TorrentLocker is back with campaigns targeting Denmark

TorrentLocker ransomware virus, which is also known as fake Crypt0l0cker, has been disappearing and emerging again since 2015[1]. Since then, it became apparent that this ransomware exceptionally targets Danish-speaking computer users[2]. Creators of the virus showed creativity by employing different distribution tactics every once in a while. In the past, the ransomware authors spoofed the identities of companies such as IKEA, PostNord, or Telia[3] to trick unsuspecting victims into opening malicious links leading to phishing pages that contained obfuscated links to download the ransomware. TorrentLocker was also spread via emails containing malware-laden Word documents with malicious macros[4]. It appears that the attackers changed their tactics once again and now they are distributing the malware via a campaign that once again targets Denmark and delivers malware via email.

TorrentLocker is back with campaigns targeting Danes

According to latest reports, the most recent phishing emails look like regular emails that deliver invoice. However, the message body contains a Dropboxusercontent URL that downloads a .zip archive. The ZIP archive contains a nortonsecured.png image, which is meant to trick the user into thinking that the file is verified and harmless. The archive also contains a JS file, which can be entitled with a random set of digits, for instance, 505741.js. As soon as the victim opens the JavaScript file, the script inside of it activates to address the following domains – http://kolives (.) pl / file / ret.fgh or http://pinusels/ (.) pl / file / ret.fgh and download ransomware from them. The ransomware begins the encryption process right away, and turn files stored on the compromised computer, as well as connected network drives into useless pieces of data. The ransomware communicates with its Command & Control server and transmits data about victim’s computer to it.

Although security researchers demonstrated their skills and released a TorrentUnlocker to rescue files encrypted by earlier Torrent Locker’s versions, it seems that virus’ authors fixed flaws in their code already, therefore the decryption tool is useless in a confrontation with the latest ransomware variants. If you already tried it and it didn’t help you to restore the encrypted data, we must say that the only chance to restore your files is to use a data backup[5], of course, if you ever created one. We only want to warn the victims that the malware has been markedly improved since 2015, and now the virus is capable of swiping login credentials for all services that the victim uses and sharing the virus to other PCs through shared files. You can read more information about TorrentLocker’s capabilities in this article.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.

Contact Olivia Morelli
About the company Esolutions