Ransomware strain breaks, victims avoid payment

A newly released ransomware strain's poor coding allows victims, in most cases, to access their files without parting with a cent.
Written by Charlie Osborne, Contributing Writer
A new strain of ransomware has been broken, allowing victims to avoid payment and regain access to their locked data.

The Scraper ransomware, originally known as Torlocker, was discovered in October last year and given the name Trojan-Ransom.Win32.Scrape. The ransomware encrypts a victim's files -- including documents, video, images and database copies -- and demands a ransom of at least $300 to unlock and decrypt them.

However, due to errors in the malware's implementation of its encryption algorithms, files can be unlocked in 70 percent of cases without submitting to the attacker's demands.

In a blog post, Kaspersky Labs analyzes the ransomware strain in detail, and among the security company's findings is the fact that, in most cases, victims can get their data back without giving in to demands for money.

First appearing in an attack against Japanese users last year, the crypto-ransomware samples obtained by Kaspersky come in both Japanese and English versions. The Trojan reaches victims' computers via the Andromeda botnet and then uses the Tor network and a proxy server to contact its operators.

The Trojan demands upwards of $300. If an antivirus program detects and deletes the malware after the files have already been encrypted, the Trojan leaves a wallpaper on the user's desktop with a link to its executable file.

Victims can re-download the malicious code and notify its operators that the ransom has been paid through a dedicated TorLocker window. The data is then sent to a command and control (C&C) server, which responds with a private RSA key if money has changed hands. The ransomware accepts payments made in Bitcoin, Ukash and PaySafeCard.

Victims are pressured to pay up by a countdown timer that threatens to delete the key needed to decrypt their files.

Scraper encrypts files using both AES-256 and RSA-2048. However, a fundamental flaw in the ransomware creator's implementation of these cryptographic algorithms means files can be decrypted without payment, according to the security team. In over 70 percent of cases, Kaspersky Labs' ScraperDecryptor utility can remove the malicious code from a system and, more likely than not, restore the device's original files.

Unfortunately, ransomware has become a popular way to extract money from victims who inadvertently download the malware. The fear factor stems from ransomware often masquerading as law enforcement and alleging that the victim has been viewing illegal material or similar, and a countdown timer adds panic, which in turn pressures the victim to pay up rather than lose their files.

In March, a new variant of the Cryptolocker ransomware targeting gamers was discovered. Dubbed TeslaCrypt, the malware strain targets data files for games, is distributed through compromised websites, and uses the Angler exploit kit to lock systems and demand payment.
