CryptoFortress mimics TorrentLocker but is a different ransomware

Last week, Kafeine published a blog post about a ransomware being distributed by the Nuclear Pack exploit kit. This ransomware identify itself as “CryptoFortress”, but the ransom message and payment page both looks like an already known ransomware: TorrentLocker.

After further analysis, ESET researchers found out is the two threats are in fact very different. It appears the group behind CryptoFortress has stolen the HTML templates with its CSS. The malware code and the scheme are actually very different. Here is a table summering the similarities and differences:

  TorrentLocker CryptoFortress
Propagation Spam Exploit kit
File encryption AES-256 CBC AES-256 ECB
Hardcoded C&C server Yes No
Ransom page location Fetched from C&C server Included in malware
Payment page location Onion-routed (but same server as the hardcoded C&C) Onion-routed
AES key encryption RSA-1024 RSA-1024
Cryptographic library LibTomCrypt Microsoft CryptoAPI
Encrypted portion of files 2 Mb at beginning of file First 50% of the file, up to 5 Mb
Payment Bitcoin (variable amount) 1.0 Bitcoin


CryptoFortress ransom page

CryptoFortress ransom page

TorrentLocker ransom page

TorrentLocker ransom page

Differences in the HTML pages

Differences in the HTML pages

Last Friday, Renaud Tabary from Lexsi published a complete analysis of the new ransomware. ESET researchers have independently analyzed the CryptoFortress samples before Lexsi released the details. The technical details described in the article matches our findings.

ESET Telemetry also shows TorrentLocker campaign is still propagating via spam messages. Both campaign are now running in parallel.


CryptoFortress: Teerac.A (aka TorrentLocker) got a new identity,


Sample analyzed

SHA-1 sum ESET Detection name
d7085e1d96c34d6d1e3119202ab7edc95fd6f304 Win32/Kryptik.DAPB

CryptoFortress public key

-----END PUBLIC KEY-----


Author , ESET

Follow us

Copyright © 2017 ESET, All Rights Reserved.