ESET® research team in Canada has analyzed a widespread ransomware case generally known as TorrentLocker, which started spreading in early 2014. The latest variant of the malware has infected at least 40,000 systems in the last few months, targeting primarily European countries. ESET’s security research team has prepared an extensive white paper presenting all the findings of its investigation and its analysis of the malware’s behavior; the white paper and an accompanying blog post are now available on WeLiveSecurity.com.
ESET’s telemetry detects TorrentLocker as Win32/Filecoder.Dl. Its name was derived from the registry key the malware used, early in this filecoder’s evolution, to store its configuration under the fake name “Bit Torrent Application”.
This ransomware family encrypts documents, pictures and other files on the user’s device and demands a ransom to restore access to them. Its typical signature is that the ransom is paid solely in crypto-currency: up to 4.081 Bitcoins (€1,180 or $1,500). In the latest campaigns, TorrentLocker has infected 40,000 systems and encrypted more than 280 million documents, in targeted countries mainly in Europe but also addressing users in Canada, Australia and New Zealand. Of all these victims, only 570 paid the ransom, which has earned the actors behind TorrentLocker US$585,401 in Bitcoins.
In the white paper, ESET researchers describe seven different ways in which TorrentLocker is spread. According to ESET’s telemetry, the first traces of this malware date to February 2014. The malware is under constant development; its most advanced version has been operating since August 2014.
“We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking trojan malware,” said Marc-Etienne M. Léveillé, ESET researcher from Canada. “Moreover, with TorrentLocker, the attackers have been reacting to online reports by defeating Indicators of Compromise used for detection of the malware and changing the way they use the Advanced Encryption Standard (AES) from Counter mode (CTR) to Cipher Block Chaining mode (CBC) after a method for extracting the key stream was disclosed.”
This means that TorrentLocker victims can no longer recover all their documents by combining an encrypted file with its plaintext to recover the key stream.
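To make the mode change concrete, the following Go program is an added illustration (it is not ESET’s code and contains nothing taken from TorrentLocker itself). It assumes, for illustration only, that one key and IV were reused for every file: under CTR, XORing a file the victim still has with its encrypted copy yields the keystream, which then decrypts a second file; under CBC the same XOR yields nothing usable. The key, IV and invoice strings are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// Constructed sample values; the assumption is that one key and IV were reused for every file.
var (
	sampleKey = []byte("0123456789abcdef0123456789abcdef") // 32-byte AES-256 key
	sampleIV  = []byte("fixed-nonce-1234")                 // 16-byte IV, reused
	knownDoc  = []byte("Invoice 0001 amount due 1180 EUR") // victim still has the original
	secretDoc = []byte("Invoice 0002 amount due 1500 USD") // only its ciphertext survives
)

// xorBytes XORs a and b up to the shorter length, so recovery reaches only as far as the known plaintext.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encrypt runs AES-CTR (cbc=false) or AES-CBC (cbc=true) under the fixed key and IV; inputs are block-aligned.
func encrypt(plaintext []byte, cbc bool) []byte {
	block, err := aes.NewCipher(sampleKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	if cbc {
		cipher.NewCBCEncrypter(block, sampleIV).CryptBlocks(out, plaintext)
	} else {
		cipher.NewCTR(block, sampleIV).XORKeyStream(out, plaintext)
	}
	return out
}

// RecoverByKnownPlaintext models the victim-side recovery: XOR a file whose plaintext is
// still available with its ciphertext to get the keystream, then XOR that into another ciphertext.
func RecoverByKnownPlaintext(cbc bool) bool {
	keystream := xorBytes(knownDoc, encrypt(knownDoc, cbc))
	recovered := xorBytes(keystream, encrypt(secretDoc, cbc))
	return string(recovered) == string(secretDoc)
}
```

RecoverByKnownPlaintext(false) returns true (CTR, recovery succeeds) while RecoverByKnownPlaintext(true) returns false (CBC, the XOR result is unrelated to the second document).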
How does the infection spread? The victim receives a spam e-mail with a malicious document and is led to open the enclosed file; the attachments are mostly unpaid invoices, package tracking notices or unpaid speeding tickets. The e-mail’s credibility is increased by mimicking businesses or government websites in the victim’s location. If a reader of the spam message clicks the link to the download page from outside one of the targeted countries, they are redirected to the Google Search page.
“To fool the victims, the attackers have even inserted CAPTCHA images to create a false sense of security,” explains Léveillé.
More information about the TorrentLocker ransomware is now available on ESET’s security news website WeLiveSecurity.com. The blog post introducing the research and the malware is available here: http://www.welivesecurity.com/2014/12/16/torrentlocker-racketeering-ransomware-disassembled-by-eset-experts/. The detailed white paper is available here: http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf
Since 1987, ESET® has been developing record award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.