TorrentLocker, crypto-ransomware targeting specific countries, has received improvements making it even harder to track and analyse.
TorrentLocker, which ESET analysed in 2014 and which hit Ireland as well, is still active. Because it chooses its potential victims with targeted spam, it avoids the attention that more prominent crypto-ransomware receives. However, ESET researchers have continued to keep their eyes on this malware.
“The gang behind TorrentLocker still seems to be in the game. They have been improving their tactics and have been slowly innovating this ransomware while trying to stay under the radar,” says Marc-Etienne M. Léveillé, ESET malware researcher.
TorrentLocker is being distributed via email messages with a page claiming that a “document” (purportedly a bill or a tracking code) should be downloaded. If the malicious “document” is downloaded and opened by the user, TorrentLocker is executed. It starts its communication with the C&C server and encrypts the victim’s files.
A well-known feature of TorrentLocker is how localised the download, ransom and payment pages are. Victims are provided with information in their own languages and in their local currency.
The improvements in TorrentLocker address the mechanisms protecting internet users in selected countries. They cover the way TorrentLocker contacts its Command-and-Control (C&C) servers, protection of the C&C server by an additional layer of encryption, obfuscation, and the process of encrypting the users’ files.
One of CryptoLocker’s notable improved features is the addition of a script into the chain leading to the final malicious executable file.
“The link in the spam email message now leads to a PHP script hosted on a compromised server. This script checks if the visitor is browsing from the targeted country and, if so, redirects to the page where the next stage of this malware is downloaded. Otherwise, the visitor is redirected to Google,” explains Marc-Etienne M. Léveillé.
In analysing this malware and its campaigns, ESET researchers found that 22 countries received a localised version of the ransom or payment page. However, 7 of them haven’t been hit so far with any major TorrentLocker spam campaign. They are France, Japan, Martinique, Portugal, Republic of Korea, Taiwan and Thailand.
Details and images (free to use) about the improvements in the TorrentLocker crypto-malware can be found in the full analytical article at ESET Ireland’s official blog.