We recently observed a new ransomware variant, TorrentLocker, targeting nearly 4,000 organizations and enterprises, many of them located in Italy. TorrentLocker resembles an earlier ransomware family, CryptoLocker: it encrypts a wide range of files and demands payment from the victim. TorrentLocker routes its network traffic over the Tor anonymity network to hide it, which may be the origin of its name.
The threat used Italian-language spam email built from several templates as part of its social engineering. Translated into English, these messages read:
- Your question has been asked on the forum {day}/{month}/{year} {time}. Detailed answer refer to the following address: {malicious link}
- He sent a bill that would have paid before {day}/{month}/{year}. Details found: {malicious link}
- Your request has been initiated to revise the payment {malicious link}
Figure 1. Sample spam email
All the messages contain a link that points to a .ZIP file. Decompressing the archive yields a file disguised as a .PDF document. PDF files are routinely passed around within organizations, so employees who receive the spammed message may be tricked into thinking it is legitimate.
Figure 2. Screenshot of the linked archive file
Some of the archive files have filenames such as Versamento.zip, Transazione.zip, Compenso.zip, or Saldo.zip. These names translate to payment, transaction, compensation, and balance, respectively. Instead of a PDF file, however, the archived file is a CryptoLocker variant detected by Trend Micro as TROJ_CRILOCK.YNG.
Like other CryptoLocker variants, it encrypts a wide variety of file types, including .DOTX, .DOCX, .DOC, .TXT, .PPT, .PPTX, and .XLSX, among others. Most of these are Microsoft Office formats that enterprises rely on in daily operations, which is precisely what makes them worth holding to ransom.
In order to receive the decryptor tool to supposedly retrieve crucial files of users, they need to pay the ransom in Bitcoins. One of the samples we found asked for a ransom of 1.375 BTC, which is worth around $500, a type of digital currency.
Figures 3 and 4. Screenshots of the ransomware
Italian users were the most affected by this spam run: just over half of all spam messages identified as part of it were sent to users in Italy. A quarter went to Brazil, with other countries accounting for the remainder. At its peak, several thousand users were affected per day.
Figure 5. Distribution of TorrentLocker targets globally
Figure 6. Number of affected targets per day
We protect our users by blocking each facet of this threat: the spam messages themselves, the malicious URLs they link to, and the malicious files they deliver.
The SHA-1 hashes of the files seen in this attack include:
- 050b21190591004cbee3a06019dcb34e766afe47
- 078838cb99e31913e661657241feeea9c20b965a
- 6b8ba758c4075e766d2cd928ffb92b2223c644d7
- 9a24a0c7079c569b5740152205f87ad2213a67ed
- c58fe7477c0a639e64bcf1a49df79dee58961a34
- de3c25f2b3577cc192cb33454616d22718d501dc
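The two checks a mail gateway or incident responder would want from this post are the lure structure described above (a ZIP whose member is presented as a PDF) and the hash indicators listed above. The following is an added example, not code from the original post or from Trend Micro: it inspects an archive, sniffs each member's real type from its leading bytes, and matches members against the hash list. It assumes the disguised file is a Windows executable (the post says only that it is a CryptoLocker variant detected as TROJ_CRILOCK.YNG) and that the listed hashes are SHA-1 (they are 40 hex digits). The archive it inspects is constructed inside the block, not a real sample.

```python
import hashlib
import io
import zipfile

# SHA-1 hashes listed in the post as indicators for this attack.
TORRENTLOCKER_SHA1 = {
    "050b21190591004cbee3a06019dcb34e766afe47",
    "078838cb99e31913e661657241feeea9c20b965a",
    "6b8ba758c4075e766d2cd928ffb92b2223c644d7",
    "9a24a0c7079c569b5740152205f87ad2213a67ed",
    "c58fe7477c0a639e64bcf1a49df79dee58961a34",
    "de3c25f2b3577cc192cb33454616d22718d501dc",
}

# Refuse to inflate a single member beyond this. A tiny mailed archive that
# decompresses to hundreds of megabytes is itself suspicious (zip bomb).
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def sniff_type(data):
    """Classify a file by its leading bytes rather than by its extension."""
    if data.startswith(b"MZ"):
        return "pe"          # Windows executable; EXE, SCR and DLL all start with MZ
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def inspect_archive(zip_bytes, known_hashes=TORRENTLOCKER_SHA1):
    """Return one finding per archive member.

    Each finding carries the member name, its SHA-1, the type sniffed from
    magic bytes, and the reasons (if any) to treat it as malicious.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"name": info.filename, "sha1": None,
                                 "type": "skipped", "reasons": ["oversized member"]})
                continue
            data = zf.read(info)
            sha1 = hashlib.sha1(data).hexdigest()
            real_type = sniff_type(data)
            name = info.filename.lower()
            reasons = []
            if sha1 in known_hashes:
                reasons.append("known TorrentLocker hash")
            # The lure: a member presented as a document that is really a PE.
            looks_like_document = name.endswith((".pdf", ".doc", ".docx"))
            if looks_like_document and real_type == "pe":
                reasons.append("executable disguised as document")
            elif real_type == "pe":
                reasons.append("executable in mailed archive")
            findings.append({"name": info.filename, "sha1": sha1,
                             "type": real_type, "reasons": reasons})
    return findings


def is_malicious(findings):
    """True if any member of the archive produced at least one reason."""
    return any(f["reasons"] for f in findings)


def build_sample_archive():
    """Constructed test input (not a real sample): a ZIP shaped like the lure,
    holding a fake 'PDF' that starts with an MZ header plus one harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Versamento.pdf", b"MZ" + b"\x90" * 62 + b"fake PE body")
        zf.writestr("Saldo.pdf", b"%PDF-1.4\n%fake document\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    results = inspect_archive(sample)
    for finding in results:
        print(finding)
    print("archive sha1:", hashlib.sha1(sample).hexdigest())
    print("malicious:", is_malicious(results))
```

The hash list is the weakest of the three checks, since a recompiled payload produces a new hash while the lure structure stays the same; the magic-byte comparison catches the disguise regardless of hash. Hash both the archive and its members when matching, because the post does not say which of the two the listed hashes describe.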
Additional information provided by Grant Chen