TorrentLocker is back with campaigns targeting Denmark
TorrentLocker ransomware, which is also known as fake Crypt0l0cker, has been disappearing and re-emerging since 2015[1]. Over that time it has become apparent that this ransomware primarily targets Danish-speaking computer users[2]. The creators of the virus have shown creativity by employing a different distribution tactic every once in a while. In the past, the ransomware authors spoofed the identities of companies such as IKEA, PostNord, or Telia[3] to trick unsuspecting victims into opening malicious links leading to phishing pages that contained obfuscated download links for the ransomware. TorrentLocker was also spread via emails carrying Word documents with malicious macros[4]. It appears that the attackers have changed their tactics once again: the current campaign targets Denmark and delivers the malware via email.
According to the latest reports, the most recent phishing emails look like ordinary invoice emails. However, the message body contains a Dropboxusercontent URL that downloads a .zip archive. The ZIP archive contains a nortonsecured.png image, which is meant to make the user believe that the file is verified and harmless. The archive also contains a JS file, which may be named with a random string of digits, for instance 505741.js. As soon as the victim opens the JavaScript file, the script inside it contacts the following domains – http://kolives (.) pl / file / ret.fgh or http://pinusels/ (.) pl / file / ret.fgh – and downloads the ransomware from them. The ransomware begins encrypting right away, turning files stored on the compromised computer, as well as on connected network drives, into useless data. The ransomware also communicates with its Command & Control server and transmits data about the victim's computer to it.
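As an added illustration of how a mail gateway or sandbox could flag the lure just described (this is example code written for this page, not from the original report or any vendor tool), the script below applies three assumed heuristics to a ZIP attachment: a digit-only JavaScript file name, a bundled "verified" image, and a script that references a remote .fgh file. The sample archive is constructed in memory with an inert script and a placeholder host name.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Heuristics derived from the reported campaign (assumed, not vendor signatures).
DIGIT_JS = re.compile(r"^\d+\.js$", re.IGNORECASE)           # e.g. 505741.js
DECOY_IMAGE = re.compile(r"norton.*\.(png|jpg|gif)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
PAYLOAD_EXT = ".fgh"                                           # ret.fgh in the reported campaign


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def inspect_attachment(zip_bytes: bytes) -> Verdict:
    """Score a ZIP email attachment against the TorrentLocker lure pattern."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        js_members = [n for n in names if DIGIT_JS.match(n.rsplit("/", 1)[-1])]
        if js_members:
            reasons.append(f"digit-named JavaScript member: {js_members}")
        if any(DECOY_IMAGE.search(n) for n in names):
            reasons.append("decoy 'verified' image bundled with script")
        for member in js_members:
            text = zf.read(member).decode("utf-8", errors="replace")
            for url in URL_RE.findall(text):
                if url.lower().rstrip("/").endswith(PAYLOAD_EXT):
                    reasons.append(f"{member} fetches {url}")
    # Two independent indicators are required before the attachment is flagged.
    return Verdict(suspicious=len(reasons) >= 2, reasons=reasons)


def build_sample(benign: bool = False) -> bytes:
    """Constructed sample archive: inert script, placeholder host (not a real IoC)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if benign:
            zf.writestr("invoice.pdf", b"%PDF-1.4\n")
        else:
            zf.writestr("nortonsecured.png", b"\x89PNG\r\n\x1a\n")
            zf.writestr("505741.js", 'var u = "http://placeholder.invalid/file/ret.fgh";\n')
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment(build_sample()))
    print(inspect_attachment(build_sample(benign=True)))
```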
Although security researchers demonstrated their skills and released TorrentUnlocker to rescue files encrypted by earlier TorrentLocker versions, it seems that the virus' authors have already fixed the flaws in their code, so the decryption tool is useless against the latest ransomware variants. If you have already tried it and it did not help you restore the encrypted data, we must say that the only remaining chance to restore your files is a data backup[5], provided that you ever created one. We also want to warn victims that the malware has been markedly improved since 2015: the virus is now capable of stealing login credentials for all services the victim uses and spreading itself to other PCs through shared files. You can read more information about TorrentLocker's capabilities in this article.
- [1] JP Buntinx. Updated TorrentLocker Ransomware Capable of Stealing Login Credentials. Sophos News.
- [2] Gabriela Vatu. New TorrentLocker Ransomware Variant Targets Denmark. Softpedia News.
- [3] Pierluigi Paganini. Highly targeted ransomware campaign hit Swedish Telia customers. Security Affairs.
- [4] Cryptolocker variant Torrentlocker making new victims in NL. Fox-IT International Blog.
- [5] Brian Greenberg. Backup - The panacea for computer viruses and ransomware. HackerNoon.