New CryptoTorLocker2015 Ransomware discovered and easily decrypted

As ransomware infections continue to evolve with more sophisticated technology and payment systems, today we introduce a new one called CryptoTorLocker2015 that throws all of these advances out the window. A member recently posted about CryptoTorLocker 2015 on our forums and I was able to track down a sample of the installer. Once installed, I could only stare at its barely intelligible ransom note, patched together wallpaper image, static payment address, and easily defeated XOR encryption. Unfortunately, people have paid the ransom from this infection, which means ransomware doesn't have to look pretty to make money.

It is unsure how CryptoTorLocker 2015 is installed on a system, but once installed it will scan your computer and infect any data files and shortcuts that it finds. As it encrypts each file, it will append .CryptoTorLocker2015! to the end of each filename. So a file called invoice.doc would become invoice.doc.CryptoTorLocker2015!. It will also create a ransom note called HOW TO DECRYPT FILES.txt in each directory it encounters. The text of the ransom note is below. Please note that this ransom note was actually written this way.
 

Your important files strong encryption RSA-2048 produces on this computer:Photos,Videos,documents,usb disks etc.Here is a complete list of encrypted files,and you can personally verify this.CryptoTorLocker2015! which is allow to decrypt and return control to all your encrypted files.To get the key to decrypt files you have to pay 0.5 Bitcoin 100$ USD/EUR.
Just after payment specify the Bitcoin Address.Our robot will check the Bitcoin ID and when the transaction will be completed, you'll receive activation,Purchasing Bitcoins,Here our Recommendations 1. Localbitcoins.com This is fantastic service,Coinbase.com Exchange,CoinJar =Based in Australia,We Wait In Our Wallet Your Transaction
WE GIVE YOU DETAILS! Contact ME if you need help My Email = information@jupimail.com AFTER YOU MAKE PAYMENT BITCOIN YOUR COMPUTER AUTOMATIC DECRYPT PROCEDURE START! YOU MUST PAY Send 0.5 BTC To Bitcoin Address: 1KpP1YGGxPHKTLgET82JBngcsBuifp3noW

When it has finished encrypting your data it will then change your wallpaper to a patchwork of images copied from other ransomware infections. If anything, it may be worth paying the ransom so you do not have to look at this wallpaper anymore.
 

Finally, the infection will display another alert about your files being encrypted and then displays a password prompt. Supposedly if you paid the ransom, the developer would send you a password, which you would enter to decrypt your files.
 

The fact that there was no discernable network traffic when it was installed indicated that the decryption key was built into the executable itself or stored somewhere on the computer. Also a password prompt hinted that it may be possible to patch the executable to make it think that any password entered was the correct one in order to begin the decryption process. When security researcher Nathan Scott looked at the executable, he confirmed that you could simply bypass the password to begin decrypting, but even better it was using XOR encryption. Once this was discovered he was able to quickly find the XOR key and whip up a decrypter for anyone who was affected.

With that said, for those who are infected with CryptoTorLocker2015, you can easily decrypt your files by downloading and running Nathan Scott's decrypter. It should be noted that some anti-virus programs are detecting this infection based on its CryptoTorLocker2015 name and as that same string is used in the decrypter, some AV programs may detect it as malicious. This is a false positive, but if you are concerned about the safety of the decryption tool, you can always copy your encrypted data to a virtual machine and run the decrypter from there.

The decrypter can be downloaded from this link: http://ransomwareanalysis.com/CT2015_Decrypter.zip

Once you start the decrypter, select a folder to scan and any encrypted files will be decrypted. When using the tool, it is suggested that you select the root of the drive such as C:\ and let the decrypter recursively scan your entire drive. If you are finding that some files, most likely shortcuts, are not properly being decrypted, you should run the program with Administrator privileges.
 

As always, if you have any questions, please feel free to post them here.



Known CryptoTorLocker2015 Ransomware Files:
 

%Temp%\HOW TO DECRYPT FILES.txt
%Temp%\<random>.bmp
%Temp%\<random>.exe

Known CryptoTorLocker2015 Ransomware Registry keys:

HKLM\SOFTWARE\Classes\.CryptoTorLocker2015!
HKLM\SOFTWARE\Classes\.CryptoTorLocker2015!\@	= "PRPASCBHJSZLMOM"
HKLM\SOFTWARE\Classes\PRPASCBHJSZLMOM\@	= "CRYPTED!"
HKLM\SOFTWARE\Classes\PRPASCBHJSZLMOM\DefaultIcon\@ = "%Temp%\<random>.exe,0"
HKLM\SOFTWARE\Classes\PRPASCBHJSZLMOM\shell\open\command\@ = "%Temp%\<random>.exe"
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter	= "%Temp%\<random>.exe"
HKCU\Control Panel\Desktop\Wallpaper = "%Temp%\<random>.bmp"

Host File Modifications:

93.189.44.187 dmidybmfxsaq.biz
93.189.44.187 aacthvhqbhbg.org
93.189.44.187 arlsolqovltp.co.uk
93.189.44.187 fyhatdpptohp.org
93.189.44.187 weotnaktbwgr.ru
93.189.44.187 ovenbdjnihhdlb.net

Thanks to Grinler for the info, and kudos to Nathan for the decrypter

Thanks for the info Lawrence.

Hopefully now people will search and decrypt their files before paying.

Dear Lawrence

We tried this decryptor, but when we ran this, our hard disk got corrupted and now nothing is opening. When we are starting our computer we are getting following message

 

“Disk Error read occurred

Press Ctrl+Alt+Del to restart”

The decryption application post is a quite simple application, and in no way could corrupt a hard drive. Perhaps your system has been unstable, but the decrypter wouldn't be the cause of it.

I Hope I Never Get It!

Nathan is the man today for helping me get rid of the crypto locker on files in my network. 

glad it worked for u billy

1)  What keeps someone from copying this malware, changing the BitCoin address and simply not decrypting the data?

 

2)  What prevented the author or the software from using a stronger encryption algorithm.  It's just a matter of time before the only way to get the data back is by paying.  What kept the malware from having unbreakable encryption?

1)  What keeps someone from copying this malware, changing the BitCoin address and simply not decrypting the data?

Good question. These people look at it as a business, no matter how illegal it is. They know that if they screw one person over, this will become known and noone will pay the ransom again. They are here to make money.

2)  What prevented the author or the software from using a stronger encryption algorithm.  It's just a matter of time before the only way to get the data back is by paying.  What kept the malware from having unbreakable encryption?

Infrastructure costs and technical experience. Many of these ransomware programs are kits sold by a developer and require little or no technical or programming knowledge. The harder encryptions that use a public and private key pair require more advanced infrastructure and payment systems.

When attempting to download from http://ransomwareanalysis.com/CT2015_Decrypter.zip , Windows Defender pops-up stating it is taking action to clean detected malware?  Idea’s??

Its a false positive. From the first post:

. It should be noted that some anti-virus programs are detecting this infection based on its CryptoTorLocker2015 name and as that same string is used in the decrypter, some AV programs may detect it as malicious.

Thanks Nathan, at last it worked. We were able to recover our data with help of this encryptor. Thanks a lot for your support. Our hard disk actually got crashed due to bad sectors and wasnt because of this encryptor.

I tried it and its not working. any other suggestions.