ESET researchers analyse a broad family of the malware and its modus operandi
Encrypts files on user’s device, requests ransom to get back access
The latest variant of the TorrentLocker ransomware has infected at least 40,000 systems in the last few months, primarily targeting European countries, according to ESET’s research team in Canada.
According to ESET’s telemetry, the first traces of this malware date to February 2014. The malware is under constant development and its most advanced version has been operating since August 2014, the Bratislava, Slovakia-headquartered company said in a statement.
ESET’s telemetry detects TorrentLocker as Win32/Filecoder.Dl; the TorrentLocker name derives from the registry key in which early versions of this filecoder stored their configuration under the fake name ‘Bit Torrent Application’.
This family of ransomware encrypts documents, pictures and other files on a user’s device and requests ransom to get back access to their files.
Its hallmark is that the ransom is payable solely in crypto-currency – up to 4.081 bitcoins (€1,180 or US$1,500).
In its most recent campaigns, TorrentLocker infected 40,000 systems and encrypted more than 280 million documents, mainly in European countries but also reaching users in Canada, Australia and New Zealand.
Out of these cases, only 570 victims paid the ransom, which has earned the actors behind TorrentLocker the equivalent of US$585,401 in bitcoins, ESET said.
In a white paper, ESET researchers observed and analysed seven different ways of spreading TorrentLocker.
“We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking trojan malware,” said ESET Canada researcher Marc-Etienne M. Léveillé.
“Moreover, with TorrentLocker, the attackers have been reacting to online reports by defeating Indicators of Compromise used for detection of the malware and changing the way they use Advanced Encryption Standards (AES) from Counter mode (CTR) to Cipher block chaining mode (CBC) after a method for extracting the key stream was disclosed.”
This means that TorrentLocker victims can no longer recover all their documents by combining an encrypted file with its known plain text to recover the key stream, ESET said.
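The recovery method the article refers to, and why the mode change closed it, as an added illustration that is not part of ESET’s report or the malware’s code: a stream cipher such as AES-CTR produces ciphertext as plaintext XOR keystream, so a victim who still holds one file in plain text can XOR it with the encrypted copy to recover the keystream, and, if the same key and nonce were reused for every file (an assumption here; the article only implies it by saying all documents could be recovered), apply that keystream to the other files. Under CBC each block is chained through the block cipher, so the same XOR yields nothing reusable. The key, nonce and two sample “documents” below are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed 16-byte key and nonce. Modelled weakness (assumption, the article
// only implies it): the same key and nonce are reused for every file, so one
// recovered keystream decrypts the others.
var (
	fixedKey   = []byte("0123456789abcdef")
	fixedNonce = []byte("fedcba9876543210")
)

// Constructed sample documents: fileA is one the victim still holds in plain
// text (say, a copy kept in a sent e-mail); fileB is one they want back.
var (
	fileA = []byte("INVOICE 2014-0001. Amount due: 4.081 BTC. Pay within 72 hours or the price doubles. Ref: CONSTRUCTED-SAMPLE")
	fileB = []byte("Dear customer, your parcel could not be delivered. See attached tracking details.")
)

// xorBytes XORs the common prefix of a and b.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func newAES() cipher.Block {
	block, err := aes.NewCipher(fixedKey)
	if err != nil {
		panic(err) // cannot happen for a 16-byte key
	}
	return block
}

// ctrEncrypt models the earlier scheme: AES-CTR with a fixed key and nonce.
func ctrEncrypt(plain []byte) []byte {
	out := make([]byte, len(plain))
	cipher.NewCTR(newAES(), fixedNonce).XORKeyStream(out, plain)
	return out
}

// pkcs7Pad pads to a multiple of the AES block size, as CBC requires.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// cbcEncrypt models the later scheme: AES-CBC with the same fixed key and IV.
func cbcEncrypt(plain []byte) []byte {
	padded := pkcs7Pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(newAES(), fixedNonce).CryptBlocks(out, padded)
	return out
}

// recoverKeystream is the known-plaintext step: for a stream cipher
// C = P xor KS, so KS = C xor P over the bytes where P is known.
func recoverKeystream(knownPlain, cipherText []byte) []byte {
	return xorBytes(cipherText, knownPlain)
}

// recoversOtherFile reports whether the "keystream" derived from fileA under
// the given encryption function turns fileB's ciphertext back into fileB.
func recoversOtherFile(encrypt func([]byte) []byte) bool {
	ks := recoverKeystream(fileA, encrypt(fileA))
	got := xorBytes(encrypt(fileB), ks)
	return len(got) >= len(fileB) && bytes.Equal(got[:len(fileB)], fileB)
}

// CTRRecoveryWorks is true: a reused CTR keystream decrypts every file.
func CTRRecoveryWorks() bool { return recoversOtherFile(ctrEncrypt) }

// CBCRecoveryWorks is false: the XOR of a CBC ciphertext with its plaintext
// depends on that plaintext's own blocks and carries over to no other file.
func CBCRecoveryWorks() bool { return recoversOtherFile(cbcEncrypt) }

func main() {
	fmt.Println("CTR, fixed key and nonce, known-plaintext recovery works:", CTRRecoveryWorks())
	fmt.Println("CBC, fixed key and IV, known-plaintext recovery works:   ", CBCRecoveryWorks())
}
```

Only the bytes covered by the known plaintext can be recovered this way, which is why the longer file serves as the known sample here; the CBC case fails regardless of how much plaintext is known.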
As for how the infection spreads, victims receive spam e-mail and are lured into opening the attached malicious document, which typically poses as an unpaid invoice, a parcel-tracking notice or an unpaid speeding ticket.
The e-mail’s credibility is increased by mimicking business or government websites in the victim’s country; a visitor from a different country is redirected to the Google Search page instead.
“To fool the victims, the attackers have even inserted Captcha images to create a false sense of security,” said Léveillé.
More information about the TorrentLocker ransomware is now available on ESET’s security news website WeLiveSecurity.com.
A blog post introducing the research and the malware is available here. A detailed white paper is available here.