Ransomware has proven to be such a successful money-making model that a new variant is discovered, or a new delivery campaign spotted, nearly every day.
The researchers believe that TorrentLocker is currently targeting mostly Australian users, as the amount of the demanded ransom is given in Australian dollars, and users are urged to use Australian Bitcoin exchanges to get the required equivalent in Bitcoin to send to the crooks. They also believe that the ransomware spreads via spam emails.
“For the malware to begin encrypting files, it needs to have an active Internet connection,” they shared. “Initially, the malware will reach out to a domain hardcoded into the malware likely to check for connectivity. It will then send data to the IP address hosting the domain and exchange certificate information over a secure connection. If successful, the malware begins encrypting files and will prompt the user after it has finished with a ransom message.”
The message makes it seem like the files have been encrypted with CryptoLocker.
The “helpful” FAQ section claims that all the user’s important files have been encrypted with RSA-2048 bit encryption, and that breaking it “is impossible without special decryption software.”
“You can buy this decryption software on our website,” the message says, and points to a site listing instructions on how to do that. The price is steep – 500 AUD – and will increase in the following days.
The crooks also offer proof that the decryption software works: users can submit one of their encrypted files to the attacker’s website, and will get it back decrypted.
Besides the obvious lies in the message, there are some that most users will not spot, such as the claim about RSA-2048: the files are actually encrypted using the Rijndael algorithm.
“The encryption method requires a password for encryption. It is unclear whether the password is stored locally or retrieved from a remote server,” the researchers explained. “It is likely that the password is generated per infection. Repeated runs of the same sample produced different encryption on the files suggesting that the password changed. The exact method of password generation has yet to be discovered.”
TorrentLocker ensures its persistence on the infected system by storing copies of itself in several folders and creating an autorun key in the registry.
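The persistence pattern just described (copies of the binary in several folders plus an autorun registry value) is something a responder can check for offline. The following is an added example, not code from the article or the researchers: it parses a constructed .reg export of a user's Run key and flags entries that launch from user-writable folders, or the same binary name registered from more than one folder. The sample entries, value names and paths are invented for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed .reg export of a user's Run key (not real TorrentLocker data):
# one legitimate entry and two hypothetical persistence entries pointing at
# copies of a binary dropped in user-writable folders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\wuauclt.exe"
"SystemChk"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\svc\\wuauclt.exe\" -q"
'''

# Folders an unprivileged user can write to (constructed list); autorun
# entries launching from here are a common sign of malware persistence.
USER_WRITABLE = ("appdata", "temp", "tmp", "programdata", "public", "downloads")

# One REG_SZ value per line: "name"="data" (data uses \\ and \" escapes).
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$', re.MULTILINE)

def parse_run_values(reg_text):
    """Return (name, command) pairs from a .reg export, with escapes removed."""
    entries = []
    for name, raw in VALUE_RE.findall(reg_text):
        cmd = raw.replace('\\"', '"').replace("\\\\", "\\")
        entries.append((name, cmd))
    return entries

def executable_path(command):
    """Extract the program path from a Run command, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]

def flag_suspicious(entries):
    """Return (name, path, reason) for entries launched from user-writable
    folders, plus any binary name registered from more than one folder."""
    findings, seen = [], {}
    for name, cmd in entries:
        path = PureWindowsPath(executable_path(cmd))
        if any(part.lower() in USER_WRITABLE for part in path.parts):
            findings.append((name, str(path), "user-writable location"))
        seen.setdefault(path.name.lower(), set()).add(str(path).lower())
    for exe, paths in seen.items():
        if len(paths) > 1:
            findings.append((exe, ";".join(sorted(paths)), "same binary in multiple folders"))
    return findings

if __name__ == "__main__":
    for finding in flag_suspicious(parse_run_values(SAMPLE_REG)):
        print(finding)
```

On a real system the same functions can be fed the output of `reg export` for the HKCU and HKLM Run keys; the folder list should be tuned to the environment, since legitimate per-user installers also launch from AppData.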
“The overall feel of the malware looks like CryptoWall, but the messages displayed are suggestive of CryptoLocker. It is possible that CryptoLocker’s creators have compiled this new malware, but it is not a variant of the well-known ransomware,” they pointed out.
There is currently no evidence that TorrentLocker is being sold on underground forums, so it’s likely that its creators are also the ones behind this campaign.