The researchers' team ESET in Canada analyzed a widely spread malware ransomware, known as TorrentLocker, the spread of which began at the beginning of 2014 and aimed unsuspecting victims. The latest version of malware has infected at least 40.000 systems over the last few months, targeting mainly European countries. ESET's research team has prepared an extensive report presenting all research findings and malware behavior analysis as well as a related blog post at WeLiveSecurity.com.
ESET telemetry detects TorrentLocker as Win32 / Filecoder.Dl. Its name comes from the registry key used by the malware to store configuration information with the fake Bit Torrent Application when this filecoder began to evolve.
This ransomware family encrypts documents, images, and other files on the user's device and requires a ransom to allow access to its files. His signature signature is ransom payment exclusively with crypto-currency - up to 4,081 Bitcoin (1.180 euro or 1.500 dollars). In the latest campaigns, TorrentLocker has infected 40.000 systems and has encrypted 280 millions of documents targeting countries in Europe, as well as users in Canada, Australia and New Zealand. Of these cases, only 570 victims paid the ransom, bringing the amount of 585.401 US dollars to Bitcoin to the actors behind TorrentLocker.
The ESET researchers' report has examined and analyzed seven different ways of spreading TorrentLocker. According to ESET's telemetry data, the first traces of this malware date back to February 2014. Malware is constantly evolving, with its most advanced version running since August 2014.
"We believe that the actors behind TorrentLocker are the same as those behind the banking trojan Hesperbot," said Marc-Etienne M. Léveillé, an ESET researcher from Canada. "In addition, with TorrentLocker, the perpetrators respond to online reports by overcoming the Violation Indicators used to detect malicious software and by modifying the use of Advanced Encryption Standards (AES) from CTR mode to CBC mode Cipher blocking chaining) upon disclosure of a code extraction method. " This means that TorrentLocker victims can no longer retrieve all their documents by combining an encrypted file and its plain text to retrieve the code.
How does the infection spread? The victim receives a spam e-mail with a malicious document and is driven to open the attached file, usually unapproved invoices, packet tracking updates or unpaid calls. The reliability of e-mail increases as it resembles business sites or the state of the victim's place. By opening the spam message, if the victim clicks the link that leads to the download page while not in one of the attacked countries, it will be redirected to the Google search page. "To deceive the victims, the perpetrators have introduced CAPTCHA images creating a false sense of security," explains Léveillé.
More information about TorrentLocker ransomware is available on ESET's website with security news WeLiveSecurity.com. The first data on research and malware is on the blog. The analytical report is here.