CryptoFortress, a TorrentLocker clone that also encrypts unmapped network shares



#1 Grinler (Lawrence Abrams)

Posted 05 March 2015 - 12:09 PM

Update 3/7/15: It appears that this is just a copycat and not a new version of TorrentLocker. According to a researcher at ESET, the devs behind CryptoFortress just stole the HTML and site layout. See this tweet: https://twitter.com/marc_etienne_/status/573842470691344384

 

A new encrypting ransomware called CryptoFortress was discovered yesterday by security researcher Kafeine that appears to be either a copycat or a new version of TorrentLocker. When looking at the ransom note and decryption site for both CryptoFortress and TorrentLocker the differences between the two appear to be small. On further inspection, though, we have discovered that CryptoFortress includes the new and nasty feature of being able to encrypt files over network shares even if they are not mapped to a drive letter.
 


[Image: ransom-note-collapsed.jpg, the CryptoFortress ransom note]


Normally when a ransomware encrypts your data it does so by retrieving a list of drive letters on a computer and then encrypting any data on them. Therefore any network shares on the same network would be safe as long as they were not mapped to a drive letter. Unfortunately this all changes with CryptoFortress as this ransomware will also attempt to enumerate all open network SMB shares and encrypt any that are found. As you can see from the image below, CryptoFortress is successfully able to encrypt the file test.txt in an open share over SMB on my test network. This new ability changes the threat landscape for all server and network administrators and it is even more important than ever to properly secure your shared folders with strong permissions.
 

[Image: wireshark-smb.jpg, Wireshark capture of test.txt being encrypted over SMB]


When CryptoFortress runs it will encrypt your data using RSA encryption and add the .frtrss extension to the end of the encrypted file. In every folder where a file is encrypted, it will also create a ransom note called READ IF YOU WANT YOUR FILES BACK.html. This note, which is shown above, contains links to a TOR Command & Control server where you can find your ransom amount, which is currently 1 bitcoin, and the address it should be sent to. Last, but not least, CryptoFortress will issue the following command to delete all Shadow Volume Copies so you are unable to restore your files from them:
 

vssadmin delete shadows /all /quiet

Without a doubt, encrypting non-mapped network shares makes this a big problem for network administrators. It is now a requirement for backup strategies to use drive rotation rather than relying on persistently attached storage or network shares as your backup medium. This makes cloud backups an even more attractive option as a safe and secure method of backing up your data without being affected by ransomware.

Thanks to Nathan Scott for helping to analyze this infection. You can also find more information about this infection from the analysis by White Hat Mike.
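As an added illustration, not code from the original post or from any of the analyses it cites: the behaviours described above (the vssadmin shadow-copy deletion, the .frtrss extension, the ransom note file name, and writes to UNC share paths rather than mapped drive letters) can be turned into detection logic over endpoint telemetry. The Sysmon-style events below are constructed sample data and their field names are assumptions, not a real log format.

```python
import re

# Constructed Sysmon-like events (assumed field names): id 1 = process create,
# id 11 = file create. Paths and hostnames are made up for the example.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet",
     "parent": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",            # benign admin usage
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 11, "image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "target": r"\\FILESRV01\public\reports\q1.xlsx.frtrss"},
    {"id": 11, "image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "target": r"\\FILESRV01\public\reports\READ IF YOU WANT YOUR FILES BACK.html"},
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "target": r"C:\Users\bob\Documents\notes.docx"},  # benign write
]

# Indicators taken from the write-up above.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)
ENCRYPTED_EXT = ".frtrss"
RANSOM_NOTE = "read if you want your files back.html"
# A UNC path (\\server\share\...) means the write went to a share that is
# not necessarily mapped to a drive letter, which is the new behaviour here.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\[^\\]+\\")


def classify(event):
    """Return the list of alert tags for one event; empty means nothing suspicious."""
    tags = []
    if event["id"] == 1 and SHADOW_DELETE.search(event["cmdline"]):
        tags.append("shadow_copy_deletion")
    if event["id"] == 11:
        target = event["target"]
        name = target.rsplit("\\", 1)[-1].lower()
        if name.endswith(ENCRYPTED_EXT):
            tags.append("frtrss_file_created")
        if name == RANSOM_NOTE:
            tags.append("ransom_note_dropped")
        if tags and UNC_PATH.match(target):
            tags.append("network_share_affected")
    return tags


def scan(events):
    """Group alert tags by process image so one encryptor run surfaces as one finding."""
    findings = {}
    for ev in events:
        for tag in classify(ev):
            findings.setdefault(ev["image"], set()).add(tag)
    return findings
```

A process image that accumulates both frtrss_file_created and network_share_affected is the case this thread is about: a single infected workstation writing encrypted files onto a share it reached by UNC path.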





#2 GT500

GT500

  •  Avatar image
  • Security Colleague
  • 161 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:19 AM

Posted 05 March 2015 - 02:50 PM

Thanks for the article Lawrence. :wink:

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#3 calgary11

calgary11

  •  Avatar image
  • Members
  • 12 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:19 AM

Posted 05 March 2015 - 03:00 PM

I was wondering how long it would take them to start looking for network shares, I guess that answered this question. One more headache to worry about. Thanks for the post.



#4 White Hat Mike

White Hat Mike

  •  Avatar image
  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:09:19 AM

Posted 05 March 2015 - 03:04 PM

> I was wondering how long it would take them to start looking for network shares, I guess that answered this question. One more headache to worry about. Thanks for the post.

 

I have seen other variants that enumerate network shares without logical mapping to a drive letter before, but they are extremely uncommon and I have never actually come across one of them in the wild or even seen many reports of ransomware with such capability. It's unknown how large the campaign is that is pushing this variant, but the fact that it has been confirmed to be pushed as a payload of Nuclear Pack, in addition to the unique capabilities that are introduced with CryptoFortress, leads me to believe that its prevalence has a great potential for growth in the wild.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#5 zingo156

zingo156

  •  Avatar image
  • Helper Emeritus
  • 3,345 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:19 AM

Posted 05 March 2015 - 04:39 PM

Another great write-up Grinler, and another trashy bit of software! Hmm... I guess I may be setting up some local FTP servers and removing any mapped drives/open network drives. I had already thought about this but I know users are not going to "want" to learn something new.


Edited by zingo156, 05 March 2015 - 04:41 PM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#6 Grinler (Lawrence Abrams), Topic Starter

Posted 05 March 2015 - 04:55 PM

If you do not want to set up a cloud backup, I know there are backup solutions where you install an agent on each computer that handles the backups. That way you avoid UNC shares and drive mappings.

#7 RobertHD

RobertHD

  •  Avatar image
  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Somewhere in Oz
  • Local time:11:49 PM

Posted 06 March 2015 - 12:10 AM

Thanks for letting us all know.


Robert James Crawley Klopp


#8 Angoid

Angoid

  •  Avatar image
  • Security Colleague
  • 306 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:East Midlands UK
  • Local time:01:19 PM

Posted 06 March 2015 - 06:26 AM

Thanks for the article Grinler.

It's rapidly getting to the point where the only safe Internet connection is a broken one :blink:


Helping a loved one through a mental health issue?  Remember ALGEE...

Assess the risk | Listen nonjudgementally | Give reassurance and info | Encourage professional help | Encourage self-help and support network

#9 Sintharius (Bleepin' Sniper)

Posted 06 March 2015 - 06:44 AM

> It's rapidly getting to the point where the only safe Internet connection is a broken one :blink:

Which we all know is not feasible :lmao:

#10 RobertHD

RobertHD

  •  Avatar image
  • Members
  • 348 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Somewhere in Oz
  • Local time:11:49 PM

Posted 06 March 2015 - 07:06 AM

:bubbles:


Robert James Crawley Klopp


#11 rp88

rp88

  •  Avatar image
  • Members
  • 3,762 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:01:19 PM

Posted 06 March 2015 - 11:23 AM

When you describe it attacking other things on a network, does this mean that any computers sharing a router or wi-fi connection point are going to be attacked if any one of them is infected? For example if you had a home network of three computers, the network being that they shared a wi-fi access point, would an infection on any one of them then encrypt data on all the others, or does this only apply to networks of the type where everything is stored on a central server and the physical machines dotted around the building are just access points and have no files stored on them?
Back to visiting this site, every so often, been so busy in previous years.

#12 White Hat Mike

White Hat Mike

  •  Avatar image
  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:09:19 AM

Posted 06 March 2015 - 12:36 PM

> When you describe it attacking other things on a network, does this mean that any computers sharing a router or wi-fi connection point are going to be attacked if any one of them is infected? For example if you had a home network of three computers, the network being that they shared a wi-fi access point, would an infection on any one of them then encrypt data on all the others, or does this only apply to networks of the type where everything is stored on a central server and the physical machines dotted around the building are just access points and have no files stored on them?

 

It does not self-replicate and traverse the network in the same fashion that a worm does. It will only affect files / documents on another device if they are natively accessible from the initially affected device, i.e. a shared folder (requiring no authentication), an open network share, etc. The encryption of files on a device other than the initially compromised device is most commonly seen when an organization has a [file] server that employees all have access to, for centralized storage of data and other documentation.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#13 bluerussian

bluerussian

  •  Avatar image
  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:03:19 AM

Posted 06 March 2015 - 03:03 PM

Delivery Method: Is this known?

 

Is it still through infected emails and the user clicks away? Is it still limited to the user's rights at the time of infection?



#14 Grinler (Lawrence Abrams), Topic Starter

Posted 06 March 2015 - 03:18 PM

According to Kafeine, it is exploit kits.

#15 White Hat Mike

White Hat Mike

  •  Avatar image
  • Members
  • 312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:::1
  • Local time:09:19 AM

Posted 06 March 2015 - 06:12 PM

> Delivery Method: Is this known?
>
> Is it still through infected emails and the user clicks away? Is it still limited to the user's rights at the time of infection?

 

As Grinler stated above, Kafeine was searching for a different piece of malware being pushed by an exploit kit and accidentally encountered the CryptoFortress ransomware. The only confirmed delivery method that I've heard of so far is via exploit kit, and in Kafeine's case, the Nuclear Pack EK.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com
