A new TorrentLocker campaign has been detected by Heimdal Security that is geographically focused on Sweden. And like earlier campaigns, this ransomware threat is delivered by email spam – this one spoofing an invoice from the international Telia communications firm headquartered in Stockholm, Sweden. If this campaign follows the traditional TorrentLocker route, the target area will expand to other specific areas in the future.
The email carries a single link to a web page that looks like a Telia landing page. This page contains a poisoned Captcha code, which, if activated, downloads the TorrentLocker ransomware – provided that the target’s IP address is in Sweden. If the address is not in Sweden, the target is simply redirected to Google.
Furthermore, if the target is already infected with TorrentLocker, it will not be downloaded a second time – TorrentLocker could be dormant. Although sleep functions are not new to malware, it seems to be new to TorrentLocker. The primary purpose is probably to be to avoid sandboxing technologies and behavioral analysis techniques.
Luis Corrons, technical director at PandaLabs, told SecurityWeek that years ago he built a test system for unknown files that waited six minutes before rebooting simply to catch this technique – apparently most examples have a very short sleep period.
The Heimdal report notes that VirusTotal, two days after the attack, reported 19 out of 57 anti-virus engines catching the malware. This does not, of course, mean that anti-virus in situ would not detect it (see VirusTotal Policy Change Rocks Anti-Malware Industry for further details).
“A better layer of defence against crypto-ransomware payloads,” said F-Secure’s security advisor Sean Sullivan, “is behavioral technology (aka HIPS).” The static VirusTotal checks cannot monitor behavior, so do not provide an analysis of whether any particular AV will actually stop the ‘tested’ malware. “Because crypto-ransomware is always going to do what it does,” added Sullivan, “you can always use its behavior to judge.”
TorrentLocker’s sleep function seems designed to counteract such behavioral analysis. “The criminals’ counter-action is to keep any malicious behavior dormant beyond the period of behavioral analysis. This may well be doable on the client side as analysis cannot continue forever; but we have tricks to counter this on our back end – and then out go our blocks and detections.”
TorrentLocker attempts to steal data from the victim before it encrypts. It injects itself into the memory of explorer.exe before dropping the main component with an arbitrary filename; and then harvests any available certificates and user contacts. These are sent back to the C&C server to fuel future campaigns.
When the encryption starts, TorrentLocker attempts to encrypt all available data files on the local drive and on any connected drives. When ready, the ransom note offers to ‘sell’ decryption to the victim for 1.15 bitcoins (currently around €440 or a little less than $500). If the ransom isn’t paid within a few days, the decryption cost doubles.
The best defense against any ransomware is threefold: sufficient security awareness to avoid clicking on poisonous links; an up-to-date mainstream anti-virus product; and backup. “Actually, you should have multiple backups,” suggests Heimdal.