A Flawed Ransomware that Enables Victims to Evade Payment

A newly released strain of ransomware has been broken, allowing for victims to evade payment and access their locked data.

The Scraper ransomware is in fact a TorLocker variant that was discovered in October last year and given the name Trojan-Ransom.Win32.Scrape. The ransomware encrypts a victim’s files, including documents, videos, images and database copies, and demands a ransom of at least $300 to unlock and decrypt them.

However, the Scraper ransomware has a flaw in its encryption implementation, which means that in about 70 per cent of cases files can be decrypted without submitting to the attacker’s demands.

Kaspersky Labs scrutinized the ransomware strain in detail and stated in its blog post that victims can get their data back without giving in to the demands for money.

The crypto-ransomware first appeared in an attack against Japanese users last year and later appeared in an English version. After landing on victim computer systems via the Andromeda botnet, the Trojan uses the Tor network and a proxy server to contact its operators.

After encrypting the files, the Trojan sets a wallpaper on the user’s desktop containing a link to its executable file.

As explained by Kaspersky, “The user’s files are encrypted with AES-256 with a randomly generated one-time key; an individual encryption key is created for each file. Then, a 512-byte service section is added to the end of each file, which consists of 32 bytes of padding, 4 bytes of the Trojan’s identifier, and 476 bytes of the employed AES key encrypted with RSA-2048.”
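To make that trailer layout concrete for triage, here is an added Python example (not code from the article or from Kaspersky) that splits an encrypted file into its ciphertext and the 512-byte service section, checks the 4-byte identifier, and returns the RSA-wrapped key blob a responder would keep for recovery should the private key become available. The identifier value and the sample file contents are constructed, since the article gives neither.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Layout of the service section appended to each file, per Kaspersky's description.
TRAILER_LEN = 512
PADDING_LEN = 32
ID_LEN = 4
KEY_BLOB_LEN = 476  # 32 + 4 + 476 == 512
assert PADDING_LEN + ID_LEN + KEY_BLOB_LEN == TRAILER_LEN

# Placeholder identifier: the real 4-byte Trojan identifier is NOT given in the article.
SAMPLE_ID = b"\x53\x43\x52\x50"


@dataclass
class ScraperTrailer:
    ciphertext: bytes   # the AES-256-encrypted file body (one random key per file)
    padding: bytes      # 32 bytes of padding
    trojan_id: bytes    # 4-byte identifier written by the Trojan
    key_blob: bytes     # 476 bytes: the per-file AES key, RSA-2048-encrypted


def parse_scraper_file(data: bytes, expected_id: Optional[bytes] = None) -> ScraperTrailer:
    """Split an encrypted file into ciphertext and the 512-byte service section.

    Raises ValueError if the file is too short to carry a service section, or if
    expected_id is given and the embedded identifier does not match it.
    """
    if len(data) < TRAILER_LEN:
        raise ValueError("shorter than the 512-byte service section; not a Scraper output")
    body, trailer = data[:-TRAILER_LEN], data[-TRAILER_LEN:]
    padding = trailer[:PADDING_LEN]
    trojan_id = trailer[PADDING_LEN:PADDING_LEN + ID_LEN]
    key_blob = trailer[PADDING_LEN + ID_LEN:]
    if expected_id is not None and trojan_id != expected_id:
        raise ValueError(f"identifier {trojan_id.hex()} != expected {expected_id.hex()}")
    return ScraperTrailer(body, padding, trojan_id, key_blob)


def build_sample(ciphertext_len: int = 1000, trojan_id: bytes = SAMPLE_ID) -> bytes:
    """Assemble a constructed file with the layout the article describes (random contents)."""
    ciphertext = os.urandom(ciphertext_len)
    padding = bytes(PADDING_LEN)
    key_blob = os.urandom(KEY_BLOB_LEN)  # stands in for the RSA-2048-encrypted AES key
    return ciphertext + padding + trojan_id + key_blob
```

Passing the identifier seen in one confirmed file as `expected_id` lets a responder confirm that other affected files on the host came from the same infection before collecting their key blobs.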

Victims can re-download the malicious code and notify its operators, through a dedicated TorLocker window, that the ransom has been paid. The data is then sent to a command and control (C&C) server, which responds with a private RSA key if money has changed hands. The ransomware accepts payments made in Bitcoin, UKash and PaySafeCard.

Victims are pressured into paying by a timer that threatens to delete the key needed to decrypt their files.

Ehacking Staff