Malware requests liters to allow access to user files, by blackmailing unsuspecting victims.
The researchers' team ESET in Canada analyzed a widely spread malware ransomware, known as TorrentLocker, the spread of which began at the beginning of 2014 and aimed unsuspecting victims. The latest version of malware has infected at least 40.000 systems over the last few months, targeting mainly European countries. ESET's research team has prepared an extensive report presenting all research findings and malware behavior analysis as well as a related blog post at WeLiveSecurity.com.
Η telemetry της ESET ανιχνεύει το TorrentLocker ως Win32 / Filecoder.Dl. Its name comes from the registry key used by the malware to store configuration information with the fake Bit Torrent Application when this filecoder began to evolve.
This ransomware family encrypts documents, images, and other files in device of the user and demands a ransom to allow access to their files. Its typical signature is paying ransoms exclusively in crypto-currency – up to 4,081 Bitcoins (€1.180 or $1.500). In the latest campaigns, TorrentLocker has infected 40.000 systems and encrypted 280 million documents targeting countries mainly in Europe, but also users in Canada, Australia and New Zealand. Of these cases, only 570 victims paid the ransom, which netted the perpetrators behind TorrentLocker a total of US$585.401 in Bitcoin.
The ESET researchers' report has examined and analyzed seven different ways of spreading TorrentLocker. According to ESET's telemetry data, the first traces of this malware date back to February 2014. Malware is constantly evolving, with its most advanced version running since August 2014.
“We believe the perpetrators behind TorrentLocker are the same as those behind his family banking trojan Hesperbot» δήλωσε ο Marc-Etienne M. Léveillé, ερευνητής της ESET από τον Καναδά. «Επιπλέον, με το TorrentLocker, οι δράστες αντιδρούν στις online εκθέσεις ξεπερνώντας τους Δείκτες Παραβίασης που χρησιμοποιούνται για την ανίχνευση του κακόβουλου λογισμικού και τροποποιώντας τον τρόπο χρήσης των Προτύπων Κρυπτογράφησης AES (Advanced Encryption Standards) από λειτουργία Counter mode (CTR) σε λειτουργία CBC (Cipher block chaining) κατόπιν αποκάλυψης μίας μεθόδου εξtreatmentof the codes". This means that TorrentLocker victims can no longer recover all their documents by combining an encrypted file and its plain text to recover the password.
How does the infection spread? The victim receives a spam e-mail with a malicious document and is driven to open the attached file, usually unapproved invoices, packet tracking updates or unpaid calls. The reliability of e-mail increases as it resembles business sites or the state of the victim's place. By opening the spam message, if the victim clicks the link that leads to the download page while not in one of the attacked countries, it will be redirected to the Google search page. "To deceive the victims, the perpetrators have introduced CAPTCHA images creating a false sense of security," explains Léveillé.
More information about TorrentLocker ransomware is available on ESET's website with security news WeLiveSecurity.com. The first data on research and malware is on the blog. The analytical report is here.
