When Heimdal Security reported on a new TorrentLocker ransomware campaign in Sweden just over a week ago, it noted that the attackers would likely soon move on to one or more other geographical areas. Now McAfee has seen a new campaign in Spain.
“Recently,” writes McAfee in a blog post, “we detected a new campaign using the brand of Endesa, Spain’s largest electric utility. The threat arrived in a Spanish-language spam email that appeared to contain an invoice for the victim.”
This is precisely the method used in last week’s Sweden campaign: use of a large national ‘utility’ company (Telia in Sweden, Endesa in Spain) to provide credibility and a reasonable chance of relevance to the spam. In each case the spam email is in the local language.
In the Swedish example, the TorrentLocker ransom note was also displayed to the victim in Swedish. In the McAfee example, however, it is displayed in German. Since McAfee notes that its investigations had shown that no victim had yet paid a bitcoin ransom, it is likely that this is the beginning of the campaign. It is possible that this particular sample is an early proof of concept mail – or that McAfee made a mistake.
The date on the McAfee screenshot predates the Swedish sample found by Heimdal Security. The ransom figure is also less than that in Sweden: €299 doubling to €598 if not paid immediately, compared to €440 doubling to €880 in Sweden.
SecurityWeek asked Spanish security firm Panda if it had also noted a TorrentLocker campaign in Spain. “Yes,” replied Luis Corrons, technical director at PandaLabs; “it’s pretty widespread. Thousands of our users have received that email, although none have been infected.” We also asked Corrons to have a look at the ransomware itself, and he confirmed that the ransom note is now delivered in Spanish.
“These new TorrentLocker campaigns clearly prove how business-savvy cyber criminals have gotten,” Morten Kjaersgaard, Heimdal Security CEO told SecurityWeek. They understand who their potential victims trust (Telia in Sweden, Endesa in Spain), and they know how to create credible spam campaigns to lure the victims to click and get infected. “Nor do they shy away from investing resources in localization,” he added. “Attackers seem to be moving from spray and pray campaigns to targeted attacks which yield a much higher return on investment.”
Kjaersgaard thinks the TorrentLocker blueprint may become a common approach in the years to come. “Ransomware campaigns have a very clear goal: to make the malicious hackers as much money as possible. If they have to invest some of that money into translations, a bit of graphic design and infrastructure, they’re ready to do it. It’s pocket change for them, anyway.
“Moreover,” he added, “smaller campaigns mean that they can move faster and keep below the radar in terms of detection by traditional security solutions and law enforcement organizations. It won’t be long until this method is copied by other malware creators.”