A team of Finnish researchers has discovered that the files encrypted by TorrentLocker ransomware can be decrypted without paying the ransom – if the user has at least one of the encrypted files backed up somewhere, and that file is over 2MB in size.
Security experts from iSIGHT Partners have also said that, despite the crooks claiming that the malware uses RSA-2048 encryption, it in fact uses the Rijndael algorithm.
Researchers Taneli Kaivola, Patrik Nisén and Antti Nuopponen, who work for information security consultancy Nixu, have analyzed a TorrentLocker variant and have more information to share. Crediting Trend Micro researchers with the discovery that TorrentLocker “encrypted files by combining a keystream to the file with exclusive or (XOR) operation,” they also found that the malware contains AES code as well as the SHA256 and SHA512 hash algorithms.
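The recovery idea behind a keystream-XOR scheme, as an added example that is not the Nixu researchers' tool or code from the original article: XORing an encrypted file with its backup copy yields the keystream, which can then be applied to other files. It assumes the same keystream is reused for every file; the keystream generator, file contents and function names are constructed for the demonstration.

```python
import hashlib

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over their common length."""
    return bytes(x ^ y for x, y in zip(a, b))

def recover_keystream(encrypted: bytes, backup: bytes) -> bytes:
    """c = p XOR k, so k = c XOR p; only the overlapping length is recovered."""
    return xor_bytes(encrypted, backup)

def decrypt(encrypted: bytes, keystream: bytes):
    """Return (data, uncovered): bytes past the keystream's end stay encrypted."""
    n = min(len(encrypted), len(keystream))
    return xor_bytes(encrypted, keystream) + encrypted[n:], len(encrypted) - n

def constructed_keystream(length: int) -> bytes:
    """Stand-in keystream for this demo only, not the malware's generator."""
    out, i = b"", 0
    while len(out) < length:
        out += hashlib.sha256(b"demo-%d" % i).digest()
        i += 1
    return out[:length]

def demo():
    ks = constructed_keystream(4096)            # assumed: reused for every file
    backup = b"%PDF-1.4\n" + b"A" * 1000        # constructed file the victim still has
    photo = b"\x89PNG\r\n\x1a\n" + b"B" * 500   # constructed file with no backup
    report = b"%PDF-1.4\n" + b"C" * 2000        # constructed file longer than the backup
    enc = {name: xor_bytes(data, ks) for name, data in
           [("backup", backup), ("photo", photo), ("report", report)]}

    recovered = recover_keystream(enc["backup"], backup)
    photo_out, photo_gap = decrypt(enc["photo"], recovered)
    report_out, report_gap = decrypt(enc["report"], recovered)
    return {
        "keystream_len": len(recovered),
        "photo_ok": photo_out == photo,
        "photo_gap": photo_gap,
        "report_prefix_ok": report_out[:len(recovered)] == report[:len(recovered)],
        "report_gap": report_gap,
    }

if __name__ == "__main__":
    print(demo())
```

The non-zero `report_gap` shows why the size of the backed-up file matters: the recovered keystream is only as long as the known encrypted/backup pair.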