Update 3/7/15: It appears that this is just a copycat and not a new version of TorrentLocker. According to a researcher at ESET, the devs behind CryptoFortress just stole the HTML and site layout. See this tweet: https://twitter.com/marc_etienne_/status/573842470691344384
A new encrypting ransomware called CryptoFortress was discovered yesterday by security researcher Kafeine that appears to be either a copycat or a new version of TorrentLocker. When looking at the ransom note and decryption site for both CryptoFortress and TorrentLocker the differences between the two appear to be small. On further inspection, though, we have discovered that CryptoFortress includes the new and nasty feature of being able to encrypt files over network shares even if they are not mapped to a drive letter.
Normally, when ransomware encrypts your data, it does so by retrieving the list of drive letters on the computer and then encrypting the data on each of them. Therefore, any network shares on the same network would be safe as long as they were not mapped to a drive letter. Unfortunately, this all changes with CryptoFortress, which will also attempt to enumerate all open SMB network shares and encrypt any files it finds on them. As you can see from the image below, CryptoFortress successfully encrypted the file test.txt in an open SMB share on my test network. This new ability changes the threat landscape for all server and network administrators, and it is more important than ever to properly secure your shared folders with strong permissions.
When CryptoFortress runs it will encrypt your data using RSA encryption and add the .frtrss extension to the end of each encrypted file. In every folder where a file is encrypted, it will also create a ransom note called READ IF YOU WANT YOUR FILES BACK.html. This note, which is shown above, contains links to a TOR Command & Control server where you can find your ransom amount, which is currently 1 bitcoin, and the address it should be sent to. Last, but not least, CryptoFortress will issue the following command to delete all Shadow Volume Copies so that you are unable to restore your files from them:
vssadmin delete shadows /all /quiet
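The three observable artifacts described above (the vssadmin command, the .frtrss extension and the ransom note name) are enough for a simple detection. The following is an added example, not code from the article or its authors, that runs that logic over constructed process-creation log lines and file paths; the key=value log layout and the share paths are assumptions made up for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicators named in the article: the Shadow Volume Copy deletion command,
# the extension appended to encrypted files, and the ransom note file name.
SHADOW_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
ENCRYPTED_EXT = ".frtrss"
RANSOM_NOTE = "READ IF YOU WANT YOUR FILES BACK.html"

# Constructed process-creation records (not real telemetry) in an assumed
# key=value layout; everything after "cmd=" is the command line.
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
SAMPLE_LOG = [
    r"2015-03-05T09:12:01Z pid=2044 user=LAB\alice cmd=C:\Windows\explorer.exe",
    r"2015-03-05T09:12:44Z pid=3120 user=LAB\alice cmd=vssadmin delete shadows /all /quiet",
    r'2015-03-05T09:13:02Z pid=3188 user=LAB\alice cmd="C:\Windows\System32\vssadmin.exe" list shadows',
]
# Constructed file listing from an open share, as seen after an infection.
SAMPLE_PATHS = [
    r"\\fileserver\open\test.txt.frtrss",
    r"\\fileserver\open\READ IF YOU WANT YOUR FILES BACK.html",
    r"\\fileserver\open\budget.xlsx",
]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line deletes Shadow Volume Copies via vssadmin.
    Legitimate administrators run this too, so hits need triage (parent
    process, user, and whether .frtrss files appear at the same time)."""
    return SHADOW_DELETE_RE.search(cmdline) is not None


def scan_process_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed record of every line whose command deletes shadow copies."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if m and is_shadow_copy_deletion(m.group("cmd")):
            hits.append(m.groupdict())
    return hits


def classify_path(path: str) -> Optional[str]:
    """Label a path as 'encrypted' (.frtrss), 'ransom_note', or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    return "ransom_note" if name == RANSOM_NOTE.lower() else None


def find_ransomware_artifacts(paths: Iterable[str]) -> Dict[str, str]:
    """Map each path that matches a CryptoFortress artifact to its label."""
    return {p: classify_path(p) for p in paths if classify_path(p)}
```

The regex deliberately tolerates `vssadmin.exe`, quoting, extra spaces and mixed case, since a process log rarely shows the exact string from the article.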
Without a doubt, the encryption of non-mapped network shares is a big problem for network administrators. It is now a requirement for backup strategies to use drive rotation rather than relying on persistently attached storage or network shares as the backup medium. This makes cloud backups an even more attractive option as a safe and secure method of backing up your data without being affected by ransomware.
Thanks to Nathan Scott for helping to analyze this infection. You can also find more information about this infection from the analysis by White Hat Mike.