Crypto blunder makes TorrentLocker easy to crack

Posted by   Virus Bulletin on   Sep 10, 2014

Use of single XOR key leaves ransomware open to known-plaintext attack.

It has been said many times before: cryptography is hard. Earlier this year, the authors of the 'Bitcrypt' ransomware discovered this too, when they confused bytes and digits and made their encryption keys easy to crack.

'TorrentLocker' is a new kind of encryption ransomware that was first discovered by iSIGHT Partners last month. It uses components of both 'CryptoLocker' and 'Cryptowall', possibly the two biggest ransomware 'success' stories of the past year.

However, in a guest post for Sans Digital Forensics, three researchers from NIXU in Finland revealed that they have discovered that TorrentLocker makes a fairly basic cryptography blunder, making it relatively easy to recover encrypted files.

The researchers, Taneli Kaivola, Patrik Nisén and Antti Nuopponen, explain how TorrentLocker uses XOR to encrypt the files. XOR is a very simple operation between two sequences of bits; the output of the operation is a sequence that denotes whether the two input bits differ. If they do, the output bit is 1, otherwise it is 0.

A XOR K

In the case of a file A, seen as a series of bits, TorrentLocker uses a keystream K to produce the output A ⊕ K and uses this as the encrypted file, while the original file is discarded. If the keystream K is pseudo-randomly generated, the 'adversary' (in this case someone trying to retrieve the files) has no way of getting the content of the file A.

XOR is a very simple and fast operation, which has the nice property that ( A ⊕ K ) ⊕ K = A, so that decryption is easy for someone who does possess the keystream K.

Fortunately for victims of the ransomware, the malware authors made two basic mistakes. The first is that they only encrypted the first 2MB of each file; parts of the file beyond 2MB were left unencrypted. Moreover, and crucially, they used a single keystream for all files.

This makes TorrentLocker vulnerable to a known-plaintext attack: an 'attack' whereby someone possesses both an unencrypted file A and its encrypted equivalent A ⊕ K. This is actually rather likely - some of the encrypted files will have been sent to or received from third parties.

Using these two files, and the formula ( A ⊕ K ) ⊕ A = K, one can thus retrieve the keystream K. Moreover, if file A is at least 2MB in size, the full keystream is retrieved and all files can be decrypted.

It is always something of a relief that malware authors are humans too and make mistakes just like everyone else. Still, this isn't something one should count on: the best proactive measure against ransomware remains keeping backup copies of all important files.

Posted on 10 September 2014 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

New article: Dissecting the design and vulnerabilities in AZORult C&C panels

In a new article, Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified.

VB2021 localhost call for papers: a great opportunity

VB2021 localhost presents an exciting opportunity to share your research with an even wider cross section of the IT security community around the world than usual, without having to take time out of your work schedule (or budget) to travel.

New article: Excel Formula/Macro in .xlsb?

In a follow-up to an article published last week, Kurt Natvig takes us through the analysis of a new malicious sample using the .xlsb file format.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.