The ransomware known as TorrentLocker has been spotted perpetrating an attack against European nations such as Germany and Norway. While the ransomware’s behavior isn’t too different from the earlier variants, its new method of propagation makes it a dangerous threat for end users who lack awareness of the various phishing techniques used by cyber criminals.
These variants (detected by Trend Micro as RANSOM_CRYPTLOCK.DLFLVV, RANSOM_CRYPTLOCK.DLFLVW, RANSOM_CRYPTLOCK.DLFLVS and RANSOM_CRYPTLOCK.DLFLVU) use social engineering to trick their victims—primarily company employees—into clicking a Dropbox URL embedded in a phishing email. This URL leads to a fake “invoice document”, which is actually the ransomware’s executable. TorrentLocker’s use of Dropbox adds a detection hurdle, as the hosting site itself is legitimate.
The ransomware’s distribution of targets based on Trend Micro’s Smart Protection Network (SPN) data can be seen in the chart below:
Python-based ransomware make an appearance
A couple of notable Python-based ransomware dubbed PyL33t (Detected by Trend Micro as Ransom_PYLEET.A) and Pickles (Detected by Trend Micro as Ransom_CRYPPYT.A) made the rounds during the end of February.
Internet culture bears a heavy influence on the PyL33t ransomware, as seen in its Comic Sans ransom note, its use of the 1337 port, and its use of the .d4nk extension, which it adds to files it encrypts. Once PyL33t is downloaded and executed in the victim’s computer, it will encrypt various files that use extensions such as .docx, .jpg and .xlxs.
Pickles is a harmless-sounding name for another dangerous Python-based ransomware. Once Pickles infects the victim’s computer, it encrypts files and renames them with the .EnCrYpTeD extension, changes the wallpaper to the message seen above, and drops a ransom note called READ_ME_TO_DECRYPT.TXT containing a steep ransom demand of 1 bitcoin, roughly $1200. The decryptor is dropped along with the ransomware; however, decrypting the affected files requires a password.
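Both families leave the same kind of trace on disk: a burst of files renamed to an unusual extension (.d4nk or .EnCrYpTeD) followed by a ransom note (READ_ME_TO_DECRYPT.TXT). The following detection routine is an added example, not code from the Trend Micro write-up; the "timestamp ACTION path" file-event format and the SAMPLE_EVENTS lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the write-up above (PyL33t and Pickles);
# matched case-insensitively because .EnCrYpTeD uses mixed case.
RANSOM_EXTENSIONS = {".d4nk", ".encrypted"}
RANSOM_NOTES = {"read_me_to_decrypt.txt"}

# Constructed sample file-system events: "ISO-timestamp ACTION path".
SAMPLE_EVENTS = [
    "2017-02-27T10:00:01 CREATE /home/alice/docs/notes.txt",
    "2017-02-27T10:00:05 RENAME /home/alice/docs/report.docx.EnCrYpTeD",
    "2017-02-27T10:00:06 RENAME /home/alice/docs/budget.xlsx.EnCrYpTeD",
    "2017-02-27T10:00:06 RENAME /home/alice/photos/cat.jpg.EnCrYpTeD",
    "2017-02-27T10:00:07 RENAME /home/alice/docs/plan.pptx.EnCrYpTeD",
    "2017-02-27T10:00:08 RENAME /home/alice/docs/cv.pdf.EnCrYpTeD",
    "2017-02-27T10:00:09 CREATE /home/alice/docs/READ_ME_TO_DECRYPT.TXT",
    "2017-02-27T10:30:00 RENAME /home/alice/docs/old.d4nk",
]

def parse_event(line):
    """Parse one constructed event line into (datetime, ACTION, path)."""
    ts, action, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), action.upper(), path.strip()

def detect_ransomware_activity(lines, window=timedelta(seconds=60), threshold=5):
    """Return alerts for ransom-note drops and for bursts of at least
    `threshold` renames to a known ransomware extension inside `window`."""
    alerts = []
    renames_by_ext = defaultdict(list)  # extension -> rename timestamps
    for line in lines:
        ts, action, path = parse_event(line)
        name = path.rsplit("/", 1)[-1].lower()
        if action == "CREATE" and name in RANSOM_NOTES:
            alerts.append(("ransom_note_dropped", path))
        elif action == "RENAME":
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in RANSOM_EXTENSIONS:
                renames_by_ext[ext].append(ts)
    for ext, stamps in renames_by_ext.items():
        stamps.sort()
        start = 0  # sliding window over sorted timestamps
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("rename_burst", ext, end - start + 1))
                break
    return alerts
```

A single stray .d4nk rename stays below the threshold, so the sample produces one note alert and one burst alert for .EnCrYpTeD.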
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.
For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.