Recently S21sec detected a very active ransomware campaign focused in Spain and Italy. The malware of choice this time has been TorrentLocker, and the means to trick the user into install the malware are a series of spam mails with a link to the malware.
Ransomware is a kind of threat that either blocks the desktop or encrypts the information contained in an infected device. In both cases the criminals demand a payment to restore the system, usually for the payout the victim is required to purchase Bitcoins, Ukash tickets or any other non traceable currency.
During the last two years we have seen several threats sharing a similar approach on desktop computers but also they target mobile devices. Some examples are: CryptoLocker, Reventon, Netra, CryptoWall, Decode@india, TorLocker, Urausy…
TorrentLocker affects Microsoft Windows systems it is reminiscent, although only in appearance, of the infamous CryptoLocker. But when the implementations are compared substancial differences arose.
The main resemblance comes from the appropriation of the CrytoLocker name in the ransom note. This may be done to boost the blackmail intimidation effect with the name of a better known threat, also could be an attempt to hide several weakness on the earlier versions.
This ransomware encrypts all files belonging to any the following extensions stored in every mapped drive unit. This means that TorrentLocker will not encrypt the network shared folders unless they are mounted as a local drive, this applies as well to the recovery partitions.
After a successful infection TrorrentLocker tries to establish a TLS session with its C&C server, which in opposition to CryptoLocker that employed a DGA it is hardcoded in the binary, in order to obtain encryption key. If the communication with the C&C panel can not be performed no encryption will be performed at all.
Currently two versions of the malware have been reported, the main change among them lies in the encryption algorithm being used.
The first news of TorrentLocker original version date back to August 2014, when another spam campaign impersonating the National Postal Service hit Australia.
This early version used a rudimental encryption routine that consist in applying a static XOR mask to the first 2 MB of the file (smaller than 2MB files would be fully encrypted). So if the victims had an unencrypted copy of a file bigger than 2 MB it was possible to retrieve the XOR key and restore the files using the following tool.
In our opinion, maybe is due to this weak algorithm that the criminals choose to disguise themselves as CryptoLocker due to the dreadful reputation of the former trojan.
Is during the early December of 2014 when a new variant of the malware outbreaks. The new strain uses the AES (Advanced Encryption Standard), this change make more difficult to retrieve the files.
It is still possible to retrieve the files if just after the infection a file carving tool is used, Due to TorrentLocker does not deletes the files in a secure manner after encryption.
For a more in depth analysis you should consider to read the original work on the malware done by iSHIGHT Partners.
The initial reports about the spam campaign we are analyzing in this post reach us during the first two days of December. It was active until December 5th at 20:09 (GMT+1) when the C&C servers went dark and stop to show any activity.
Through the course of the campaign several mail templates were employed in order to trick the users to download the attached .zip files. We have identified that at least three different templates were used.
- Mail 1
- Mail 2
- Mail 3
The links served .zip files that once unzipped shown the following names:
- Perfil.Pdf _____________________________________________________________.exe
Again a low tech but yet effective approach is taken in order to hide the file extension.
Is easy to spot that over 80% of the affected users are in Spain and Italy with little affectation in other countries. As a side an funny fact we found one affected computer in the Vatican State.
Additionally we have detected TorrentLocker campaigns targeting Turkey and Australia after the conclusion of the Spanish/Italian operation.
Due to its easy monetization and the relatively simple support infrastructure needed we are seeing a rising in the number of infections caused by some variety of ransomware.
In this cases prevention is the best defense for the user cause as we have seen recover the files can be extremely difficult once they have been cyphered. In corporative networks is important to control the access and privilege level of shared resources such network accesible drives in order to confine the damages to just the infected device.