ESET researchers have analyzed a broad family of this malware and its modus operandi
The ESET® research team from Canada has analyzed a widespread case of ransomware generally known as TorrentLocker, which started spreading in early 2014. The latest variant of the malware has infected at least 40,000 systems in the last few months, primarily targeting European countries. ESET’s security research team has prepared an extensive white paper, detailing the investigation and analysis of the malware behavior, and a blog post, which are available on WeLiveSecurity.com.
This ransomware encrypts documents, pictures and other files on users’ devices and requests a ransom to restore access to their files. Its typical signature is demanding payment solely in crypto-currency—up to 4.081 Bitcoins ($1,500). In addition to infecting 40,000 systems and encrypting more than 280 million documents in Europe, TorrentLocker has also targeted users in Canada, Australia and New Zealand.
Only 570 victims paid the ransom, which has earned the TorrentLocker creators approximately $585,401 in Bitcoins.
ESET’s telemetry detected TorrentLocker as Win32/Filecoder.Dl,k a name derived from the registry key used by the malware to store configuration information with the fake name of “Bit Torrent Application” in the beginning of the evolution of this filecoder.
In the white paper, ESET researchers describe and analyze seven different ways of spreading TorrentLocker. According to ESET’s telemetry, the first traces of this malware date to February 2014. The malware is constantly developing, with its most advanced version operating since August 2014.
“We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking trojan malware,” said Marc-Etienne M. Léveillé, a member of the ESET research team in Canada. “Moreover, with TorrentLocker, the attackers have been reacting to online reports by defeating Indicators of Compromise used for detection of the malware and changing the way they use Advanced Encryption Standards (AES) from Counter mode (CTR) to Cipher block chaining mode (CBC) after a method for extracting the key stream was disclosed.”
This means that TorrentLocker victims can no longer recover all their documents by combining an encrypted file and its plain text to recover the key stream. The infection is spread through spam emails. Victims receive the email and are led to open the attached malicious files—usually claiming to be unpaid invoices, tracking documents for packages, or unpaid speeding tickets. The email’s credibility is increased by mimicking business or government websites in the victim’s location. If the victim who clicks on the link to the download page is not from one of the targeted countries, he or she will be redirected to the Google search page. “To fool the victims, the attackers have even inserted CAPTCHA images to create a false sense of security,” explains Léveillé.
More information about the TorrentLocker ransomware is now available on ESET’s security news website,WeLiveSecurity.com.
Blog entry regarding the the research and the malware: http://www.welivesecurity.com/2014/12/16/torrentlocker-racketeering-ransomware-disassembled-by-eset-experts/.
White paper: http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf
About ESET
Since 1987, ESET® has been developing award-winning security software that now helps more than 100 million users Enjoy Safer Technology™. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.