The Scraper ransomware, is in fact a Torlocker which was discovered in October last year and given the name Trojan-Ransom.Win32.Scrape. The ransomware encrypts a victim’s files including documents, video, images and database copies and demands a ransom of at least $300 to unlock and decrypt documents.
However, the Scraper ransomware has a flaw in encryption algorithms means in about 70 per cent of cases files can be decrypted without submitting to the attacker’s demands.
Kaspersky Labs scrutinized the ransomware strain in detail and also mentioned in their blog post that victims can get their data back without giving into demands for money.
The crypto-ransom first appeared in an attack against Japanese users last year, later appeared in an English version. After landing on victim computer systems via the Andromeda botnet, the Trojan uses the Tor network and a proxy server to contact its owners.
After encrypting the files, the Trojan installs the following wallpaper on the user’s desktop with a link to its executable file.
As explained by Kaspersky, “The user’s files are encrypted with AES-256 with a randomly generated one-time key; an individual encryption key is created for each file. Then, a 512-byte service section is added to the end of each file, which consists of 32 bytes of padding, 4 bytes of the Trojan’s identifier, and 476 bytes of the employed AES key encrypted with RSA-2048.”
Victims can re-download the malicious code and notify its operators that the ransom has been paid through a dedicated TorLocker window. The data is then sent through to a command and control (C&C) server which will respond with a private RSA key if money has changed hands. The ransomware supports payments made in Bitcoin, UKash and PaySafeCard.
The victims are intimidated to make payment through a timer system which threatens to delete the key necessary to decode files.