CryptoFortress: a sophisticated CryptoLocker


CryptoFortress is a new file-encrypting ransomware. It looks similar to TorrentLocker, but its internal mechanism shows a different malware structure.

The ransom message shown to the victim once the data on the computer has been encrypted is the same as in the case of TorrentLocker, which, as we reported, borrowed it from CryptoLocker. Similarities have also been found on the payment page.

Security researchers report that the developers of CryptoFortress took HTML templates and CSS code from TorrentLocker. However, the similarities stop there, since the code, the encryption scheme and the distribution method of the new ransomware are not the same.

Researchers at ESET (who detect it as Win32/Kryptik.DAPB) have compiled a list of everything the two encrypting malware families have in common. Apart from the encryption algorithm (AES-256), the encryption of the AES key (RSA-1024) and the fact that the payment page is hidden in the Tor anonymity network, they do not share much.

CryptoFortress is spread through exploit kits, not spam. The ransom page location is in the malware code, not in the C&C.

In addition, the cryptographic library used by CryptoFortress is Microsoft's CryptoAPI, while TorrentLocker uses the open-source LibTomCrypt.

Another difference is that the new malware encrypts the first half of each file, or up to 5MB, and the ransom it demands is around 500 dollars, payable in Bitcoin.

The first report of CryptoFortress appeared at the beginning of the month from the malware researcher Kafeine, who monitors changes in exploit kits. An indication of infection is that the files use "FRTRSS" as an extension.

Analysis by security researchers at security firm Lexsi revealed that the AES key used to encrypt data on the hard drive is stored locally in the HTML file (the file is called "READ IF YOU WANT YOUR FILES BACK"), and is protected by a strong key (RSA-1024).

In addition to local drives, the ransomware also hits mapped drives and shared network files, virtually destroying them. It also targets backups to prevent files from being restored.
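A sweep for the two on-disk indicators named above (the "FRTRSS" extension and the ransom note's file name) across local, mapped and shared paths, as an added example that is not part of the original article. Case-insensitive matching, the `.html`/`.htm` note extension and the function names are assumptions of this example.

```python
import os
import sys
from collections import defaultdict

# Indicators as given in the article. How they are matched (case-insensitive,
# note name as a prefix of the file stem) is an assumption of this example.
ENCRYPTED_EXT = ".frtrss"
NOTE_STEM = "read if you want your files back"
NOTE_EXTS = (".html", ".htm")


def sweep(roots):
    """Walk every root (local drive, mapped drive or share path) and return
    {directory: {"encrypted": [names], "notes": [names]}} for directories
    that contain at least one indicator."""
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                stem, ext = os.path.splitext(name.lower())
                if ext == ENCRYPTED_EXT:
                    hits[dirpath]["encrypted"].append(name)
                elif ext in NOTE_EXTS and stem.startswith(NOTE_STEM):
                    hits[dirpath]["notes"].append(name)
    return dict(hits)


def summarize(hits):
    """Return (directory, encrypted_count, note_count) rows, worst-hit
    directories first, so restore work can be prioritised."""
    rows = [(d, len(v["encrypted"]), len(v["notes"])) for d, v in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    # Usage: python sweep.py <root> [<root> ...]   (defaults to the current dir)
    for directory, enc, notes in summarize(sweep(sys.argv[1:] or ["."])):
        print(f"{enc:6d} encrypted  {notes:2d} note(s)  {directory}")
```

A directory that holds a ransom note but no encrypted files is still listed, which helps spot shares the malware visited but where the files have since been restored or removed.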


Written by giorgos
