SecurityWeek

TorrentLocker Campaign Moves to Target Spain

When Heimdal Security reported on a new TorrentLocker ransomware campaign in Sweden just over a week ago, it noted that the attackers would likely soon move on to one or more other geographical areas. Now McAfee has seen a new campaign in Spain.

“Recently,” writes McAfee in a recent blog post, “we detected a new campaign using the brand of Endesa, Spain’s largest electric utility. The threat arrived in a Spanish-language spam email that appeared to contain an invoice for the victim.”

This is precisely the method used in last week’s Sweden campaign: use of a large national ‘utility’ company (Telia in Sweden, Endesa in Spain) to provide credibility and a reasonable chance of relevance to the spam. In each case the spam email is in the local language. 

In the Swedish example, the TorrentLocker ransom note was also displayed to the victim in Swedish. In the McAfee example, however, it is displayed in German. Since McAfee notes that its investigations had shown that no victim had yet paid a bitcoin ransom, it is likely that this is the beginning of the campaign. It is possible that this particular sample is an early proof of concept mail – or that McAfee made a mistake. 

The date on the McAfee screenshot predates the Swedish sample found by Heimdal Security. The ransom figure is also less than that in Sweden: €299 doubling to €598 if not paid immediately, compared to €440 doubling to €880 in Sweden.

SecurityWeek asked Spanish security firm Panda if it had also noted a TorrentLocker campaign in Spain. “Yes,” replied Luis Corrons, technical director at PandaLabs; “it’s pretty widespread. Thousands of our users have received that email, although none have been infected.” We also asked Corrons to have a look at the ransomware itself, and he confirmed that the ransom note is now delivered in Spanish.

“These new TorrentLocker campaigns clearly prove how business-savvy cyber criminals have gotten,” Morten Kjaersgaard, Heimdal Security CEO, told SecurityWeek. They understand who their potential victims trust (Telia in Sweden, Endesa in Spain), and they know how to create credible spam campaigns to lure the victims to click and get infected. “Nor do they shy away from investing resources in localization,” he added. “Attackers seem to be moving from spray and pray campaigns to targeted attacks which yield a much higher return on investment.”

Kjaersgaard thinks the TorrentLocker blueprint may become a common approach in the years to come. “Ransomware campaigns have a very clear goal: to make the malicious hackers as much money as possible. If they have to invest some of that money into translations, a bit of graphic design and infrastructure, they’re ready to do it. It’s pocket change for them, anyway. Moreover,” he added, “smaller campaigns mean that they can move faster and keep below the radar in terms of detection by traditional security solutions and law enforcement organizations. It won’t be long until this method is copied by other malware creators.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
