Virus Type: Malware / Ransomware
TorrentLocker (Trojan-Ransom.Win32.Rack in Kaspersky Lab classification) is a family of cryptographic ransomware whose prevalence is steadily increasing.
The first variants of this family were observed in February 2014, and as of December 2014 at least five major releases of this malware had been discovered.
Trojan-Ransom.Win32.Rack uses the symmetric block cipher AES to encrypt the victim's files and the asymmetric cipher RSA to encrypt the AES key. Versions 1-3 contain a flaw that makes it possible to decrypt the victim's files; this recovery has been implemented in our RannohDecryptor utility.
Unfortunately, starting from version four the malware authors identified and fixed this flaw, so this decryption method no longer works. Current versions of this malware demand ransom payments through the Bitcoin system and host their payment webpages on the Tor network.
All versions of TorrentLocker are successfully detected by a wide range of Kaspersky Lab technologies: behavioral (verdicts PDM:Trojan.Win32.Generic, HEUR:Trojan.Win32.Generic), signature-based (verdicts Trojan-Ransom.Win32.Rack.*), and cloud-based via KSN (verdict UDS:DangerousObject.Multi.Generic).
The most effective detection (behavior-based) is provided by our proactive component. This does not rely on the content of an executable file but makes its judgment based on the actions the program performs, allowing us to detect any encryption attempt regardless of whether the malicious sample is new or has been seen before. What's more, our products incorporate a new cryptomalware countermeasures subsystem that can automatically roll back malicious changes to users' files. More information on this system is available in our whitepaper.
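To illustrate the behavior-based approach described above, here is an added example (not Kaspersky code, and not the product's actual logic) of a simple heuristic: a process that overwrites many distinct files with high-entropy (ciphertext-like) content is flagged, whatever its executable looks like. The event records and process IDs are constructed for the demonstration.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def flag_encryptors(events, entropy_threshold=7.0, min_files=5):
    """Return the set of PIDs that rewrote at least `min_files` distinct files
    with content whose entropy is at or above `entropy_threshold`.

    `events` is an iterable of (pid, path, written_bytes) file-modify records,
    as a file-system filter or EDR sensor might report them (hypothetical format).
    A count of distinct files, not a single write, is used because legitimate
    programs (archivers, image editors) also produce high-entropy output."""
    high_entropy_files = defaultdict(set)
    for pid, path, data in events:
        if shannon_entropy(data) >= entropy_threshold:
            high_entropy_files[pid].add(path)
    return {pid for pid, paths in high_entropy_files.items() if len(paths) >= min_files}

# Constructed "ciphertext": a permutation of all 256 byte values repeated four
# times, so every value occurs equally often and the entropy is exactly 8.0.
CIPHERTEXT_LIKE = bytes((i * 73 + 41) % 256 for i in range(1024))
TEXT_LIKE = b"Quarterly report, draft 3. Figures are provisional.\n" * 20

# Constructed sample events: PID 4242 rewrites six documents with ciphertext-like
# data; PID 1001 (an archiver) writes two archives; PID 1002 (an editor) saves text.
SAMPLE_EVENTS = (
    [(4242, f"C:/Users/alice/Documents/report{i}.docx", CIPHERTEXT_LIKE) for i in range(6)]
    + [(1001, f"C:/Users/alice/backup{i}.zip", CIPHERTEXT_LIKE) for i in range(2)]
    + [(1002, f"C:/Users/alice/notes{i}.txt", TEXT_LIKE) for i in range(10)]
)

if __name__ == "__main__":
    print("flagged PIDs:", flag_encryptors(SAMPLE_EVENTS))  # prints {4242}
```

In a real sensor the count would be taken over a short time window and combined with other signals (renames to a new extension, ransom-note creation) to keep false positives from archivers and encryption tools low.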
The best way to guarantee the safety of critical data is to keep a consistent backup schedule. Backups should be performed regularly and, moreover, the copies need to be stored on a device that is accessible only during the backup process (e.g., a removable storage device that is disconnected immediately after the backup completes). Failure to follow these recommendations will result in the backed-up files being attacked and deleted or encrypted by the ransomware in the same way as the original files.
Even with a regular backup schedule, the most recent files might be left unprotected and could be lost to a ransomware attack. An antimalware solution with up-to-date databases and all protection components enabled is not only essential for data safety but also protects the system against other kinds of cyberthreats.
Modern malware is often propagated by means of social engineering, so it is crucial to be aware of the most commonly used tricks, such as fake email notifications from well-known services and organizations. These counterfeit email messages commonly carry malware and are often hard to distinguish from legitimate communications. That is why users should pay attention to every detail, remain constantly alert, and only open attachments from trusted sources to guard against the risk of infection.