Full Report
Security experts at ESET have released their latest research into the notorious TorrentLocker malware, which has infected thousands of computer systems around the world, taking data hostage and demanding a ransom be paid to ensure its safe return.
Analysis Summary
# Tool/Technique: TorrentLocker Ransomware
## Overview
TorrentLocker is a notorious ransomware family that encrypts victims' data and demands a ransom payment, typically in Bitcoins, for the decryption key. It has evolved since its first appearance in February 2014, becoming more automated and sophisticated over time. ESET tracks this malware as Win32/Filecoder.DI, though the authors reportedly prefer the name "Racketeer." Early versions referenced the BitTorrent application in registry entries, leading to its name.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (implied by the Win32/Filecoder.DI detection name)
- Capabilities: Data encryption, automated ransom payment processing via web pages, targeted country infections.
- First Seen: February 2014
## MITRE ATT&CK Mapping
(Note: These TTPs are inferred from the ransomware behavior the text describes; the text covers capabilities, not a full attack lifecycle, so the mapping is partial.)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (Likely used for C2 communication and ransom payment coordination)
- TA0001 - Initial Access
- T1566 - Phishing (Distribution via malicious emails)
- TA0040 - Impact
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- **Data Encryption:** Encrypts specified files on infected systems.
- **Ransom Demand:** Demands payment in cryptocurrencies (Bitcoins) for a decryption key.
- **Targeted Distribution:** Spam campaigns focus on specific countries (Australia, Austria, Canada, Czech Republic, Italy, Ireland, France, Germany, Netherlands, New Zealand, Spain, Turkey, UK), avoiding countries like the US.
- **Payment Automation:** Transitioned from requiring victims to email for payment instructions to an automated, user-friendly payment page explaining how to use Bitcoins.
### Advanced Features
- **Encryption Scheme Updates:** The authors updated the encryption routine immediately after a method was published that let victims recover their data without paying (recovering the keystream from a known plaintext and applying it to other files, which only works when a stream-mode cipher reuses its keystream across files). This shows the gang tracks public analysis and closes such weaknesses quickly.
- **Spoofing/Confusion:** Some internal screens mistakenly refer to "CryptoLocker," possibly due to creator laziness or an attempt to confuse victims.
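The keystream-recovery weakness mentioned above, shown as an added example (this is not TorrentLocker's code, and the page does not say which cipher the malware used). The example models the general flaw that makes keystream recovery useful: a stream-mode cipher whose key and nonce are reused for every file, so XORing one known plaintext with its ciphertext yields a keystream that decrypts every other file up to the known file's length. HMAC-SHA256 in counter mode is an assumed stand-in for a block cipher in CTR mode so that the code needs only the standard library; the file contents, names and the 8-byte nonce are constructed for the demonstration. The "fixed" variant uses a fresh nonce per file, which is the generic correction and is not a claim about what the criminals actually changed.

```python
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Counter-mode keystream: PRF(key, nonce || counter), truncated to length.
    HMAC-SHA256 stands in for the block cipher (assumption); the reuse
    weakness below does not depend on which PRF is used."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed victim files (not real samples). The victim still holds an
# unencrypted copy of 'sample.bin' (e.g. from a mail attachment or backup);
# that is the known plaintext the recovery needs.
FILES = {
    "sample.bin": bytes(range(256)) * 8,                               # 2048 bytes, known plaintext
    "invoice.txt": b"Invoice 2014-12: amount due 500 EUR, account ...\n" * 20,  # shorter than the known file
    "archive.bin": hashlib.sha256(b"constructed").digest() * 100,      # 3200 bytes, longer than the known file
}

FIXED_NONCE = b"\x00" * 8  # the flaw: one nonce (and one key) for every file


def encrypt_flawed(key, files):
    """Stream cipher with the same key and nonce for all files (the mistake)."""
    return {name: xor_bytes(data, keystream(key, FIXED_NONCE, len(data)))
            for name, data in files.items()}


def encrypt_fixed(key, files):
    """Fresh random nonce per file, prepended to the ciphertext."""
    out = {}
    for name, data in files.items():
        nonce = os.urandom(8)
        out[name] = nonce + xor_bytes(data, keystream(key, nonce, len(data)))
    return out


def recover_keystream(known_plain, known_cipher):
    """ct = pt XOR ks, so ks = ct XOR pt for as many bytes as are known."""
    n = min(len(known_plain), len(known_cipher))
    return xor_bytes(known_plain[:n], known_cipher[:n])


def decrypt_with_keystream(ks, cipher):
    """Only the bytes covered by the recovered keystream can be restored;
    a file longer than the known plaintext comes back as a prefix."""
    n = min(len(ks), len(cipher))
    return xor_bytes(cipher[:n], ks[:n])


def attack(encrypted, known_name="sample.bin", nonce_len=0):
    """Recover every file with the keystream taken from the known one.
    nonce_len strips a per-file nonce prefix when the scheme has one."""
    ks = recover_keystream(FILES[known_name], encrypted[known_name][nonce_len:])
    return {name: decrypt_with_keystream(ks, ct[nonce_len:]) for name, ct in encrypted.items()}


def run_flawed(key=None):
    """Keystream reuse: the known file's keystream decrypts the others."""
    key = key or os.urandom(32)
    return attack(encrypt_flawed(key, FILES))


def run_fixed(key=None):
    """Per-file nonce: the recovered keystream only fits the known file."""
    key = key or os.urandom(32)
    return attack(encrypt_fixed(key, FILES), nonce_len=8)


if __name__ == "__main__":
    for name, data in run_flawed().items():
        status = "fully recovered" if data == FILES[name] else f"{len(data)} of {len(FILES[name])} bytes"
        print(f"reused nonce: {name}: {status}")
    print("per-file nonce: invoice recovered?", run_fixed()["invoice.txt"] == FILES["invoice.txt"])
```

The practical caveat the recovery method carried is visible in `archive.bin`: a victim can only restore as many bytes of each file as the longest known plaintext/ciphertext pair covers, so the best known file is a large one. With a per-file nonce the same known pair yields a keystream that is useless for any other file.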
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]
- Registry Keys: Early versions referenced the Bit Torrent application.
- Network Indicators: Communication with C&C servers for tracking infections and managing ransom logistics (C&C information is implied but specific indicators are not provided).
- Behavioral Indicators: Mass file encryption; ransom instructions that direct the victim to a custom web page for payment in Bitcoin.
## Associated Threat Actors
- The unnamed "criminals" or "gang" behind TorrentLocker/Racketeer.
## Detection Methods
- Signature-based detection (ESET detection name: Win32/Filecoder.DI).
- Behavioral detection monitoring for mass file encryption activities.
- YARA rules: [Not provided in the text]
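A worked version of the behavioral detection listed above, added here as an example (it is not ESET's detector). It counts, per process, how many distinct files are written inside a sliding time window and raises one alert when a process crosses a threshold. The log format (`timestamp|process|op|path`), the 10-second window, the threshold of 20 files, the process names and the sample events are all constructed assumptions chosen to make the burst pattern of a file-encrypting process stand out from ordinary saves.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)  # assumed: sliding window for counting distinct files written
THRESHOLD = 20                  # assumed: this many distinct files in one window is abnormal


def constructed_log():
    """Constructed file-activity events, 'timestamp|process|op|path'. Not real telemetry."""
    base = datetime(2015, 1, 15, 10, 0, 0)
    lines = []
    # Ordinary user activity: a few saves spread over minutes, one read.
    for i in range(3):
        ts = base + timedelta(seconds=40 * i)
        lines.append(f"{ts.isoformat()}|winword.exe|WRITE|C:\\Users\\alice\\Documents\\report{i}.docx")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()}|explorer.exe|READ|C:\\Users\\alice\\Pictures\\cat.jpg")
    # Ransomware-like burst: one process rewriting 25 files across folders in under 4 seconds.
    for i in range(25):
        ts = base + timedelta(seconds=60, milliseconds=150 * i)
        folder = "Documents" if i % 2 == 0 else "Pictures"
        lines.append(f"{ts.isoformat()}|racketeer.exe|WRITE|C:\\Users\\alice\\{folder}\\file{i}.dat")
    return lines


def parse_event(line):
    ts, proc, op, path = line.split("|", 3)
    return datetime.fromisoformat(ts), proc, op, path


def detect_mass_modification(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of distinct files written (or renamed) per process.
    Events are sorted by time first so out-of-order log lines do not break the window.
    Returns at most one alert per offending process."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    recent = defaultdict(deque)  # process -> deque of (ts, path) still inside the window
    alerted, alerts = set(), []
    for ts, proc, op, path in events:
        if op not in ("WRITE", "RENAME"):
            continue
        q = recent[proc]
        q.append((ts, path))
        while ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and proc not in alerted:
            alerted.add(proc)
            alerts.append({
                "process": proc,
                "files": len(distinct),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_modification(constructed_log()):
        print(alert)
```

Counting distinct paths rather than raw write events keeps an application that repeatedly flushes one large file from tripping the rule, and the per-process alert set means a burst produces one alert instead of one per file. Thresholds like these belong in tuning against the environment's own baseline; the values here are illustrative only.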
## Mitigation Strategies
- **Backup and Recovery:** Maintaining recent, clean backups is crucial for restoring data without paying the ransom.
- **Email Security:** Implementing strong spam filtering and user awareness training regarding malicious attachments or links in emails related to invoices, packages, or traffic fines.
- **Patching:** Promptly apply OS and application security updates to reduce the attack surface. Note that the encryption weakness described above was a flaw in the malware, not in the victim's software, and the criminals closed it quickly; victims cannot count on such recovery methods remaining available, so backups stay the primary safeguard.
## Related Tools/Techniques
- CryptoLocker (Mentioned as a point of confusion/potential impersonation).