Highly targeted ransomware campaign hit Swedish Telia customers

Pierluigi Paganini May 30, 2016

According to a new analysis published by experts at Heimdal Security a new Ransomware campaign targeted millions by spoofing Telco giant Telia.

Ransomware continues to represent one of the most insidious and aggressive cyber threats, a new campaign launched by threat actors in the wild is impersonating the telecom giant Telia.

According to the experts at the Heimdal Security firm, millions of Telia’s customers are exposed to the risk of infection. Hackers have launched a sophisticated and surgical campaign that leverages on a mix of attack vectors.

Most of the victims are located in Sweden, in a first stage of the attack the threat actors send victims message including a link to an invoice which appears to come from Telia.

When the victims open the malicious message and click the link, they are redirected to a web page that displays them a Captcha code.

Telia campaign ransomware crypt0L0cker-redirect

Only when the victims provide the code, a TorrentLocker payload is served to the victim’s machine. The malware is downloaded only if the victims’IP addresses are from Sweden, users from other countries are redirected to the Google page.

“The Torrentlocker family is well known for its highly targeted spam email campaigns,” said Heimdal Security researcher Andra Zaharia, in an analysis. “Attackers carefully localize the emails, ransom notes and other elements tied to the campaign. The more targeted the attack, the higher the chances for it to be effective.” explained Andra Zaharia, Heimdal Security researcher, in a detailed analysis of the Telia campaign.

The TorrentLocker encrypts all the data files available on the local drive and on connected network drives, then displays a ransom note to instruct victims on the payment procedure.

When the ransomware infects the machines they connect to the C&C server in order to send back data including digital certificates from the infected device.

“It will then register the infected computer and the data harvested from it, which includes certificates from the infected device. A new thing about this attack is that the ransomware will inject itself into the memory of the “explorer.exe” process (child process). It will then drop the main component with an arbitrary filename. Available contact details on the device will also be collected and sent to the aforementioned C&C server, certainly to be used in future spam campaigns.” reads the analysis published by Heimdal Security.

The crooks request the payment of 1.15 Bitcoins (roughly 4099 SEK (441 EUR)), if the victims don’t pay within a deadline, the ransom value will double.

At the time I was writing the campaign is detection only by 19 of 57 antivirus solutions according to VirusTotal.

As usual, let me suggest to keep your software up to date and maintain a fresh backup of your data.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.


Thank you


[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Telia ransomware campaign, malware)

you might also like

leave a comment