iSIGHT partners discovered a new ransomware strain, which uses components of CryptoLocker and CryptoWall but underneath the surface, the code is completely different from these two earlier ransomware families. They have called this new strain ‘TorrentLocker’.
Despite its unique code, the malware tricks victims into thinking that it's CryptoLocker by copycatting the CryptoLocker ransom message. The design of the ransom page looks more like CryptoWall. The malware installs itself on the infected machine and injects a binary into a legitimate process.
This injected binary contains the functionality to encrypt files using the Rijndael algorithm. Once files are encrypted, the victim is prompted with a ransom message and a decryption deadline. The victim is required to purchase bitcoins and send the payment to the Bitcoin address provided.
The malware and its configuration reside in the Windows Registry for continued persistence on the infected machine. The registry contains items such as the original binary, ransom message, install locations, autorun key and number of encrypted files. This strain has been spotted in Australia first, apparently the bad guys are using the aussies as their beta test and then go worldwide. More at: http://www.isightpartners.com/2014/08/analysis-torrentlocker-new-strain-malware-using-components-cryptolocker-cryptowall/#sthash.PB0gegJd.dpuf
