Malware requests liters to allow access to user files, by blackmailing unsuspecting victims.
The researchers' team ESET in Canada analyzed a widely spread malware ransomware, known as TorrentLocker, the spread of which began at the beginning of 2014 and aimed unsuspecting victims. The latest version of malware has infected at least 40.000 systems over the last few months, targeting mainly European countries. ESET's research team has prepared an extensive report presenting all research findings and malware behavior analysis as well as a related blog post at WeLiveSecurity.com.
ESET telemetry detects TorrentLocker as Win32 / Filecoder.Dl. Its name comes from the key registery that used the malware to store configuration information under the fake name "Bit Torrent Application" when this filecoder started to evolve.
This ransomware family encrypts documents, images, and other files on the user's device and requires a ransom to allow access to its files. His signature signature is ransom payment exclusively with crypto-currency - up to 4,081 Bitcoin (1.180 euro or 1.500 dollars). In the latest campaigns, TorrentLocker has infected 40.000 systems and has encrypted 280 millions of documents targeting countries in Europe, as well as users in Canada, Australia and New Zealand. Of these cases, only 570 victims paid the ransom, bringing the amount of 585.401 US dollars to Bitcoin to the actors behind TorrentLocker.
The ESET researchers' report has examined and analyzed seven different ways of spreading TorrentLocker. According to ESET's telemetry data, the first traces of this malware date back to February 2014. Malware is constantly evolving, with its most advanced version running since August 2014.
«Πιστεύουμε ότι οι δράστες πίσω από το TorrentLocker είναι οι ίδιο με εκείνους πίσω από την οικογένεια του banking trojan Hesperbot» δήλωσε ο Marc-Etienne M. Léveillé, ερευνητής της ESET από τον Καναδά. «Επιπλέον, με το TorrentLocker, οι δράστες αντιδρούν στις online εκθέσεις ξεπερνώντας τους Δείκτες Παραβίασης που χρησιμοποιούνται για την detection του κακόβουλου λογισμικού και τροποποιώντας τον τρόπο χρήσης των Προτύπων Κρυπτογράφησης AES (Advanced Encryption Standards) από λειτουργία Counter mode (CTR) σε λειτουργία CBC (Cipher block chaining) κατόπιν αποκάλυψης μίας μεθόδου εξtreatmentof the codes". This means that TorrentLocker victims can no longer recover all their documents by combining an encrypted file and its plain text to recover the password.
How does the infection spread? The victim receives a spam e-mail with a malicious document and is prompted to open the attached file, usually unpaid invoices, updates on monitoring packets or unpaid calls. The credibility of the e-mail increases as it resembles business or government websites of the victim's location. By opening the spam message, if the victim clicks on the download page link while not in one of the attacked countries, they will be redirected to the Google search page. "To fool victims, the perpetrators have inserted CAPTCHA images creating a false sense of security," explains Léveillé.
More information about TorrentLocker ransomware is available on ESET's website with security news WeLiveSecurity.com. The first data on research and malware is on the blog. The analytical report is here.
