%\<random>.bmp"
Host File Modifications:



93.189.44.187 dmidybmfxsaq.biz
93.189.44.187 aacthvhqbhbg.org
93.189.44.187 arlsolqovltp.co.uk
93.189.44.187 fyhatdpptohp.org
93.189.44.187 weotnaktbwgr.ru
93.189.44.187 ovenbdjnihhdlb.net


BC AdBot (Login to Remove)

 


#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Malware Study Hall Senior
  • 5,604 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:07:36 PM

Posted 29 January 2015 - 04:25 PM

Thanks to Grinler for the info, and kudos to Nathan for the decrypter :)
Member of the Bleeping Computer A.I.I. early response team!

#3 GT500

GT500

    Authorized Emsisoft Representative


  • Security Colleague
  • 122 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Fortville, Indiana, USA
  • Local time:01:36 PM

Posted 29 January 2015 - 07:35 PM

Thanks for the info Lawrence. :wink:

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#4 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:36 PM

Posted 29 January 2015 - 11:12 PM

Hopefully now people will search and decrypt their files before paying.


Have you performed a routine backup today?

#5 Abhishekgg

Abhishekgg

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 31 January 2015 - 01:57 AM

Dear Lawrence

We tried this decryptor, but when we ran this, our hard disk got corrupted and now nothing is opening. When we are starting our computer we are getting following message

 

“Disk Error read occurred

Press Ctrl+Alt+Del to restart”



#6 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:36 PM

Posted 31 January 2015 - 10:31 AM

The decryption application post is a quite simple application, and in no way could corrupt a hard drive. Perhaps your system has been unstable, but the decrypter wouldn't be the cause of it.


Have you performed a routine backup today?

#7 UMGCOMPUTER

UMGCOMPUTER

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:36 PM

Posted 31 January 2015 - 03:52 PM

I Hope I Never Get It!



#8 billyjack1203

billyjack1203

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:36 PM

Posted 31 January 2015 - 10:39 PM

Nathan is the man today for helping me get rid of the crypto locker on files in my network. 



#9 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:36 PM

Posted 31 January 2015 - 11:56 PM

glad it worked for u billy


Have you performed a routine backup today?

#10 Billy_Parts

Billy_Parts

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:11:36 AM

Posted 03 February 2015 - 04:51 PM

1)  What keeps someone from copying this malware, changing the BitCoin address and simply not decrypting the data?

 

2)  What prevented the author or the software from using a stronger encryption algorithm.  It's just a matter of time before the only way to get the data back is by paying.  What kept the malware from having unbreakable encryption?



#11 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,007 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:36 PM

Posted 03 February 2015 - 05:03 PM

1)  What keeps someone from copying this malware, changing the BitCoin address and simply not decrypting the data?


Good question. These people look at it as a business, no matter how illegal it is. They know that if they screw one person over, this will become known and noone will pay the ransom again. They are here to make money.

2)  What prevented the author or the software from using a stronger encryption algorithm.  It's just a matter of time before the only way to get the data back is by paying.  What kept the malware from having unbreakable encryption?


Infrastructure costs and technical experience. Many of these ransomware programs are kits sold by a developer and require little or no technical or programming knowledge. The harder encryptions that use a public and private key pair require more advanced infrastructure and payment systems.

#12 PCBIZZ

PCBIZZ

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:MidWest
  • Local time:12:36 PM

Posted 06 February 2015 - 08:33 AM

When attempting to download from http://ransomwareanalysis.com/CT2015_Decrypter.zip , Windows Defender pops-up stating it is taking action to clean detected malware?  Idea’s??



#13 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,007 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:36 PM

Posted 06 February 2015 - 10:17 AM

Its a false positive. From the first post:

. It should be noted that some anti-virus programs are detecting this infection based on its CryptoTorLocker2015 name and as that same string is used in the decrypter, some AV programs may detect it as malicious.



#14 Abhishekgg

Abhishekgg

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:06 PM

Posted 06 February 2015 - 11:41 AM

Thanks Nathan, at last it worked. We were able to recover our data with help of this encryptor. Thanks a lot for your support. Our hard disk actually got crashed due to bad sectors and wasnt because of this encryptor.



#15 sydney1

sydney1

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:36 AM

Posted 11 February 2015 - 08:05 PM

I tried it and its not working. any other suggestions.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users