Full Report
Today, we are publishing research on ransomware that emerged in 2014. We have posted blog articles about this threat before, to raise awareness when we realized the criminals were targeting the United Kingdom and Spain.
Analysis Summary
# Tool/Technique: TorrentLocker (Win32/Filecoder.DI)
## Overview
TorrentLocker, also known as Win32/Filecoder.DI, is a ransomware variant that emerged in 2014. Its primary function is to encrypt victims' valuable documents and demand a ransom payment (payable only in Bitcoin) in exchange for decryption software. It specifically targeted users in the United Kingdom and Spain.
## Technical Details
- Type: Malware family (Ransomware/Crypto-Ransomware)
- Platform: Windows (Inferred from Win32 designation)
- Capabilities: File encryption, personalized ransom/payment pages based on victim location, use of unique Bitcoin wallets per infection, propagation via spam email.
- First Seen: 2014
## MITRE ATT&CK Mapping
The provided text focuses on the execution and impact phases of ransomware.
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (Used for C2 communication to generate payment URLs)
- **TA0012 - Impact**
  - T1486 - Data Encrypted for Impact
    - (Implied: Ransomware execution leading to data unavailability)
## Functionality
### Core Capabilities
- **Encryption:** Encrypts files on the infected system, attached storage (like USB drives), and enumerated network drives.
- **Propagation:** Spreads via spam email messages using social engineering tricks to encourage execution of the malicious code.
- **Localization:** Uses country-specific personalized email messages, ransom pages, and payment instructions.
### Advanced Features
- **Cryptography:** Uses **AES-256 in CBC mode** for file encryption. The generated AES key is then encrypted using a **2048-bit RSA public key** hardcoded within the malware before being sent to the C&C server and appended to the encrypted file.
- **Payment Mechanism:** Requires ransom payment exclusively in **Bitcoins**.
- **C2 Tracking:** Unique Bitcoin wallets were generated for each infection, although earlier variants used common wallets. Researchers were able to reverse-engineer the C&C server logic to ascertain targeted countries and ransom demands.
- **Association:** Clues suggest a linkage with the Hesperbot banking trojan, implying the same authors/operators may run both.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]
- Registry Keys: [Not provided in the text]
- Network Indicators:
  - Common Bitcoin Wallets (Historical, used by earlier variants before per-infection wallets):
    - `1K3Z8tEDyo5FHtsGmxTZ4tbeuJdMMjEE72`
    - `199EgrnuLeGKXSbimYgbu2MubF2aCYxwNk`
  - C2 Servers: (Inferable from the reverse-engineered payment URL generation; specific URLs not detailed)
- Behavioral Indicators: Attempts to encrypt files across local, attached, and network drives; displaying a ransom page customized for the victim's region.
## Associated Threat Actors
- Unnamed group operating both **TorrentLocker** and **Hesperbot**.
## Detection Methods
- Signature-based detection: Recognized family name Win32/Filecoder.DI.
- Behavioral detection: Monitoring for mass file encryption operations matching the AES/RSA scheme (bulk rewrites of documents on local, attached, and network drives) and for attempts to reach C2 servers disguised as payment portals.
- YARA rules: [Not explicitly provided in the text]
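A minimal behavioral detector for the scheme described above (AES-256-CBC file bodies with a 2048-bit RSA-wrapped key appended), added here as an illustration and not code from the original research: it flags files whose whole content and 256-byte tail are both high-entropy, and alerts only when many such writes land within a short window. The sample events, paths, and thresholds are constructed assumptions.

```python
import math
import random
from collections import Counter

# Constructed sample (not real TorrentLocker artefacts): file-write events as
# (seconds, path, bytes written), the shape an EDR agent could hand a detector.
_rng = random.Random(1)  # fixed seed so the run is reproducible
DOC = b"Quarterly report: revenue grew 4% year over year. " * 40
EVENTS = [
    (0.0, r"C:\Users\alice\Documents\q1.docx", DOC),
    (1.0, r"C:\Users\alice\Documents\q2.docx", DOC[::-1]),
    # twelve writes in quick succession to a mapped share: random bytes stand
    # in for an AES-CBC body plus a 256-byte (RSA-2048 sized) wrapped-key tail
    *[(2.0 + i * 0.2, rf"\\fileserver\share\doc{i}.pdf", _rng.randbytes(1024 + 256))
      for i in range(12)],
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: natural-language documents sit well under 6, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, tail_len: int = 256) -> bool:
    """Whole file high-entropy AND a high-entropy tail of RSA-2048 ciphertext size."""
    return (len(data) > tail_len
            and shannon_entropy(data) > 7.5
            and shannon_entropy(data[-tail_len:]) > 6.5)

def detect_mass_encryption(events, window: float = 10.0, threshold: int = 8):
    """Sliding window over encrypted-looking writes. Returns (timestamp, count)
    at the first moment >= threshold such writes landed within `window` seconds,
    or None when no burst was seen. Counting writes rather than single files keeps
    one stray high-entropy file (a zip, a JPEG) from firing; a burst does."""
    times = sorted(t for t, _, data in events if looks_encrypted(data))
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return t, end - start + 1
    return None

if __name__ == "__main__":
    print(detect_mass_encryption(EVENTS))  # (t, 8) once the burst reaches eight writes
```

Thresholds here are deliberately loose; in production they would be tuned per file type and paired with the C2-contact indicator rather than used alone.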
## Mitigation Strategies
- **User Education:** Training users to identify and ignore malicious spam emails used for initial infection.
- **Data Backup:** Regular, offline backups are crucial, as the malware encrypts attached and network storage.
- **Access Control:** Restricting write access permissions on network shares to limit lateral spread of encryption.
- **Patching/Security:** Maintaining updated security software capable of identifying known ransomware variants.
## Related Tools/Techniques
- CryptoLocker (Similar crypto-ransomware gaining media attention concurrently)
- AIDS trojan (Historical ransomware reference from 1989)
- Hesperbot (Associated banking trojan believed to be operated by the same actors)