TorrentLocker ransomware takes advantage of people's willingness to open unknown files with an .exe extension that arrive as attachments to spam messages.
According to new research, TorrentLocker, one of the most prevalent pieces of ransomware, has claimed thousands of victims since it first surfaced in February 2014.
Infosec biz ESET reported that, of 39,670 infected Windows systems, 570 (1.45 percent) actually paid the ransom to the criminals in order to get their locked-up files decrypted. The creators of this ransomware racked up between $292,700 (£187k) and $585,401 (£375k) from these payments.
The ransomware generates a random 256-bit AES key to encrypt pictures, documents and basically any other files on the victim's PC, then demands a payment of 4 BTC (around $1,500); if the money is paid, the data is restored.
The AES key itself is encrypted with a 2048-bit public RSA key and sent to a central server, after which the AES key is wiped from memory. Once the ransom is paid, the picaroons behind the scam decrypt the AES key with their private RSA key and send it back to the victim so that the scrambled data can be restored.
TorrentLocker reportedly encrypted over 280 million files on computers mainly in Europe, although New Zealand, Australia and Canada were also hit.
To infect victims, the attackers send a spam email containing a booby-trapped attachment – usually disguised as a bogus unpaid speeding ticket, package tracking document or unpaid invoice – or a link that leads to a site from which the victim downloads the malware. Such a web page is usually made to look like a legitimate government or business website, for example a national postal service, and may even include a CAPTCHA to appear more legitimate.
The victim then opens the attachment, which is either a ZIP archive containing the malware executable or a Word document with a Visual Basic macro crafted to download and install the TorrentLocker .exe file.
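The lure described above (an archive carrying an executable or a macro-enabled document) is the kind of attachment a mail gateway should flag before a user ever sees it. The following is an added example written for this page, not code from ESET or from the malware: it builds a constructed ZIP in memory with a harmless text file, an executable disguised as a PDF and a macro-enabled Word file, then lists the entries that would execute or carry macros. The extension list and the file names are assumptions chosen for the demonstration; the entry bodies are placeholder text, not real programs.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Entry types that execute when a user double-clicks them on Windows, or that
// can carry a VBA macro. This list is an assumption for the example, not a
// complete catalogue.
var riskyExtensions = map[string]string{
	".exe":  "Windows executable",
	".scr":  "screensaver (executable)",
	".com":  "Windows executable",
	".bat":  "batch script",
	".cmd":  "batch script",
	".js":   "Windows Script Host script",
	".vbs":  "Windows Script Host script",
	".docm": "Word document with macros",
	".xlsm": "Excel workbook with macros",
}

// RiskyEntries opens a ZIP attachment held in memory and returns one finding per
// entry whose name is executable or macro-bearing. It also calls out double
// extensions such as invoice.pdf.exe, which rely on Windows hiding the final
// extension so that the file looks like a document.
func RiskyEntries(zipData []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, f := range r.File {
		name := strings.ToLower(path.Base(f.Name)) // ZIP entry names use forward slashes
		ext := path.Ext(name)
		kind, risky := riskyExtensions[ext]
		if !risky {
			continue
		}
		finding := fmt.Sprintf("%s: %s", f.Name, kind)
		if inner := path.Ext(strings.TrimSuffix(name, ext)); inner != "" {
			finding += fmt.Sprintf(" (double extension, posing as %s)", inner)
		}
		findings = append(findings, finding)
	}
	return findings, nil
}

// sampleEntry is one file inside the constructed lure archive.
type sampleEntry struct{ name, body string }

// BuildSampleZip constructs, in memory, an archive shaped like the lures the
// article describes: a harmless note, an executable disguised as a PDF and a
// macro-enabled document. The bodies are placeholder text, not real programs.
func BuildSampleZip() []byte {
	entries := []sampleEntry{
		{"readme.txt", "Your parcel could not be delivered. See the attached notice."},
		{"Notice_2014/Invoice.pdf.exe", "placeholder bytes, not an actual program"},
		{"Remittance.docm", "placeholder bytes, not an actual document"},
	}
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, err := w.Create(e.name)
		if err != nil {
			panic(err)
		}
		if _, err := fw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings, err := RiskyEntries(BuildSampleZip())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("flagged:", f)
	}
}
```

Matching on the entry name is deliberately cheap; a real gateway would also sniff the content (an MZ header, or a vbaProject.bin part inside an Office ZIP container) rather than trust the extension alone.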
Waves of spam distributing TorrentLocker have targeted Canada, Australia, the Czech Republic, Austria, France, Italy, the Netherlands, Ireland, Germany, Turkey, New Zealand, Spain and the United Kingdom. Oddly, the US is not among the countries listed, for reasons that are not immediately obvious.
ESET researchers speculate that the TorrentLocker gang is the same one responsible for the Hesperbot malware family, which was designed to raid online bank accounts.
Marc-Etienne M. Léveillé, a researcher at ESET, said that the TorrentLocker attackers reacted to online reports by changing the Indicators of Compromise used to detect the malware, and switched the mode in which they use AES (Advanced Encryption Standard) from CTR (counter mode) to CBC (cipher block chaining mode) after researchers published a method for extracting the keystream.
Because of the change to AES-CBC, TorrentLocker victims can no longer recover the keystream by exclusive-OR'ing an encrypted file with a plaintext backup of it, and so can no longer recover all of their encrypted files that way, as ESET's blog post explains.
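The keystream-recovery method ESET described, and why the switch to CBC shut it down, as an added example written for this page (it is not ESET's code nor the malware's). The sample key, IV and two "files" are constructed assumptions; the one property carried over from the article is that the ransomware used a single key and IV for every file, so every file was XORed with the same CTR keystream. The block encrypts a file the victim still holds a plaintext backup of, recovers the keystream from that pair, applies it to a second file, and then repeats the same XOR against AES-CBC output to show it yields nothing useful.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample key and IV. The point of the demonstration is that the
// same key and IV are used for every file, so every file shares one keystream.
var sampleKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var sampleIV = []byte("same-iv-reused!!")                 // 16 bytes: one AES block

// Constructed stand-ins for a victim's files. The "backup" is a file the victim
// still has in plaintext (say, a copy on a USB stick); the second file only
// ever existed on the infected machine.
var backupDoc = []byte("Quarterly report 2014: revenue up 12%, costs flat. Board meeting on Tuesday.")
var secondDoc = []byte("Holiday photos list: beach.jpg, sunset.jpg, family.jpg")

func newAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a bad key length can fail here
	}
	return block
}

// ctrEncrypt encrypts with AES in counter mode: ciphertext = plaintext XOR keystream(key, iv).
func ctrEncrypt(key, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCTR(newAES(key), iv).XORKeyStream(out, plaintext)
	return out
}

// pkcs7Pad pads to a whole number of blocks, as CBC requires.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// cbcEncrypt encrypts with AES in CBC mode: each plaintext block is XORed with the
// previous ciphertext block (or the IV) and then run through the block cipher,
// so there is no standalone keystream to recover.
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block := newAES(key)
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// xorBytes XORs two buffers up to the length of the shorter one.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverViaKeystream is the victim-side trick: XOR a plaintext backup with its
// ciphertext to get the keystream, then XOR that keystream into another file's
// ciphertext. It recovers at most as many bytes as the backup is long, and only
// yields plaintext if the cipher really is "plaintext XOR shared keystream".
func RecoverViaKeystream(backupPlain, backupCipher, targetCipher []byte) []byte {
	keystream := xorBytes(backupCipher, backupPlain)
	return xorBytes(targetCipher, keystream)
}

// CTRRecoveryWorks: with AES-CTR and a reused key/IV, the recovered bytes equal the second file.
func CTRRecoveryWorks() bool {
	backupCT := ctrEncrypt(sampleKey, sampleIV, backupDoc)
	secondCT := ctrEncrypt(sampleKey, sampleIV, secondDoc)
	return bytes.Equal(RecoverViaKeystream(backupDoc, backupCT, secondCT), secondDoc)
}

// CBCRecoveryWorks: with AES-CBC the same XOR produces unrelated bytes, so victims
// can no longer undo the encryption this way.
func CBCRecoveryWorks() bool {
	backupCT := cbcEncrypt(sampleKey, sampleIV, backupDoc)
	secondCT := cbcEncrypt(sampleKey, sampleIV, secondDoc)
	recovered := RecoverViaKeystream(backupDoc, backupCT, secondCT)
	return bytes.HasPrefix(recovered, secondDoc)
}

func main() {
	fmt.Println("AES-CTR, reused key+IV, XOR recovery succeeds:", CTRRecoveryWorks())
	fmt.Println("AES-CBC, same key+IV,   XOR recovery succeeds:", CBCRecoveryWorks())
}
```

The recovery covers only a keystream prefix as long as the backup file, which is why victims needed a reasonably large known file; and the lesson for anyone building legitimate file encryption is the same one the attackers learned the hard way: never reuse a CTR nonce under one key.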
According to Tim Erlin, director of risk at the security tools company Tripwire, the absence of the US from the list of targeted countries is very noticeable, as the US is a target-rich environment. He named a few of the many possible reasons why the criminals did not target the US, including some simple ones: targeting the US might bring a faster effort to counter the threat; US citizens might pay the ransom at a lower rate; or the US is in fact on the list and will be targeted eventually.
While the main way of distributing TorrentLocker was malicious attachments in spam email, other mechanisms were introduced, such as exploiting web browser or PDF reader vulnerabilities to execute malicious code that installs the malware on the victim's machine.
Erlin added that it is important to understand that these means of compromise for ransomware are neither new nor static. Attackers can use a variety of means to infect a computer system; however, spam emails with malicious web links or executable attachments are the most popular because they simply work and continue to succeed.
While we still cannot offer a strong solution that would prevent you from getting infected by nasty malware like this (besides the well-known one: do not open files or web links that look suspicious), we still highly recommend using a VPN like NordVPN to protect your private data. NordVPN offers very strong encryption of your internet traffic and additional features such as Double VPN or Tor over VPN, leaving no chance for any kind of attacker to get hold of your sensitive information!