TorrentLocker unpicked: Crypto coding shocker defeats extortionists

Crooks have borked the encryption behind the TorrentLocker ransomware, meaning victims can avoid paying the extortionists and unlock their data for free. TorrentLocker was regarded as the demonic spawn of CryptoLocker and CryptoWall which made killings last year by encrypting valuable data owned by individuals and …

  1. h4rm0ny

    I'm conflicted

    On the one hand, this is pragmatically good. On the other, I hate seeing bad encryption implementations.

    1. Paul Crawford Silver badge

      Re: I'm conflicted

      Are you sure your not in XKCD land?

      1. Adam 1

        Re: I'm conflicted

        Pretty sure he is in Oatmeal land actually.

      2. h4rm0ny

        Re: I'm conflicted

        >>Are you sure your not in XKCD land?

        "you're".

        I refuse to be mocked by people with weak grammar.

        1. wdmot

          Re: I'm conflicted

          No matter how hard I try, I can't help but re-read the sentence/question from my point of view. Thus, AC's question would become "Am I sure my not in XKCD land?" which makes no sense.

          Or the object's point of view: "your" becomes "his" or "her" depending on whether h4rm0ny is male or female ;-)

    2. Anonymous Coward

      Re: I'm conflicted

      If you already have a backup of the data then why bother trying to decrypt stuff, just wipe and put the backup in place??

      1. h4rm0ny

        Re: I'm conflicted

        >>"If you already have a backup of the data then why bother trying to decrypt stuff, just wipe and put the backup in place??"

        Riding the early posts so your reply appears sooner? *tsk tsk*. Anyway, there is an answer to this. The point about the backups is that you only need part of the encrypted data in unencrypted form to unlock the rest of it. So if they encrypt directory "AllMyImportantStuff" but you have a spare copy of "mytaxsubmissions.csv" from that directory, you can use that snippet of overlap to crack the whole thing and get everything back.

        So yes, if you have everything backed up, you can just delete the encrypted version. But if you don't, you get to pull one over on the Black Hats for once. ;)

      2. Adam 1

        Re: I'm conflicted

        >If you already have a backup of the data then why bother ...

        IF you have a recent, up-to-date backup, fair question. Many people don't. What they probably have sitting on an iPod somewhere is one of the MP3s from their music folder. The article suggests that as little as 2MB was enough to calculate the XOR key, or in layman's terms, a single song is enough to recover all their data.

        1. Old Handle

          Re: I'm conflicted

          I just looked at a list of file types it goes after, and mp3 doesn't seem to be on the list, but zip, rar and 7z are. So if you've happened to download something in one of those formats and left the packed file sitting around you could simply download it again to get your cleartext. Or maybe you emailed a big docx to someone recently. Chances are you can retrieve it from your mail server, or failing that ask the recipient to mail it back.

          It does target a wide variety of files so I'd bet that the vast majority of people do have something on their disks in one of those formats which is duplicated elsewhere, even without making an intentional backup.

  2. Daniel Snowden

    Only half the solution

    The first step is to crack the ransomware. The second step is to crack whoever wrote it.

  3. John Smith 19 Gold badge

    No doubt the authors will issue an update shortly.

    Or hopefully not.

    1. dist

      Re: No doubt the authors will issue an update shortly.

      CryptoLocker was much worse. Sure, there will be more advanced malware in the future too. I only hope that we could help those who got affected by this particular malware.

  4. phuzz Silver badge

    Even lazier

    I had to clean some malware off a clients computer yesterday which had dumped text, html, and .lnk files across many directories claiming to have encrypted all of the files, and offering a website through which you could pay a ransom.

    Thing is, we couldn't find *any* files which were encrypted. It looks like the whole plan was just to scare people into paying the ransom without even checking their files.

    1. Anonymous Coward

      Re: Even lazier

      That's a bit like the Irish virus of a couple of years back, but that was at least clearly a joke.

      1. Pookietoo

        Re: Irish virus of a couple of years back

        Rather more than a couple of years, I think.

  5. Anonymous Coward

    Re, XOR

    A few years back there was a version of this which tried to encrypt files but just resulted in massive data loss due to a coding error.

    The latest version of C-L from what I have been told messes with the MBR and hides in the spare sector pool which rarely gets accessed but can readily rebuild itself with a small code segment.

    As a side effect the infected drive sometimes fails to show up when put in a different machine and Windows install will then pick it up as unformatted resulting in total loss.

  6. ecofeco Silver badge

    Yeah, the average user will know how to do this

    Not.

    1. Pookietoo

      Re: Yeah, the average user will know how to do this

      If the average user is capable of searching for the phrase "XOR two files" then he'll find the first Google hit leads to a free utility to XOR two files together. All he then has to do is XOR the file with known content and its encrypted version, to produce a key file that can be used to unlock all the other encrypted files.
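The keystream-reuse weakness that h4rm0ny and Pookietoo describe above, as an added example that is not code from the article or from any commenter: a toy scheme that XORs the first KEY_LEN bytes of every file with one fixed keystream (KEY_LEN and the sample files are constructed stand-ins for the roughly 2MB prefix the article mentions), a known-plaintext step that recovers the keystream from one file and its backup copy, and the decryption of the remaining files with it, including the case where the known file is too short to cover another file's encrypted prefix.

```python
"""Recovering a reused XOR keystream from one known plaintext/ciphertext pair.

Added example, not code from the article or the thread. KEY_LEN is an
assumption standing in for the encrypted prefix; all sample data is constructed.
"""
import os

KEY_LEN = 64  # assumption: stand-in for the ~2MB prefix mentioned in the article


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """The weak scheme: one keystream reused for the prefix of every file,
    bytes beyond KEY_LEN left untouched."""
    return xor_bytes(plaintext[:KEY_LEN], keystream[:KEY_LEN]) + plaintext[KEY_LEN:]


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Known-plaintext step: P XOR C yields the keystream for every byte
    position the known file covers (at most KEY_LEN bytes)."""
    if len(known_plain) != len(known_cipher):
        raise ValueError("known file and its encrypted copy differ in length")
    return xor_bytes(known_plain[:KEY_LEN], known_cipher[:KEY_LEN])


def decrypt_with_recovered(cipher: bytes, recovered: bytes) -> bytes:
    """Undo the prefix XOR; refuse if the recovered keystream is shorter
    than this file's encrypted prefix (a short known file recovers less)."""
    needed = min(len(cipher), KEY_LEN)
    if len(recovered) < needed:
        raise ValueError(f"keystream covers {len(recovered)} bytes, need {needed}")
    return xor_bytes(cipher[:needed], recovered[:needed]) + cipher[needed:]


def demo() -> dict:
    """Constructed scenario: three files hit, one of them also on a backup."""
    keystream = os.urandom(KEY_LEN)
    files = {
        "mytaxsubmissions.csv": b"year,income\n2014,12345\n" * 5,  # 115 bytes, backed up
        "photo.jpg": bytes(range(200)),
        "notes.txt": b"short file",
    }
    encrypted = {n: flawed_encrypt(p, keystream) for n, p in files.items()}
    key = recover_keystream(files["mytaxsubmissions.csv"], encrypted["mytaxsubmissions.csv"])
    return {n: decrypt_with_recovered(c, key) for n, c in encrypted.items()}
```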

  7. Anonymous Coward

    Windows install will then pick it up as unformatted resulting in total loss.

    I have always considered the Windows installer as the best evidence that MS *can* do security if it wants to - I have yet to come across a better way to annihilate information on a disk. It's without equal.

    As a recovery mechanism, not so much.

  8. Last Bandit

    Is it me?

    Or does the end of the article look like an advert for malware?
