| Property | Value |
|---|---|
| Encryption Type | 2048 bit RSA-AES key |
| Distribution Method | Exploit kits, fake downloads |

This ransomware was first believed to be a member of the TorrentLocker family, but closer analysis showed that the two are different. The major differences are given below.
It is said that this ransomware reuses some of the source code from TorrentLocker, but otherwise it is a family of its own. It uses an RSA-AES key for encryption; the key is generated on the victim side and is therefore stored on the infected device. The malware XORs the key with an embedded key and then appends 8 bytes of the key to the end of each encrypted file.
One major defect in this ransomware is that its attempts to connect to the C&C server often fail during the initial stage; it also generates a large amount of malicious SMB traffic.
A notable capability is that it enumerates the network shares and all logical drives, and also deletes the shadow volume copies on the infected device; this is done to prevent easy recovery of the encrypted files.
The working mechanism is as follows: once the ransomware infiltrates the victim's device, it creates a .bat file and begins by deleting the victim's shadow copies.
The code used to delete the shadow volume copies is shown above.
It then enumerates the file system for supported data files. When a data file is found, it creates a copy of the file with the extension .frtrss appended to the end, encrypts the data, and then restores the file to its original name and extension. After encrypting all targeted files, CryptoFortress drops a ransom note in the directory, named Read if you want your files back.html.
It also drops many readme files in the folders where files were encrypted; these files give the victim instructions for getting the files back.
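The behaviours described above (a batch-launched shadow-copy deletion, files staged with a .frtrss extension, and a ransom note dropped per directory) are each observable on an endpoint. The following Python is an added detection example, not code from the original analysis. It assumes Sysmon-style process events as dicts and a list of file paths, both constructed here; it also assumes the .bat file invokes vssadmin or wmic to delete shadow copies, since the page does not quote the command.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the batch file uses vssadmin or wmic for shadow-copy deletion.
# The page says the .bat deletes shadow copies but does not quote the command.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]
STAGING_EXT = ".frtrss"                          # extension used while a file is staged
RANSOM_NOTE = "read if you want your files back.html"  # note name, compared case-insensitively


def is_shadow_delete(cmdline: str) -> bool:
    """True if a process command line deletes volume shadow copies."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def flag_process_events(events):
    """Return (pid, reason) for every shadow-copy deletion; note cmd.exe parents,
    which is what a .bat-driven deletion looks like in process telemetry."""
    hits = []
    for ev in events:
        if not is_shadow_delete(ev["cmdline"]):
            continue
        reason = "shadow-copy deletion"
        if PureWindowsPath(ev.get("parent_image", "")).name.lower() == "cmd.exe":
            reason += " spawned by cmd.exe (batch script)"
        hits.append((ev["pid"], reason))
    return hits


def scan_paths(paths):
    """Find .frtrss staging files and the directories holding a ransom note."""
    staging, note_dirs = [], set()
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == STAGING_EXT:
            staging.append(str(wp))
        elif wp.name.lower() == RANSOM_NOTE:
            note_dirs.add(str(wp.parent))
    return {"staging_files": staging, "note_dirs": sorted(note_dirs)}


# Constructed sample telemetry (hypothetical host, user and file names).
SAMPLE_EVENTS = [
    {"pid": 1204, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\del.bat"'},
    {"pid": 1210, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 1322, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin.exe list shadows"},   # benign: listing, not deleting
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.frtrss",
    r"C:\Users\alice\Documents\Read if you want your files back.html",
    r"\\fileserver\share\report.docx.frtrss",   # network share, as the page describes
    r"\\fileserver\share\Read if you want your files back.html",
    r"C:\Users\alice\Pictures\holiday.jpg",
]

if __name__ == "__main__":
    for pid, reason in flag_process_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
    result = scan_paths(SAMPLE_PATHS)
    print("staging files:", result["staging_files"])
    print("directories with ransom note:", result["note_dirs"])
```

Only the deletion spawned under cmd.exe is flagged; the benign `vssadmin list shadows` is ignored. Because the .frtrss name exists only while a file is being encrypted, a file-monitoring alert on that extension fires early, whereas the ransom-note check confirms which directories (including network shares) were already processed.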