TorLocker victims can decrypt most files without paying ransom

Crypto-ransomware rarely means good news for targets, but when it comes to TorLocker malware (detected as Trojan-Ransom.Win32.Scraper by Kaspersky Lab), the victims can decrypt most of the encrypted files without parting with their hard-earned cash.

Initially used to target Japanese users, later variants of the malware were also aimed at English speakers. Despite few code changes, the file encryption algorithm remained the same.

“Our analysis has shown that Trojan-Ransom.Win32.Scraper was presumably written in assembler, which is unusual for this type of malware. The Trojan uses the Tor network to contact its ‘owners’ – something that is apparently becoming a norm for the new generation of ransomware – and the proxy server polipo,” Kaspersky Lab researchers explain.

“If the malware gets deleted by a security product after the files are encrypted, the Trojan installs bright red wallpaper on the Desktop, containing a link to its executable file. Thus, users have a chance to re-install the Trojan and report to its owners that they have paid the ransom: to do so, users need to enter payment details in a dedicated TorLocker window.”

The Trojan encrypts a wide variety of files (office documents, video and audio files, images, archives, databases, certificates, etc.) with AES-256 + RSA-2048 and asks the user to pay $300 or more to decrypt them.

But the malware’s implementation of cryptography algorithms is flawed, meaning that victims can decrypt more than 70 percent of the encrypted files themselves.

The researchers didn’t explain what errors the malware designers made, but they have helpfully created and made available a tool (ScraperDecryptor) that can be used to try to decrypt the files.