CryptoFortress is a new ransomware with file-encryption capabilities. It looks like TorrentLocker, but its internal mechanism shows a different malware structure.
The ransom message shown to the victim once the data on the computer has been encrypted is the same as in the case of TorrentLocker, which, as we have mentioned, borrowed it from CryptoLocker. Similarities have also been found on the payment page.
Security researchers report that the CryptoFortress developers took HTML templates and CSS code from TorrentLocker. However, the similarities stop there: the code, the encryption scheme and the distribution method of the new ransomware are not the same.
CryptoFortress is spread through exploit kits, not spam. The ransom page is located in the malware code itself, not on the C&C (command-and-control) server.
In addition, the cryptographic library used by CryptoFortress is Microsoft's CryptoAPI, while TorrentLocker uses the open-source LibTomCrypt.
Another difference is that the new malware encrypts only the first half of each file, or up to 5 MB, and the ransom it requests is around 500 dollars, to be paid in Bitcoin.
The first CryptoFortress report was released early in the month by the malware researcher Kafeine, who monitors changes in exploit kits. An indicator of infection is that the affected files use "FRTRSS".
Analysis by researchers at the security company Lexsi revealed that the AES key used to encrypt data on the hard disk is stored locally in the HTML file (the file is called "READ IF YOU WANT YOUR FILES BACK") and is protected by strong public-key encryption (RSA 1024).
In addition to local drives, the ransomware also hits mapped drives and shared network files, effectively destroying them. It also targets backups to prevent files from being restored.
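For responders, the two on-disk indicators named above can be swept for across local and mapped drives. The following Python triage script is an added example, not code from the researchers cited: it groups hits per directory and reports the earliest modification time among them, which helps bound when encryption started. It assumes "FRTRSS" appears as a case-insensitive file extension and that the ransom note keeps the quoted name with any extension; the sample tree is constructed.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Indicators from the article; the matching rules are assumptions of this example.
ENCRYPTED_EXT = ".frtrss"                       # compared case-insensitively
NOTE_STEM = "read if you want your files back"  # ransom note name, any extension


def triage(root):
    """Walk root and summarise CryptoFortress indicators per directory."""
    hits = defaultdict(lambda: {"encrypted": 0, "note": False, "first_seen": None})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            is_enc = ext.lower() == ENCRYPTED_EXT
            is_note = stem.lower() == NOTE_STEM
            if not (is_enc or is_note):
                continue
            entry = hits[dirpath]
            entry["encrypted"] += int(is_enc)
            entry["note"] = entry["note"] or is_note
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # unreadable entry: still counted, no timestamp
            if entry["first_seen"] is None or mtime < entry["first_seen"]:
                entry["first_seen"] = mtime
    return dict(hits)


def earliest_activity(report):
    """Earliest mtime across all hits (UTC), a bound for choosing a restore point."""
    times = [e["first_seen"] for e in report.values() if e["first_seen"] is not None]
    return datetime.fromtimestamp(min(times), tz=timezone.utc) if times else None


def build_sample_tree():
    """Constructed sample data: one affected share directory and one clean one."""
    root = tempfile.mkdtemp(prefix="frtrss_demo_")
    samples = {"share/q1.xlsx.frtrss": 1425000000, "share/notes.DOC.FRTRSS": 1425000060,
               "share/READ IF YOU WANT YOUR FILES BACK.html": 1425000120,
               "clean/report.pdf": 1420000000}
    for rel, ts in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (ts, ts))  # fixed mtimes so the result is deterministic
    return root
```

Call `triage()` on each local and mapped drive root; directories that contain the note but no marked files still appear in the report.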