ESET Cracks TorrentLocker Malware That Ransoms Bitcoin

Internet security firm ESET has analyzed a major ransomware family known as TorrentLocker, which demands payment in bitcoin from its victims.

Ransomware is malware that restricts access to a computer system or its files and demands a ransom be paid to the malware's operators before access is restored.

Originally surfacing in early 2014, the latest variant of the malware has infected at least 40,000 systems in the last few months, primarily targeting European countries.

ESET's security research team has published a white paper presenting the findings of its investigation and analysis of the malware's behavior.

This family of ransomware encrypts documents, pictures and other files on a user's device and demands a ransom to restore access to them. A distinguishing trait of TorrentLocker is that the ransom is payable only in cryptocurrency: up to 4.081 bitcoins, equivalent to around US$1,334 at the time of the report.

In previous campaigns, TorrentLocker infected 40,000 systems and encrypted more than 280 million documents in targeted countries, mainly in Europe but also including users in Canada, Australia and New Zealand. Of these victims, only 570 paid the ransom, which earned the actors behind TorrentLocker US$585,401 in bitcoins.

ESET's telemetry detects TorrentLocker as Win32/Filecoder.Dl. The TorrentLocker name itself comes from the registry key in which early versions of this filecoder stored their configuration, disguised under the fake name "Bit Torrent Application".

In the white paper, ESET researchers describe seven different distribution methods they observed and analyzed for TorrentLocker. According to ESET's telemetry, the first traces of this malware date to February 2014. The malware is under continuous development, and its most advanced version has been in operation since August 2014.

ESET Canada Researcher Marc-Etienne M. Leveille commented:

We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking Trojan malware. Moreover, with TorrentLocker, the attackers have been reacting to online reports by defeating Indicators of Compromise used for detection of the malware and changing the way they use the Advanced Encryption Standard (AES) from Counter mode (CTR) to Cipher Block Chaining mode (CBC) after a method for extracting the key stream was disclosed.

As Leveille indicates, this means victims of the current variant can no longer recover their documents by XORing an encrypted file with its known plaintext to obtain the key stream. That method worked against the earlier CTR-mode version because the same key stream was applied to every file, so one file whose original the victim still had (a backup copy, a template) unlocked the rest. CBC feeds each plaintext block through the cipher itself, so the XOR of plaintext and ciphertext yields nothing that can be replayed against other files.
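The following script is an added illustration of the point above; it is not ESET's analysis code or the malware's code. It encrypts two constructed "documents" under the same key and nonce/IV in CTR and in CBC mode, recovers a key stream from the first file's known plaintext and tries to decrypt the second with it. Two assumptions are labelled in the code: the real sample used AES, but a tiny HMAC-SHA256 Feistel network stands in for the 16-byte block cipher so the script runs with only the Python standard library (the mode-of-operation logic is what the example is about), and the key and nonce/IV are reused across files, which is the condition the recovery method relied on.

```python
"""Why TorrentLocker's switch from AES-CTR to AES-CBC mattered.

Added illustration for this article; not ESET's code and not the malware's.
Assumptions:
  * The real sample used AES. To stay standard-library-only, a small
    HMAC-SHA256 Feistel network stands in for the 16-byte block cipher.
  * One key and one nonce/IV are reused for every file, the condition under
    which a single known plaintext exposes the key stream for all files.
"""
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    # XOR two byte strings, truncating to the shorter (handles the final
    # partial block in CTR mode).
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function: first 8 bytes of HMAC-SHA256(key, round || half).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block cipher (4-round Feistel). Assumption: NOT AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt; shows the stand-in really is invertible."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, left, rnd)), left
    return left + right


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode with an 8-byte nonce: C = P XOR E(key, nonce || counter).

    The key stream never depends on the plaintext, so C XOR P reveals it."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += _xor(data[i:i + BLOCK], keystream)
    return bytes(out)


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC mode with a 16-byte IV: C_i = E(key, P_i XOR C_{i-1}), PKCS#7 padded.

    Each block passes through the cipher, so C XOR P is E(...) XOR P:
    nothing that can be replayed against a different file."""
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    prev, out = iv, bytearray()
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def recover_keystream(known_plain: bytes, its_cipher: bytes) -> bytes:
    """The recovery step the article refers to: one file's plaintext XORed
    with its ciphertext. Only meaningful against a stream-style mode."""
    return _xor(known_plain, its_cipher)


def keystream_attack_works(mode: str) -> bool:
    """Encrypt two constructed documents under one reused key and nonce/IV,
    recover the key stream from the first (whose plaintext the victim still
    has, e.g. from a backup) and try to decrypt the second with it."""
    key = os.urandom(16)
    nonce_or_iv = os.urandom(8) if mode == "ctr" else os.urandom(16)
    known = b"Invoice template v3, do not modify. " * 4   # constructed sample
    target = b"Board minutes 2014-Q3: confidential. " * 3  # constructed sample
    encrypt = ctr_encrypt if mode == "ctr" else cbc_encrypt
    c_known = encrypt(key, nonce_or_iv, known)
    c_target = encrypt(key, nonce_or_iv, target)
    keystream = recover_keystream(known, c_known)
    recovered = _xor(c_target, keystream)
    return recovered[:len(target)] == target


if __name__ == "__main__":
    print("CTR, reused key stream:", keystream_attack_works("ctr"))  # True
    print("CBC, same key and IV:  ", keystream_attack_works("cbc"))  # False
```

Run it and the CTR case returns True while the CBC case returns False, even though both runs share key and IV across files. Note what CBC does not fix: with a deterministic IV, identical leading blocks in two files still produce identical leading ciphertext blocks, so the change closes the key-stream recovery without making the scheme indistinguishable. The known plaintext must also be at least as long as the target for CTR recovery to cover the whole file, which is why the sample keeps the known document longer.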

So how does the infection spread? Victims receive spam e-mail that lures them into opening a malicious attachment or link. The lures are mostly unpaid invoices, package tracking notices or unpaid speeding tickets. The e-mails gain credibility by mimicking business or government websites local to the victim; visitors from a different country are redirected to the Google search page. "To fool the victims, the attackers have even inserted CAPTCHA images to create a false sense of security," explains Leveille.

More information on the ransomware can be found on ESET’s Blog.