Crypto blunder makes TorrentLocker easy to crack

Posted by   Virus Bulletin on   Sep 10, 2014

Use of single XOR key leaves ransomware open to known-plaintext attack.

It has been said many times before: cryptography is hard. Earlier this year, the authors of the 'Bitcrypt' ransomware discovered this too, when they confused bytes and digits and made their encryption keys easy to crack.

'TorrentLocker' is a new kind of encryption ransomware that was first discovered by iSIGHT Partners last month. It uses components of both 'CryptoLocker' and 'Cryptowall', possibly the two biggest ransomware 'success' stories of the past year.

However, in a guest post for Sans Digital Forensics, three researchers from NIXU in Finland revealed that they have discovered that TorrentLocker makes a fairly basic cryptography blunder, making it relatively easy to recover encrypted files.

The researchers, Taneli Kaivola, Patrik Nisén and Antti Nuopponen, explain how TorrentLocker uses XOR to encrypt the files. XOR is a very simple operation between two sequences of bits; the output of the operation is a sequence that denotes whether the two input bits differ. If they do, the output bit is 1, otherwise it is 0.

A XOR K

In the case of a file A, seen as a series of bits, TorrentLocker uses a keystream K to produce the output A ⊕ K and uses this as the encrypted file, while the original file is discarded. If the keystream K is pseudo-randomly generated, the 'adversary' (in this case someone trying to retrieve the files) has no way of getting the content of the file A.

XOR is a very simple and fast operation, which has the nice property that ( A ⊕ K ) ⊕ K = A, so that decryption is easy for someone who does possess the keystream K.

Fortunately for victims of the ransomware, the malware authors made two basic mistakes. The first is that they only encrypted the first 2MB of each file; parts of the file beyond 2MB were left unencrypted. Moreover, and crucially, they used a single keystream for all files.

This makes TorrentLocker vulnerable to a known-plaintext attack: an 'attack' whereby someone possesses both an unencrypted file A and its encrypted equivalent A ⊕ K. This is actually rather likely - some of the encrypted files will have been sent to or received from third parties.

Using these two files, and the formula ( A ⊕ K ) ⊕ A = K, one can thus retrieve the keystream K. Moreover, if file A is at least 2MB in size, the full keystream is retrieved and all files can be decrypted.

It is always something of a relief that malware authors are humans too and make mistakes just like everyone else. Still, this isn't something one should count on: the best proactive measure against ransomware remains keeping backup copies of all important files.

Posted on 10 September 2014 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

Nominations opened for sixth Péter Szőr Award

Virus Bulletin is seeking nominations for the sixth annual Péter Szőr Award.

Haroon Meer and Adrian Sanabria to deliver VB2019 closing keynote

New additions to the VB2019 conference programme include a closing keynote address from Thinkst duo Haroon Meer and Adrian Sanabria and a talk on attacks against payment systems.

Free VB2019 tickets for students

Virus Bulletin is excited to announce that, thanks to generous sponsorship from Google Android, we are able to offer 20 free tickets to students who want to attend VB2019.

VB2018 paper: Lazarus Group: a mahjong game played with different sets of tiles

The Lazarus Group, generally linked to the North Korean government, is one of the most notorious threat groups seen in recent years. At VB2018 ESET researchers Peter Kálnai and Michal Poslušný presented a paper looking at the group's various…

Book your VB2019 ticket now for a chance to win a ticket for BSides London

Virus Bulletin is proud to sponsor this year's BSides London conference, which will take place next week, and we have a number of tickets to give away.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.