May 5, 2017
The cyber criminals behind TorrentLocker have been busy baking another mix of social engineering and encrypting ransomware, a recipe that can spell disaster for careless Internet users.
The Danes have been a favorite target for TorrentLocker for the past two years. The attack tactics have ranged from spoofing well-known and trusted brands to relying on the old-fashioned tactic of malicious macros (which, antiquated as it may seem, still works).
The latest deceptive campaign carrying TorrentLocker ransomware is specifically targeted at Denmark and involves a malicious piece of code sent via email.
Attack and detection rates
From the subject line, the email seems innocuous, just like any other email about an invoice that needs to be paid. But attentive users will be wary of clicking on the link included in the suspicious email.
From: [Forged sender email address]
Subject line: Payment information
The body of the e-mail links to Dropbox (sanitized for your protection):
https://dl.dropboxusercontent[.]com/s/cwoged2mtm3o3hy/505741.zip?dl=0
(VirusTotal detection rate: 1/64)
If a careless user clicks on the link, it’ll prompt the download of a .zip archive that includes the following files:
Filename: 505741.js (VirusTotal detection rate: 5/56)
The “nortonsecured.png” file is yet another attempt at psychological manipulation that aims to confuse the user and reassure the potential victim that the files have been scanned with Norton antivirus and, as a consequence, are safe to open.
If the recipient goes on to open the .js file, TorrentLocker will be automatically downloaded from the following URLs (sanitized for your protection):
http://kolives[.]pl/file/ret.fgh (VirusTotal detection rate: 2/64)
http://pinusels[.]pl/file/ret.fgh (VirusTotal detection rate: 5/64)
But TorrentLocker doesn’t stop at encrypting the data on the computer the victim is using. It also goes on to infect connected network drives. At the same time, it will harvest information about your computer, along with data stored on it, and send it to other Command & Control servers that cybercriminals use. One of the newest C&Cs is:
As you’ve seen, detection rates for this infection are quite low, which is one more reason to be extra careful when opening emails and clicking on links. All Heimdal users are protected from this ongoing attack.
Since TorrentLocker has a longstanding history of targeting leading European countries, we can expect this attack to spread as the one in March did.
If you do get infected with TorrentLocker ransomware, this thread on BleepingComputer is very helpful and also includes some tips on rolling back to previous versions of your clean data.
However, in the unfortunate event that you don’t have any kind of backup for your files, you can try using the TorrentUnlocker tool from the same forum. We do recommend you read the instructions and ask for help so that you won’t damage your data for good.
If you’re looking for decryption tools for other types of ransomware, we have a huge and up-to-date list packed with them.
Of course, one of the best things you can do to keep a ransomware infection from happening is to attentively check the emails you receive for suspicious content:
Strange sender email addresses
Links included in the email (scanning them through VirusTotal is always a good idea, but keep in mind that some may be new infections that no one can recognize as malicious)
Any attachments that seem strange or are unsolicited.
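The link and attachment checks above, together with the archive layout described earlier (a script file next to a reassuring image), can be automated when triaging reported emails. The following Python example is an addition to this article, not code from Heimdal or from the campaign; the extension lists, the decoy keywords, the function names and the example.com link are assumptions, and the sample archive is constructed with harmless placeholder content.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# Extensions Windows runs on double-click via Windows Script Host / mshta
SCRIPT_EXT = (".js", ".jse", ".vbs", ".wsf", ".hta")
ARCHIVE_EXT = (".zip", ".rar", ".7z")
IMAGE_EXT = (".png", ".jpg", ".gif")
# Assumed keywords for image names that imitate a "scanned and safe" badge
TRUST_WORDS = ("secured", "scanned", "verified", "norton")

def archive_links(body):
    """Return URLs in an email body whose path points straight at an archive."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    # Compare the path only, so a query string such as ?dl=0 does not hide the extension
    return [u for u in urls if urlparse(u).path.lower().endswith(ARCHIVE_EXT)]

def inspect_zip(data):
    """List suspicious members of a downloaded archive without extracting it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    for name in names:
        lower = name.lower()
        if lower.endswith(SCRIPT_EXT):
            findings.append(f"script:{name}")
        elif lower.endswith(IMAGE_EXT) and any(w in lower for w in TRUST_WORDS):
            findings.append(f"trust-decoy:{name}")
    return findings

def build_sample_zip():
    """Constructed sample with the same file names as the archive described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("505741.js", "// harmless placeholder\n")
        zf.writestr("nortonsecured.png", b"\x89PNG placeholder")
    return buf.getvalue()

# Constructed email body; the host is a placeholder, not the campaign's link
SAMPLE_BODY = "Payment information: https://files.example.com/s/abc123/505741.zip?dl=0"

if __name__ == "__main__":
    print(archive_links(SAMPLE_BODY))
    print(inspect_zip(build_sample_zip()))
```

A script member inside an archive that arrived via an invoice-themed link is a strong signal on its own, regardless of how few antivirus engines flag the file.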