Malware blackmails unsuspecting victims

The malware demands a ransom to restore access to the user's files, blackmailing unsuspecting victims.

ESET's research team in Canada has analyzed a widespread ransomware family known as TorrentLocker, which began spreading in early 2014 and targets unsuspecting victims. The latest version of the malware has infected at least 40,000 systems over the past few months, mainly in European countries. The team has published an extensive report presenting its findings and an analysis of the malware's behavior, together with a related blog post on WeLiveSecurity.com.

ESET telemetry detects TorrentLocker as Win32/Filecoder.Dl. The name TorrentLocker comes from the registry key in which early versions of the filecoder stored their configuration, disguised as a key belonging to the legitimate BitTorrent application.

This ransomware family encrypts documents and other files on the user's device and demands a ransom to restore access to them. Its hallmark is that the ransom is payable exclusively in cryptocurrency: up to 4.081 Bitcoins (about 1,180 euros or 1,500 dollars). In its latest campaigns, TorrentLocker has infected 40,000 systems and encrypted 280 million documents, targeting countries mainly in Europe but also users in Canada, Australia and New Zealand. Of these victims, only 570 paid the ransom, which netted the perpetrators behind TorrentLocker US$585,401 in Bitcoin.

The ESET report examines and analyzes seven different ways in which TorrentLocker has been distributed. According to ESET's telemetry, the first traces of the malware date back to February 2014. It has evolved continuously since then, and its most advanced version has been active since August 2014.

"We believe that the actors behind TorrentLocker are the same as those behind the banking trojan Hesperbot," said Marc-Etienne M. Léveillé, an ESET researcher in Canada. "In addition, with TorrentLocker the perpetrators react to online reports: they evade the Indicators of Compromise used to detect the malware, and after a key-extraction method was disclosed they switched their use of the Advanced Encryption Standard (AES) from CTR mode to CBC (Cipher Block Chaining) mode." This means that TorrentLocker victims can no longer recover all of their documents by combining an encrypted file with its plaintext copy to extract the key stream.
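As an added illustration that is not part of the article or ESET's report, the following Python models why that mode change matters for victims: with CTR and a key stream reused across files, one file's plaintext and ciphertext reveal the key stream that decrypts the others, while CBC under the same key and IV offers no such shortcut. A keyed hash stands in for the AES block function (an assumption so the example runs without third-party libraries; only the mode of operation matters here), and the sample "documents", key and IV are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function: a keyed PRF truncated to one block
    (assumption made so the example needs no external crypto library)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: key stream = E(nonce || counter), XORed onto the data.
    Decryption is the same operation, so reusing nonce and key across files
    reuses the same key stream for every file."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = block_encrypt(key, nonce[:8] + (i // BLOCK).to_bytes(8, "big"))
        out += xor(data[i:i + BLOCK], ks)
    return bytes(out)


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC mode: each plaintext block is XORed with the previous ciphertext
    block before encryption, so no file-independent key stream exists."""
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(prev, data[i:i + BLOCK]))
        out += prev
    return bytes(out)


def recover_from_known_pair(known_pt: bytes, known_ct: bytes, other_ct: bytes) -> bytes:
    """The victim's recovery trick: XOR a known plaintext with its ciphertext
    to obtain the key stream, then XOR that stream onto another encrypted file."""
    return xor(xor(known_pt, known_ct), other_ct)


# Constructed sample data: two 32-byte "documents" (whole blocks, no padding).
KNOWN_PT = b"%PDF-1.4 header, known content!!"   # file the victim also holds unencrypted
TARGET_PT = b"Q3 payroll spreadsheet, secret!!"   # file the victim wants back
KEY = b"constructed-32-byte-key-value-!!"        # one key reused for every file
IV = b"constructed-iv!!"                          # one nonce/IV reused for every file


def recovery_possible(mode) -> bool:
    """Encrypt both files with the same key and IV under `mode`, then check
    whether the known pair lets the victim recover the second file."""
    known_ct = mode(KEY, IV, KNOWN_PT)
    target_ct = mode(KEY, IV, TARGET_PT)
    return recover_from_known_pair(KNOWN_PT, known_ct, target_ct) == TARGET_PT


if __name__ == "__main__":
    print("CTR with reused key stream:", recovery_possible(ctr_encrypt))  # True
    print("CBC with same key and IV:  ", recovery_possible(cbc_encrypt))  # False
```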

How does the infection spread? The victim receives a spam e-mail and is urged to open the attached file, which typically poses as an unpaid invoice, a package-tracking update or an unpaid fine. The e-mails gain credibility by imitating businesses or government agencies in the victim's country. If the victim clicks the link to the download page from a location outside the targeted countries, they are redirected to Google's search page instead. "To fool victims, the perpetrators have inserted CAPTCHA images, creating a false sense of security," explains Léveillé.

More information about the TorrentLocker ransomware is available on ESET's security news website, WeLiveSecurity.com. The initial research findings are published on the blog, and the detailed report is available there as well.

Author

SecNews

Written by Dimitris
