New Torrentlocker Campaign Spoofs Nordic Telco Giant, Millions of Customers at Risk

The onslaught of ransomware attacks continues with the emergence of a new ransomware campaign reportedly making the rounds in Europe. Researchers at Heimdal Security note that the recently discovered campaign traces back to the previously uncovered Torrentlocker ransomware family and its known spam email runs. In this case, cybercriminals exploit the trust that unsuspecting users place in Telia, the Nordic telecommunications company whose client base reaches hundreds of millions of customers in Europe and Asia.

The 13-year-old Stockholm-based telco giant is now being used in a targeted spam campaign, potentially putting its customers at risk. The bait comes in the form of email messages masquerading as an invoice from Telia. Feigning legitimacy and trading on the trusted company’s name, the message tricks the target into clicking a poisoned link that redirects him or her to a bogus webpage. There, a Captcha is displayed to lure the user into supplying the code. Once the user enters the code, Torrentlocker is downloaded onto the system.
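The lure described above relies on two classic spoofing tricks: a sender display name that claims a trusted brand while the actual address belongs to an unrelated domain, and a link whose visible text or branding does not match where it really points. The following Python snippet is an added example, not code from the original article or from Heimdal Security, showing how a mail-filtering or triage tool can flag both patterns. The brand-to-domain table, the sample message and the two-label "registered domain" heuristic are assumptions constructed for the example; the sample addresses and hosts are made up and use the reserved `.test` TLD.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not a real Telia invoice, not a real campaign message):
# display name claims Telia, but sender domain and link target do not.
SAMPLE_EMAIL = """From: "Telia Faktura" <billing@example-invoice.test>
To: customer@example.test
Subject: Din faktura
Content-Type: text/html

<html><body>
<p>Your invoice is ready.</p>
<a href="http://captcha.example-invoice.test/verify">https://www.telia.se/faktura</a>
</body></html>
"""

# Assumed allow-list: brand keyword -> domains legitimately allowed to mail for it.
BRAND_DOMAINS = {"telia": {"telia.se", "telia.com"}}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two DNS labels; a simplification that ignores multi-label TLDs like co.uk."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def html_body(msg):
    """Concatenate all text/html parts (handles both single-part and multipart mail)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(p.get_payload() for p in parts if p.get_content_type() == "text/html")


def check_email(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_dom = registered_domain(addr.rpartition("@")[2])
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]

    # Check 1: display name invokes a brand, but the envelope domain is not the brand's.
    for brand in claimed:
        if sender_dom not in BRAND_DOMAINS[brand]:
            findings.append(f"sender claims '{brand}' but mail comes from {sender_dom}")

    parser = LinkExtractor()
    parser.feed(html_body(msg))
    for href, text in parser.links:
        href_dom = registered_domain(urlparse(href).hostname)
        # Check 2: anchor text is a URL whose domain differs from the real target.
        if text.lower().startswith(("http://", "https://")):
            text_dom = registered_domain(urlparse(text).hostname)
            if text_dom != href_dom:
                findings.append(f"link shows {text_dom} but points to {href_dom}")
        # Check 3: brand-branded mail links somewhere outside the brand's domains.
        for brand in claimed:
            if href_dom not in BRAND_DOMAINS[brand]:
                findings.append(f"link in '{brand}'-branded mail points to {href_dom}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

On the constructed sample the function reports all three mismatches. The checks are deliberately conservative heuristics for triage, not a verdict: a legitimate mail that links to a third-party payment processor would also trip check 3, so in practice the allow-list needs the brand's known partner domains, and authentication results (SPF/DKIM/DMARC) should be weighed alongside these content checks.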

[Watch: See How Torrentlocker Works]

In a blog post, researcher Andra Zaharia shared, “Attackers carefully localize the emails, ransom notes and other elements tied to the campaign. The more targeted the attack, the higher the chances for it to be effective.” Initial analysis shows that Swedish users are the primary targets, as seen in the malware’s behavior. If the victim’s IP address is located in Sweden, the ransomware download proceeds. Otherwise, the potential victim is redirected to the Google homepage. Given how elaborate the tactic is, security experts believe that swift adaptation and replication of this model in further campaigns is not far off.

Once the malicious code is running, the ransomware connects to a central C&C server to register the infected machine and the data harvested from it. Notably, contact details collected from the compromised system are also sent to the server, presumably to be used in future spam runs. Torrentlocker then encrypts files on the local drive and on any connected network drives it can reach. Once the files are encrypted, a ransom is demanded from the victim, priced at 1.15 Bitcoins or an amount reaching 441 EUR. As with other recently seen ransomware families, a time limit for payment is set; if the deadline expires without payment, the ransom needed to obtain the decryption key and regain access to the files doubles.

[Illustration: The What, How, and Why of Ransomware]

Spoofing the identities of trusted individuals, companies, and organizations is an age-old cybercriminal trick that remains effective to this day. Such a strategy is not necessarily designed to tarnish a respected company’s or individual’s reputation; it aims to exploit people’s sense of trust to rake in profit. Security experts and authorities continue to stress the value of regular data backups to prevent potential data loss. Continued vigilance and cybersecurity education remain the most essential building blocks of a user’s defense against ransomware and cybercrime in general.
