Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

TorrentLocker Detected Targeting Computers in Sweden

A new TorrentLocker campaign has been detected by Heimdal Security that is geographically focused on Sweden. And like earlier campaigns, this ransomware threat is delivered by email spam – this one spoofing an invoice from the international Telia communications firm headquartered in Stockholm, Sweden.

A new TorrentLocker campaign has been detected by Heimdal Security that is geographically focused on Sweden. And like earlier campaigns, this ransomware threat is delivered by email spam – this one spoofing an invoice from the international Telia communications firm headquartered in Stockholm, Sweden. If this campaign follows the traditional TorrentLocker route, the target area will expand to other specific areas in the future.

The email carries a single link to a web page that looks like a Telia landing page. This page contains a poisoned Captcha code, which, if activated, downloads the TorrentLocker ransomware – provided that the target’s IP address is in Sweden. If the address is not in Sweden, the target is simply redirected to Google.

Furthermore, if the target is already infected with TorrentLocker, it will not be downloaded a second time – TorrentLocker could be dormant. Although sleep functions are not new to malware, it seems to be new to TorrentLocker. The primary purpose is probably to be to avoid sandboxing technologies and behavioral analysis techniques. 

Luis Corrons, technical director at PandaLabs, told SecurityWeek that years ago he built a test system for unknown files that waited six minutes before rebooting simply to catch this technique – apparently most examples have a very short sleep period.

The Heimdal report notes that VirusTotal, two days after the attack, reported 19 out of 57 anti-virus engines catching the malware. This does not, of course, mean that anti-virus in situ would not detect it (see VirusTotal Policy Change Rocks Anti-Malware Industry for further details).

“A better layer of defence against crypto-ransomware payloads,” said F-Secure’s security advisor Sean Sullivan, “is behavioral technology (aka HIPS).” The static VirusTotal checks cannot monitor behavior, so do not provide an analysis of whether any particular AV will actually stop the ‘tested’ malware. “Because crypto-ransomware is always going to do what it does,” added Sullivan, “you can always use its behavior to judge.” 

TorrentLocker’s sleep function seems designed to counteract such behavioral analysis. “The criminals’ counter-action is to keep any malicious behavior dormant beyond the period of behavioral analysis. This may well be doable on the client side as analysis cannot continue forever; but we have tricks to counter this on our back end – and then out go our blocks and detections.”

TorrentLocker attempts to steal data from the victim before it encrypts. It injects itself into the memory of explorer.exe before dropping the main component with an arbitrary filename; and then harvests any available certificates and user contacts. These are sent back to the C&C server to fuel future campaigns. 

When the encryption starts, TorrentLocker attempts to encrypt all available data files on the local drive and on any connected drives. When ready, the ransom note offers to ‘sell’ decryption to the victim for 1.15 bitcoins (currently around €440 or a little less than $500). If the ransom isn’t paid within a few days, the decryption cost doubles.

The best defense against any ransomware is threefold: sufficient security awareness to avoid clicking on poisonous links; an up-to-date mainstream anti-virus product; and backup. “Actually, you should have multiple backups,” suggests Heimdal.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.