TorrentLocker, one of the most widespread pieces of ransomware, has claimed thousands of victims since it first surfaced in February 2014, according to new research.
Out of 39,670 infected Windows systems, 570 or 1.45 per cent have paid the ransom to criminals to decrypt their locked-up files, according to infosec biz ESET. The crooks behind the scam made between $292,700 (£187k) and $585,401 (£375k) in Bitcoins from these payments.
The ransomware generates a random 256-bit AES key to encrypt documents, pictures and other files on a victim’s PC before demanding up to 4 BTC (about $1,500) from victims; the data is restored if the money is paid.
The encryption key is itself encrypted using a 2048-bit public RSA key and sent to a central server. The AES key is then deleted from memory. If the ransom is paid, the crims running the scam decrypt the AES key using their private RSA key and send it back to the malware to restore the scrambled data.
TorrentLocker, we're told, encrypted 280 million documents stored on computers mainly in Europe, but also in Canada, Australia and New Zealand.
Marks receive spam email to trick them into opening a booby-trapped attachment – it's usually a bogus unpaid invoice, package tracking document or unpaid speeding ticket – or follow a link to a site to download the malware. The download web page is mocked up to look like a legit business or government website, such as a national postal service, with a CAPTCHA to look even more genuine.
Once the attachment is opened, it turns out to be a ZIP archive containing the malware's executable or a Word document with a Visual Basic macro that downloads and installs the TorrentLocker .exe. Ultimately, the victim has to run the program to become infected.
Waves of spam distributing TorrentLocker have been launched at Australia, Austria, Canada, Czech Republic, Italy, Ireland, France, Germany, Netherlands, New Zealand, Spain, Turkey, and the United Kingdom. Curiously, the US is absent from this list for reasons that aren’t immediately obvious.
ESET’s researchers reckon the gang behind TorrentLocker is the same one behind the Hesperbot family of online bank account raiding malware.
“We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking trojan malware,” said ESET researcher Marc-Etienne M. Léveillé. “Moreover, with TorrentLocker, the attackers have been reacting to online reports by defeating Indicators of Compromise used for detection of the malware, and changing the way they use Advanced Encryption Standards (AES) from Counter mode (CTR) to Cipher block chaining mode (CBC) after a method for extracting the key stream was disclosed.”
The change to AES-CBC means TorrentLocker victims can no longer exclusive-OR an encrypted file and a plain-text backup to recover the keystream, and thus recover all their encrypted files, as a blog post by ESET explains:
In September Finnish researchers at Nixu Oy detailed a method by which victims of TorrentLocker could recover the contents of their encrypted files, without handing any money over to the criminals behind the attack.
Predictably, once they realised that it was possible to extract the keystream, the authors of TorrentLocker released a new version which changed their encryption methodology, and shut the door on the loophole immediately.
ESET’s research is explained in a white paper here [PDF].
Tim Erlin, director of security and risk at security tools firm Tripwire, commented: “The absence of the United States on the list of targeted countries is notable, as it’s a target rich environment. It might be that targeting the US results in faster development of countermeasures, or simply that the hit rate on victims actually paying the ransom is lower, or that the US is further down the list and would have been targeted eventually."
Although spam email with malicious attachments has been the main mechanism to deploy TorrentLocker, other means may be brought into play – such as exploiting vulnerabilities in web browsers or PDF readers to execute malicious code to install the software nasty.
“It’s important to understand that the initial point of compromise for ransomware isn’t static or new. Attackers can use a variety of means to ultimately infect a computer system. Spam with malicious links or executables are popular because they continue to succeed,” Erlin added. ®