1H TorrenLocker Landscape Shows A Growing Target Base

2015 torrentlocker landscape View 1H TorrentLocker Landscape: Targeting Even More Victims in Australia

The emergence of ransomware—a type of malware that prevents or limits its victims from accessing their own files and systems—has become a growing problem for the computing public through the years. Its continuing evolution from “scareware” to a more sophisticated form of malware with encrypting capabilities has made ransomware one of the most notorious malware types to prey on unsuspecting users.

In the first quarter of 2015, we have noted how ransomware has spread to enterprises and niche users. The second quarter then showed an apparent rise in CryptoWall-related URLs. The data collected shows that almost 70% of incidents hit mostly small and medium-sized businesses, followed by enterprise and the consumer segments.

TorrentLocker is a crypto-ransomware strain that has amassed victims in North America, Europe, and Australia, using file encryption to force users to pay a ransom in exchange for regaining access to their kidnapped files. In 2014, we zoomed in on TorrentLocker attacks in Australia and detailed the malware’s usual attack scenario and infection chain.

Our continuing investigation, as seen in the paper “1H TorrentLocker Landscape: Targeting Even More Victims in Australia”, provides more details on the infections seen in the first half of 2015, including common evasion techniques, and solutions to defend against the threat.

Slipping through security cracks

The continuing surge of TorrentLocker may be attributed to the fact that it has successfully devised evasion techniques that allowed it to stealthily infect one’s system. Some of these techniques, as noted below, are known to bypass spam filters, web reputation, and malware detection.

[Watch: TorrentLocker in action]

TorrentLocker sends emails only to legitimate accounts via carefully-crafted email spam. These messages are disguised as actual parcel tracking and penalty notice emails with attached hyperlinks. Instead of using botnets, it uses legitimate web servers to circumvent IP reputation filters. Aside from this, it evades sandboxes by adding a CAPTCHA feature to the malware-carrying web page.

Aside from using standard malware techniques that reduce detection rates, TorrentLocker also inserts dead code, or a sequence of non-effective assembly instructions, that challenge pure signature-based static detections.

Good old bag of tricks

Social engineering lures remained instrumental in the rise of TorrentLocker cases in 2015. The outbreak seen from April to May showed cybercriminals leveraging the Australian Federal Police, and postal services not just in Australia (Couriers Please) but also in Spain (Correos Postal Service). Other data sets noted in the study prove that while the surge of TorrentLocker infections have become a debacle in Australia, it has already started to cross borders and spark concern among users in other countries.

Typically, spam attacks were spotted between 1AM- 9AM, which Trend Micro researchers see as a part of a trick to match email delivery time with the beginning of a work day. 

During the course of a study that spanned from April 29 to May 19, Trend Micro researchers monitored TorrentLocker-related URLs seen in different countries. It is not surprising that the results showed that Australia had the highest number of malicious URLs at 63%, reflecting the high volume of the malware in the region. Spain was a far second at 14%, while the United States was third at 6%.

The most effective campaign happened on May 14 in Australia, where data kidnappers used the AFP as a lure. Close to 60% of visits to the spoofed site came from the region, while some Spanish users were also victimized, at 33.6%.

Solutions and Insights

TorrentLocker, much like any other type of ransomware, tricks users into handing over the keys to their most valued data. With the spread of the malware to the enterprise segment, having a solid file backup strategy for home users and businesses is a must. User education and awareness on how TorrentLocker carries out its routines is a good way to keep threats as tricky as this at bay. 

There is no silver bullet that can be used to prevent TorrentLocker from causing financial damage and data loss among users and business, which is why it's important to have a holistic, reputation based solution that covers all the bases (web, email, and file). Below are strategies used to prevent TorrentLocker or any ransomware type from entering the enterprise’ system and network:

  1. Create a carefully-designed policy that limits number of people and systems that have access to shared and critical data.
  2. Implement advanced monitoring of incoming email and other traffic that employs real-time threat intelligence to identify and safeguard one’s network from malicious emails, compromised URLs and C&C hosts and infected file attachments. The Trend Micro™ Smart Protection Network™ provides real-time threat intelligence system that gathers global input from millions of collection points and uses big-data analytics to produce up-to-the-minute information about the latest threats.
  3. Perform comprehensive monitoring of network traffic via an advanced heuristic,sandbox, and emulation analysis to detect suspicious network behavior.
  4. Make use of next-generation endpoint technologies like advanced anti-malware to detect and stop ransomware infections. Application whitelisting can be used to identify applications that are allowed to run and execute on endpoints.
  5. Conduct user training and education to fully familiarize endpoint users with malicious spam and phishing attacks that could be used to infiltrate the network.

For the full details and strategies against this ransomware strain, read the paper “1H TorrentLocker Landscape: Targeting Even More Victims in Australia”.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.