Far from being the geniuses that the media like to portray, malicious hackers can make mistakes just as well as the next person… and that’s certainly true of whoever was behind the TorrentLocker ransomware.
Finnish boffins Taneli Kaivola, Patrik Nisén and Antti Nuopponen of Nixu Oy have discovered that there is a way for victims of TorrentLocker to recover the contents of their encrypted files, without handing any money over to the criminals behind the attack.
According to a blog post published by the trio, it is child’s play to recover your files if you have an unencrypted backup version of just one of the files that has been meddled with by TorrentLocker.
As the algorithm is a symmetric one, the same key is used both to encrypt and decrypt data. Because the malware program needs to have the key in the infected machine at some point of time to be able to encrypt the files, recovering the key from the infected machine could be possible, at least in theory.
Stream ciphers can be strong, but there are some fundamental issues that must be avoided in order to keep the encryption cryptographically secure. One of the most important things is not to use the keystream more than once.
In our analysis, we had samples of both encrypted and plaintext versions of the same files. As the encryption was done by combining the keystream with the plaintext file using the XOR operation, we were able to recover the keystream used to encrypt those files by simply applying XOR between the encrypted file and the plaintext file. We tested this with several samples of the affected files we had and realized that the malware program uses the same keystream to encrypt all the files within the same infection. This was a cryptographic mistake on the malware author’s part, as you should never use the keystream more than once.
If this kind of mistake had been made by a technology company trusted to encrypt our communications and keep them secure from hackers, we would be up in arms about such a sloppy implementation of an encryption algorithm.
As it is, however, I guess we should all feel some cheer for once that a programmer made a dumb mistake. If they hadn’t coded TorrentLocker so poorly, it could cause as much harm as other recent examples of ransomware like CryptoLocker and CryptoWall.
There is some bad news though—it seems highly likely that the malware authors will issue an update for TorrentLocker shortly, and chances are that the new version will have fixed the cryptographic bug.
Such bugs in TorrentLocker don’t mean that the ransomware problem is over. Criminals have proven in the last year or so that they can amass a considerable fortune by spreading malware designed to take victims’ files hostage. Other malicious hackers are bound to see that ransomware can generate an easy income, provided they code it competently.
My advice? Make sure that you keep strong defenses in place and rigorously adopt a backup regime, which includes keeping copies of your most important data separate from your network to prevent that being compromised at the same time as the rest of your files.