Crypto blunder makes TorrentLocker easy to crack

Posted by   Virus Bulletin on   Sep 10, 2014

Use of single XOR key leaves ransomware open to known-plaintext attack.

It has been said many times before: cryptography is hard. Earlier this year, the authors of the 'Bitcrypt' ransomware discovered this too, when they confused bytes and digits and made their encryption keys easy to crack.

'TorrentLocker' is a new kind of encryption ransomware that was first discovered by iSIGHT Partners last month. It uses components of both 'CryptoLocker' and 'Cryptowall', possibly the two biggest ransomware 'success' stories of the past year.

However, in a guest post for Sans Digital Forensics, three researchers from NIXU in Finland revealed that they have discovered that TorrentLocker makes a fairly basic cryptography blunder, making it relatively easy to recover encrypted files.

The researchers, Taneli Kaivola, Patrik Nisén and Antti Nuopponen, explain how TorrentLocker uses XOR to encrypt the files. XOR is a very simple operation between two sequences of bits; the output of the operation is a sequence that denotes whether the two input bits differ. If they do, the output bit is 1, otherwise it is 0.

A XOR K

In the case of a file A, seen as a series of bits, TorrentLocker uses a keystream K to produce the output A ⊕ K and uses this as the encrypted file, while the original file is discarded. If the keystream K is pseudo-randomly generated, the 'adversary' (in this case someone trying to retrieve the files) has no way of getting the content of the file A.

XOR is a very simple and fast operation, which has the nice property that ( A ⊕ K ) ⊕ K = A, so that decryption is easy for someone who does possess the keystream K.

Fortunately for victims of the ransomware, the malware authors made two basic mistakes. The first is that they only encrypted the first 2MB of each file; parts of the file beyond 2MB were left unencrypted. Moreover, and crucially, they used a single keystream for all files.

This makes TorrentLocker vulnerable to a known-plaintext attack: an 'attack' whereby someone possesses both an unencrypted file A and its encrypted equivalent A ⊕ K. This is actually rather likely - some of the encrypted files will have been sent to or received from third parties.

Using these two files, and the formula ( A ⊕ K ) ⊕ A = K, one can thus retrieve the keystream K. Moreover, if file A is at least 2MB in size, the full keystream is retrieved and all files can be decrypted.

It is always something of a relief that malware authors are humans too and make mistakes just like everyone else. Still, this isn't something one should count on: the best proactive measure against ransomware remains keeping backup copies of all important files.

Posted on 10 September 2014 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

VB2021 localhost is over, but the content is still available to view!

VB2021 localhost - VB's second virtual conference - took place last week, but you can still watch all the presentations.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.