TorrentLocker ransomware campaign hit Spain and Italy

Experts at S21sec firm recently detected a new ransomware campaign based on TorrentLocker that infected users prevalently in Italy and Spain.

The last report published by Trend Micro revealed that ransomware represents a serious cyber threat in the EMEA region, where countries like Italy and Spain observed over 80% of the affected users.

Recently S21sec detected a new ransomware campaign based on TorrentLocker malware that appears very active in Italy and Spain.

The malware is spread through spam emails containing a link to the malware.

The spam campaign was observed in the first couple days of December, it was active until December 5th when the C&C servers went dark and stop any activity.

” Is easy to spot that over 80% of the affected users are in Spain and Italy with little affectation in other countries. As a side an funny fact we found one affected computer in the Vatican State.  Additionally we have detected TorrentLocker campaigns targeting Turkey and Australia after the conclusion of the Spanish/Italian operation.” reads a blog post from S21sec.

Currently. the experts have detected two strain of TorrentLocker malware that differ for the encryption algorithm being used. As explained by experts, in order to unlock the resources, the malware authors demand a payment with a virtual currency like Bitcoin or Ukash tickets, to make difficult to trace the transactions.

TorrentLocker is able to infect Microsoft Windows systems, it encrypts all files on the infected machine stored in every mapped drive unit, but it not encrypts data on network shared folders if they are not mounted as a local drive, similar behavior is for the recovery partitions.

Once infected the system, TorrentLocker tries to contact the C&C server to receive the encryption key to perform its activities.

“After a successful infection TrorrentLocker tries to establish a TLS session with its C&C server, which in opposition to CryptoLocker that employed a DGA it is hardcoded in the binary, in order to obtain encryption key. If the communication with the C&C panel can not be performed no encryption will be performed at all.” states the blog post.

The early versions of TorrentLocker was using a rudimental encryption routine that consist in applying a static XOR mask to the first 2 MB of the file, but earlier December 2014 appeared a new variant that was using the AES (Advanced Encryption Standard) to encrypt the files.

The experts explained that is still possible to retrieve files just after TorrentLocker infection in some cases.

“It is still possible to retrieve the files if just after the infection a file carving tool is used, Due to TorrentLocker does not deletes the files in a secure manner after encryption.” explains the post.

Further details on TorrentLocker are available in the interesting analysis conducted by experts at iSHIGHT Partners.

Pierluigi Paganini

(Security Affairs –  TorrentLocker , Ransomware)