CryptoFortress is a new ransomware family with file-encryption capabilities. It looks similar to TorrentLocker, but its internals reveal a different malware structure.
The ransom message shown to the victim once the data on the computer has been encrypted is the same as in the case of TorrentLocker, which, as we reported, borrowed it from CryptoLocker. Similarities have also been found on the payment page.
Security researchers report that the CryptoFortress developers took the HTML templates and CSS code from TorrentLocker. The common points end there, however, since the code, the encryption scheme and the distribution method of the new ransomware are not the same.
Researchers at ESET (which detects it as Win32/Kryptik.DAPB) drew up a list of everything the two encrypting malware families have in common, and apart from the encryption algorithm (AES-256), the encryption of the AES key (RSA-1024) and the fact that the payment page is hidden on the anonymous Tor network, they do not share much.
CryptoFortress is spread through exploit kits rather than spam. The location of the ransom page is embedded in the malware code rather than supplied by the C&C server.
In addition, the cryptographic library used by CryptoFortress is Microsoft's CryptoAPI, whereas TorrentLocker uses the open-source LibTomCrypt.
Another difference is that the new malware encrypts only the first half of each file, up to 5 MB, and the ransom it demands is around 500 dollars, payable in Bitcoin.
The first report on CryptoFortress appeared at the beginning of the month from the malware researcher Kafeine, who monitors changes in exploit kits. One indicator of infection is that encrypted files carry the "FRTRSS" extension.
Analysis by researchers at the security company Lexsi revealed that the AES key used to encrypt the data on the hard drive is stored locally in the HTML file (named "READ IF YOU WANT YOUR FILES BACK") and is protected by a strong public key (RSA-1024).
Besides local drives, the ransomware also hits mapped drives and network shares, effectively destroying the data there. It also targets backups to prevent files from being restored.
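As an added example (not code from this article or from any of the researchers it cites), the following Python script checks a directory tree for the infection indicators stated above: the FRTRSS extension, the ransom note file name, and a high-entropy file head. Because CryptoFortress encrypts only the first half of each file (up to 5 MB), the entropy heuristic samples the start of the file; a check that sampled the end would see untouched plaintext and miss the infection. The sample size, the entropy threshold and the demo directory built from random bytes are assumptions constructed for the demonstration, not values from the article.

```python
import math
import os
import tempfile
from pathlib import Path

# Indicators taken from the article.
ENCRYPTED_EXTENSION = ".frtrss"
RANSOM_NOTE_PREFIX = "READ IF YOU WANT YOUR FILES BACK"

# Assumed tuning values for the heuristic (not from the article).
SAMPLE_BYTES = 4096   # how much of the head or tail of a file to examine
HIGH_ENTROPY = 7.5    # bits per byte; encrypted or random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def head_entropy(path: Path) -> float:
    """Entropy of the first SAMPLE_BYTES: the region this family encrypts."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES))


def tail_entropy(path: Path) -> float:
    """Entropy of the last SAMPLE_BYTES: the second half, which it leaves in clear."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - SAMPLE_BYTES))
        return shannon_entropy(fh.read(SAMPLE_BYTES))


def scan_tree(root) -> dict:
    """Walk `root` and collect the paths that match each indicator."""
    findings = {"encrypted_ext": [], "ransom_notes": [], "high_entropy_head": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_EXTENSION:
            findings["encrypted_ext"].append(str(path))
        if path.name.upper().startswith(RANSOM_NOTE_PREFIX):
            findings["ransom_notes"].append(str(path))
        if head_entropy(path) >= HIGH_ENTROPY:
            findings["high_entropy_head"].append(str(path))
    return findings


def build_demo_tree() -> Path:
    """Constructed sample directory (not real infection data): a plaintext file,
    a ransom-note placeholder, and a 'partially encrypted' file whose first half
    is random bytes standing in for the AES ciphertext."""
    root = Path(tempfile.mkdtemp(prefix="frtrss_demo_"))
    (root / "notes.txt").write_text("Quarterly figures and meeting notes.\n" * 200)
    (root / "READ IF YOU WANT YOUR FILES BACK.html").write_text(
        "<html>ransom note placeholder</html>")
    ciphertext_half = os.urandom(8192)                          # stand-in for encrypted half
    plaintext_half = b"remaining page content, untouched\n" * 256  # untouched second half
    (root / "report.pdf.FRTRSS").write_bytes(ciphertext_half + plaintext_half)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for kind, paths in scan_tree(demo).items():
        print(kind, paths)
    victim = demo / "report.pdf.FRTRSS"
    print(f"head {head_entropy(victim):.2f} bits/byte, "
          f"tail {tail_entropy(victim):.2f} bits/byte")
```

A high-entropy head on its own is weak evidence, since legitimately compressed formats (ZIP, JPEG, PDF streams) look the same; treat it as corroboration alongside the extension and the note. Since the article notes that mapped drives and network shares are hit as well, the scan root should cover those paths, not just local volumes.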