TorrentLocker Campaign Moves to Target Spain

When Heimdal Security reported on a new TorrentLocker ransomware campaign in Sweden just over a week ago, it noted that the attackers would likely soon move on to one or more other geographical areas. Now McAfee has seen a new campaign in Spain.

“Recently,” writes McAfee in a blog post, “we detected a new campaign using the brand of Endesa, Spain’s largest electric utility. The threat arrived in a Spanish-language spam email that appeared to contain an invoice for the victim.”

This is precisely the method used in last week’s Sweden campaign: use of a large national ‘utility’ company (Telia in Sweden, Endesa in Spain) to provide credibility and a reasonable chance of relevance to the spam. In each case the spam email is in the local language. 
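The lure pattern described above (a trusted national brand in the sender's display name, an invoice-themed subject in the local language, and a sender domain that does not belong to the brand) can be turned into a simple mail-gateway check. The following is an added example, not code from the article or from any of the vendors quoted; the "trusted" domains are placeholder assumptions and the sample message is constructed.

```python
import email
from email import policy

# Brands the two campaigns impersonated (from the article), mapped to the
# sender domains a defender treats as legitimate. The domains are placeholder
# assumptions; populate them from your own allow-list, not from this snippet.
TRUSTED_SENDERS = {
    "endesa": {"endesa.example"},
    "telia": {"telia.example"},
}

# The invoice wording the lure relies on, in the campaigns' local languages.
INVOICE_WORDS = ("factura", "faktura")


def flag_brand_impersonation(raw: str) -> dict:
    """Check one raw RFC 5322 message for the lure pattern: a trusted brand in
    the display name or subject, invoice wording, and a sender domain that
    does not belong to that brand."""
    msg = email.message_from_string(raw, policy=policy.default)
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return {"suspicious": False, "brand": None, "reasons": ["no From address"]}
    sender = hdr.addresses[0]
    display = sender.display_name.lower()
    domain = sender.domain.lower()
    subject = str(msg["Subject"] or "").lower()
    brand = next((b for b in TRUSTED_SENDERS if b in display or b in subject), None)
    reasons = []
    if brand and domain not in TRUSTED_SENDERS[brand]:
        reasons.append(f"names {brand} but is sent from {domain}")
    if any(w in subject for w in INVOICE_WORDS):
        reasons.append("invoice-themed subject")
    # Both signals together match the campaign. An exact spoof of the real
    # brand domain passes this check and must be caught by SPF/DKIM/DMARC.
    return {"suspicious": len(reasons) == 2, "brand": brand, "reasons": reasons}


# Constructed sample modelled on the Endesa lure; not a real campaign email.
SAMPLE_LURE = """\
From: Endesa Clientes <facturacion@endesa-clientes.example>
To: cliente@example.net
Subject: Su factura de Endesa
Content-Type: text/plain; charset=utf-8

Adjuntamos su factura del mes. Descargue el documento para ver el importe.
"""

if __name__ == "__main__":
    print(flag_brand_impersonation(SAMPLE_LURE))
```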

In the Swedish example, the TorrentLocker ransom note was also displayed to the victim in Swedish. In the McAfee example, however, it is displayed in German. Since McAfee notes that its investigations had shown that no victim had yet paid a bitcoin ransom, it is likely that this is the beginning of the campaign. It is possible that this particular sample is an early proof of concept mail – or that McAfee made a mistake. 

The date on the McAfee screenshot predates the Swedish sample found by Heimdal Security. The ransom figure is also less than that in Sweden: €299 doubling to €598 if not paid immediately, compared to €440 doubling to €880 in Sweden.

SecurityWeek asked Spanish security firm Panda if it had also noted a TorrentLocker campaign in Spain. “Yes,” replied Luis Corrons, technical director at PandaLabs; “it’s pretty widespread. Thousands of our users have received that email, although none have been infected.” We also asked Corrons to have a look at the ransomware itself, and he confirmed that the ransom note is now delivered in Spanish.

“These new TorrentLocker campaigns clearly prove how business-savvy cyber criminals have gotten,” Morten Kjaersgaard, Heimdal Security CEO told SecurityWeek. They understand who their potential victims trust (Telia in Sweden, Endesa in Spain), and they know how to create credible spam campaigns to lure the victims to click and get infected. “Nor do they shy away from investing resources in localization,” he added. “Attackers seem to be moving from spray and pray campaigns to targeted attacks which yield a much higher return on investment.”

Kjaersgaard thinks the TorrentLocker blueprint may become a common approach in the years to come. “Ransomware campaigns have a very clear goal: to make the malicious hackers as much money as possible. If they have to invest some of that money into translations, a bit of graphic design and infrastructure, they’re ready to do it. It’s pocket change for them, anyway.”

“Moreover,” he added, “smaller campaigns mean that they can move faster and keep below the radar in terms of detection by traditional security solutions and law enforcement organizations. It won’t be long until this method is copied by other malware creators.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.
