
CryptoFortress is similar to TorrentLocker but functions as a distinct ransomware variant


ESET researchers have compared two ransomware families, CryptoFortress and TorrentLocker, that look alike at first glance (same ransom message and payment page layout) but turn out to be distinct malware with different code, distribution and encryption behaviour.

The story started with a blog post by Kafeine reporting a ransomware, identified as CryptoFortress, being distributed through the Nuclear Pack exploit kit. Its ransom message and payment page resembled TorrentLocker's, but closer analysis showed that the group behind CryptoFortress had simply lifted the HTML templates and CSS design from TorrentLocker; the malware code itself and the operation behind it are different.

ESET's comparison lists the main differences. Propagation: TorrentLocker spreads mainly through spam campaigns, CryptoFortress through exploit kits. File encryption: TorrentLocker uses AES-256 in CBC mode, CryptoFortress uses AES-256 in ECB mode (ECB transforms each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks, a pattern that is visible when inspecting encrypted files). TorrentLocker carries a hardcoded C&C server address while CryptoFortress does not, and the two families host their ransom and payment pages in different locations.

What the two families share is the use of RSA-1024 to encrypt the AES key, although each relies on a different cryptographic library to do so. How much of each file gets encrypted also differs: TorrentLocker encrypts the first 2 MB of each file, whereas CryptoFortress encrypts the first half of each file, up to a maximum of 5 MB. In both cases the remainder of a large file is left untouched, which matters for recovery. Payment terms differ too: TorrentLocker demands a variable amount of Bitcoin, while CryptoFortress asks for a fixed 1.0 Bitcoin.
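To make the encryption differences concrete, the following added example (written for this page, not ESET's tooling or either family's code) models the two on-disk footprints from the figures above and runs a simple triage over a suspect file: an entropy scan to measure how long the encrypted prefix is, a comparison against the 2 MB and "50% up to 5 MB" extents, and a repeated-block count that exposes ECB mode. A keyed hash stands in for AES-256 so the script has no dependencies, the zero IV and the handling of a trailing partial block are assumptions, and the sample document and key are constructed here.

```python
"""Added example: model TorrentLocker/CryptoFortress file footprints and triage a file.
Not ESET's tooling or the malware's code; assumptions are marked inline."""
import hashlib
import math
from collections import Counter

BLOCK = 16          # AES block size in bytes
MB = 1024 * 1024


def torrentlocker_extent(size: int) -> int:
    """TorrentLocker encrypts the first 2 MB of a file (all of it if smaller)."""
    return min(size, 2 * MB)


def cryptofortress_extent(size: int) -> int:
    """CryptoFortress encrypts the first 50% of a file, capped at 5 MB."""
    return min(size // 2, 5 * MB)


def _toy_block(key: bytes, block: bytes) -> bytes:
    # Assumption: a keyed 16-byte PRF stands in for AES-256 to avoid dependencies.
    # It is not a cipher; it only keeps the property that matters here:
    # same key and same input block always give the same output block.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB mode (CryptoFortress): each block is transformed independently."""
    return b"".join(_toy_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC mode (TorrentLocker): each block is XORed with the previous ciphertext block."""
    out, prev = [], int.from_bytes(iv, "big")
    for i in range(0, len(data), BLOCK):
        mixed = (int.from_bytes(data[i:i + BLOCK], "big") ^ prev).to_bytes(BLOCK, "big")
        cblock = _toy_block(key, mixed)
        out.append(cblock)
        prev = int.from_bytes(cblock, "big")
    return b"".join(out)


def simulate(family: str, key: bytes, plaintext: bytes) -> bytes:
    """Apply a family's partial encryption; bytes past the extent are left as they are."""
    extent = {"torrentlocker": torrentlocker_extent,
              "cryptofortress": cryptofortress_extent}[family](len(plaintext))
    extent -= extent % BLOCK                      # assumption: trailing partial block untouched
    head = plaintext[:extent]
    if family == "torrentlocker":
        head = cbc_encrypt(key, b"\x00" * BLOCK, head)   # assumption: zero IV
    else:
        head = ecb_encrypt(key, head)
    return head + plaintext[extent:]


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_prefix_length(data: bytes, window: int = 4096, threshold: float = 7.5) -> int:
    """Length of the leading high-entropy region, measured in whole windows."""
    end = 0
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if shannon_entropy(chunk) < threshold:
            break
        end = off + len(chunk)
    return end


def repeated_block_ratio(data: bytes) -> float:
    """Share of 16-byte blocks that duplicate an earlier one (ECB leaks repetition, CBC hides it)."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data) - len(data) % BLOCK, BLOCK)]
    return 0.0 if not blocks else 1 - len(set(blocks)) / len(blocks)


def attribute(data: bytes, window: int = 4096) -> dict:
    """Compare a suspect file's encrypted prefix with the two families' extents."""
    size, enc = len(data), encrypted_prefix_length(data, window)
    return {"encrypted_bytes": enc,
            "recoverable_tail_bytes": size - enc,
            "matches_torrentlocker": abs(enc - torrentlocker_extent(size)) < window,
            "matches_cryptofortress": abs(enc - cryptofortress_extent(size)) < window}


def build_sample_plaintext(size: int) -> bytes:
    """Constructed low-entropy document: numbered lines of hex text."""
    lines, total, i = [], 0, 0
    while total < size:
        line = f"{i:08d},{hashlib.sha1(i.to_bytes(4, 'big')).hexdigest()}\n".encode()
        lines.append(line)
        total += len(line)
        i += 1
    return b"".join(lines)[:size]


def run_demo(size: int = 12 * MB) -> dict:
    key = hashlib.sha256(b"constructed example key").digest()     # constructed 32-byte key
    doc = build_sample_plaintext(size)
    results = {fam: attribute(simulate(fam, key, doc)) for fam in ("torrentlocker", "cryptofortress")}
    padding = b"\x00" * 4096   # constructed: a run of zero padding, common in document formats
    results["ecb_repeat_ratio"] = repeated_block_ratio(ecb_encrypt(key, padding))
    results["cbc_repeat_ratio"] = repeated_block_ratio(cbc_encrypt(key, b"\x01" * BLOCK, padding))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

On a 12 MB constructed document the TorrentLocker simulation leaves 10 MB of recoverable plaintext after a 2 MB encrypted prefix, and the CryptoFortress simulation leaves 7 MB after a 5 MB prefix; over the zero-padding region ECB yields 255 duplicate blocks out of 256 while CBC yields none. Both checks are heuristics: the entropy scan assumes the original content was not already compressed or encrypted, and the repeated-block test only fires when the plaintext itself repeats at 16-byte alignment.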

Renaud Tabary's detailed analysis of CryptoFortress, published afterwards, corroborated ESET's findings. Both campaigns were active at the same time: TorrentLocker kept arriving through spam while CryptoFortress was being pushed by exploit kits, so both variants were a live risk to users and organizations.

The CryptoFortress/TorrentLocker case shows why a look-alike ransom note is not evidence of the same malware family; only analysis of the code, infrastructure and encryption behaviour settles attribution. Getting that right matters in practice, because the distribution vector, the cipher mode and the portion of each file that is encrypted all shape detection, response and recovery.
