# CryptoFortress mimics TorrentLocker but is a different ransomware

**[welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/](https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/)**

March 9, 2015

ESET assess the differences between CryptoFortress and TorrentLocker: two very different strains of ransomware.

Last week, [Kafeine](https://twitter.com/kafeine) published a blog post about a ransomware being distributed by the Nuclear Pack exploit kit. This ransomware identifies itself as "CryptoFortress", but its ransom message and payment page both look like those of an already known ransomware: [TorrentLocker](https://www.welivesecurity.com/2014/12/16/torrentlocker-racketeering-ransomware-disassembled-by-eset-experts/). After further analysis, ESET researchers found that the two threats are in fact very different. **It appears the group behind CryptoFortress has stolen the HTML templates with its CSS. The malware code and the scheme are actually very different.**

Here is a table summarizing the similarities and differences:

| | **TorrentLocker** | **CryptoFortress** |
|---|---|---|
| **Propagation** | Spam | Exploit kit |
| **File encryption** | AES-256 CBC | AES-256 ECB |
| **Hardcoded C&C server** | Yes | No |
| **Ransom page location** | Fetched from C&C server | Included in malware |
| **Payment page location** | Onion-routed (but same server as the hardcoded C&C) | Onion-routed |
| **AES key encryption** | RSA-1024 | RSA-1024 |
| **Cryptographic library** | LibTomCrypt | Microsoft CryptoAPI |
| **Encrypted portion of files** | 2 Mb at beginning of file | First 50% of the file, up to 5 Mb |
| **Payment** | Bitcoin (variable amount) | 1.0 Bitcoin |

*Figure: CryptoFortress ransom page*

*Figure: TorrentLocker ransom page*

*Figure: Differences in the HTML pages*

Last Friday, [Renaud Tabary from Lexsi published a complete analysis of the new ransomware](http://www.lexsi-leblog.com/cert-en/cryptofortress.html). ESET researchers had independently analyzed the CryptoFortress samples before Lexsi released the details. The technical details described in the article match our findings.

ESET telemetry also shows that the TorrentLocker campaign is still propagating via spam messages. Both campaigns are now running in parallel.
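As an added example that is not part of the original article, the following Python turns two rows of the table into forensic triage helpers: it computes which byte range each family encrypts (so an analyst knows which part of a file is still intact) and scores a region for repeated 16-byte blocks, the pattern AES-ECB (CryptoFortress) leaves and AES-CBC (TorrentLocker) does not. It assumes that "Mb" means 1024*1024 bytes and that a file shorter than the family's cap is encrypted in full; the sample bytes are constructed, not real ransomware output.

```python
"""Forensic triage helpers derived from the comparison table above.

Assumptions (not from the article): 1 Mb is taken as 1024*1024 bytes, and a
file shorter than the family's cap is assumed to be encrypted in full.
"""
from collections import Counter
from typing import Tuple

MB = 1024 * 1024        # assumed unit for the table's "Mb"
AES_BLOCK = 16          # AES block size in bytes, same for both families


def encrypted_span(family: str, file_size: int) -> Tuple[int, int]:
    """Return (start, end) of the byte range the named family encrypts.

    TorrentLocker : 2 Mb at the beginning of the file
    CryptoFortress: first 50% of the file, up to 5 Mb
    """
    if family == "TorrentLocker":
        return 0, min(file_size, 2 * MB)
    if family == "CryptoFortress":
        return 0, min(file_size // 2, 5 * MB)
    raise ValueError(f"unknown family: {family}")


def intact_span(family: str, file_size: int) -> Tuple[int, int]:
    """Bytes after the encrypted region are untouched and can be carved out."""
    _, end = encrypted_span(family, file_size)
    return end, file_size


def duplicate_block_ratio(data: bytes, block: int = AES_BLOCK) -> float:
    """Fraction of full blocks that repeat an earlier block in the region.

    ECB maps equal plaintext blocks to equal ciphertext blocks, so repetitive
    input leaves visible repeats; CBC chains blocks and shows none. A high
    ratio is a hint for ECB, not proof: the plaintext must have had repeats.
    """
    usable = len(data) - len(data) % block
    blocks = [data[i:i + block] for i in range(0, usable, block)]
    if not blocks:
        return 0.0
    repeats = sum(count - 1 for count in Counter(blocks).values())
    return repeats / len(blocks)


# Constructed samples: one region where a 16-byte block repeats four times, as
# ECB would produce from a zero-filled plaintext run, and one with no repeats.
SAMPLE_ECB_LIKE = bytes(range(16)) * 4 + bytes(range(16, 32))
SAMPLE_CBC_LIKE = bytes(range(80))
```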
## References

- CryptoFortress: Teerac.A (aka TorrentLocker) got a new identity, [http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html](http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html)
- CryptoFortress, [http://www.lexsi-leblog.com/cert-en/cryptofortress.html](http://www.lexsi-leblog.com/cert-en/cryptofortress.html)

## Sample analyzed

| **SHA-1 sum** | **ESET Detection name** |
|---|---|
| [d7085e1d96c34d6d1e3119202ab7edc95fd6f304](https://www.virustotal.com/en/file/2b1f36a4c856b989a941f454fcce3a5e9670b21de105c5014450cbdaa27ed1cb/analysis/) | Win32/Kryptik.DAPB |

## CryptoFortress public key