Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

TorrentLocker Detected Targeting Computers in Sweden

A new TorrentLocker campaign has been detected by Heimdal Security that is geographically focused on Sweden. And like earlier campaigns, this ransomware threat is delivered by email spam – this one spoofing an invoice from the international Telia communications firm headquartered in Stockholm, Sweden.

A new TorrentLocker campaign has been detected by Heimdal Security that is geographically focused on Sweden. And like earlier campaigns, this ransomware threat is delivered by email spam – this one spoofing an invoice from the international Telia communications firm headquartered in Stockholm, Sweden. If this campaign follows the traditional TorrentLocker route, the target area will expand to other specific areas in the future.

The email carries a single link to a web page that looks like a Telia landing page. This page contains a poisoned Captcha code, which, if activated, downloads the TorrentLocker ransomware – provided that the target’s IP address is in Sweden. If the address is not in Sweden, the target is simply redirected to Google.

Furthermore, if the target is already infected with TorrentLocker, it will not be downloaded a second time – TorrentLocker could be dormant. Although sleep functions are not new to malware, it seems to be new to TorrentLocker. The primary purpose is probably to be to avoid sandboxing technologies and behavioral analysis techniques. 

Luis Corrons, technical director at PandaLabs, told SecurityWeek that years ago he built a test system for unknown files that waited six minutes before rebooting simply to catch this technique – apparently most examples have a very short sleep period.

The Heimdal report notes that VirusTotal, two days after the attack, reported 19 out of 57 anti-virus engines catching the malware. This does not, of course, mean that anti-virus in situ would not detect it (see VirusTotal Policy Change Rocks Anti-Malware Industry for further details).

“A better layer of defence against crypto-ransomware payloads,” said F-Secure’s security advisor Sean Sullivan, “is behavioral technology (aka HIPS).” The static VirusTotal checks cannot monitor behavior, so do not provide an analysis of whether any particular AV will actually stop the ‘tested’ malware. “Because crypto-ransomware is always going to do what it does,” added Sullivan, “you can always use its behavior to judge.” 

TorrentLocker’s sleep function seems designed to counteract such behavioral analysis. “The criminals’ counter-action is to keep any malicious behavior dormant beyond the period of behavioral analysis. This may well be doable on the client side as analysis cannot continue forever; but we have tricks to counter this on our back end – and then out go our blocks and detections.”

TorrentLocker attempts to steal data from the victim before it encrypts. It injects itself into the memory of explorer.exe before dropping the main component with an arbitrary filename; and then harvests any available certificates and user contacts. These are sent back to the C&C server to fuel future campaigns. 

Advertisement. Scroll to continue reading.

When the encryption starts, TorrentLocker attempts to encrypt all available data files on the local drive and on any connected drives. When ready, the ransom note offers to ‘sell’ decryption to the victim for 1.15 bitcoins (currently around €440 or a little less than $500). If the ransom isn’t paid within a few days, the decryption cost doubles.

The best defense against any ransomware is threefold: sufficient security awareness to avoid clicking on poisonous links; an up-to-date mainstream anti-virus product; and backup. “Actually, you should have multiple backups,” suggests Heimdal.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.