TorrentLocker Surges in the UK, More Social Engineering Lures Seen
Analysis and data by Paul Pajares (Fraud Analyst) and Jon Oliver (Senior Architect)
We’ve noticed a recent increase in TorrentLocker-related emails being sent to users in several countries, particularly the United Kingdom and Turkey. From the latter half of May until June 10, there was a relative lull in TorrentLocker-related emails. However, over a period of just over two weeks (June 10 to June 28), we saw a recurrence of this threat.
TorrentLocker is a family of cryptoransomware which was first spotted in Italy in late 2014. Australia used to be the major target of these attacks (although other countries were affected as well), but recently the United Kingdom has been the favored target. TorrentLocker-related emails pretend to be from utilities like British Gas or government bodies like the Home Office or the Ministry of Justice.
These lead to fake sites of the same institutions that claim the user has to enter a captcha for some purpose. Entering this captcha downloads TorrentLocker onto the affected system; this represents an attempt to evade automated sandboxing tests. Screenshots of these sites are seen below:
Figure 1. Fake British Gas site
Figure 2. Fake Home Office site
Other countries like Italy, Poland, Spain and Turkey were also targeted in this wave of crypto-ransomware. The emails used in these countries used the names of postal/courier services as well as telecom firms (examples found include SDA Express, Pozcta, Correo and Turkcell). Attacks against Australian users are down, with emails using the name of the Australian Federal Office down significantly. However, the names of other postal/courier services like Couriers Please and Pack & Send of Australia were abused.
The hosting of these files has also changed: before they were hosted at file storage sites like Sendspace, Mediafire, and Copy.com. However, attackers have shifted to using Yandex Disk. Cryptowall (another cryptoransomware family) is now primarily downloaded via Google Drive.
The downloaded filenames we saw in June (and the social engineering lure used) are in the table below.
|British Gas, Home Office UK, Ministry of Justice||case_14781.zip, info_5623.zip, notice.zip, info_61196.zip|
|Correo||carta_certificada_140712.zip, carta_certificada_127845.zip, carta_certificada_748215.zip|
|SDA Express||Pacchetto_741596.zip, Pacchetto_241879.zip, Pacchetto_857560.zip, Pacchetto_278560.zip|
As we mentioned earlier, users from United Kingdom were the most targeted by TorrentLocker. This was based on the number of recipients of TorrentLocker emails we identified. Other countries affected include Australia, Germany, Italy, Spain, Turkey, and the United States. Many of the companies targeted are part of the health care sector.
Figure 3. Distribution of TorrentLocker-targeted users
A wide variety of sites are used in these attacks. About 800 compromised domains were used to host the images in the emails, or to serve as redirector sites for links within the emails. Meanwhile, the fake sites themselves are hosted on Russian and Turkish servers.
These attacks use a relatively small number of command-and-contr0l (C&C) servers, which include:
- bareportex.org (184.108.40.206)
- driblokan.net (220.127.116.11)
- golemerix.com (18.104.22.168)
- imkosan.net (22.214.171.124)
- kergoned.net (126.96.36.199)
- klixoprend.com (188.8.131.52)
- krusperon.net (184.108.40.206)
- loawelis.org (220.127.116.11)
- projawor.net (18.104.22.168)
The most used server is klixoprend.com, which is hosted at 22.214.171.124. This address has also been used by Tinba malware that generates domain generation algorithms (DGA), which creates domain names like rrbrhyuyeyqp.com. Some of these servers are hosted in Russia and France; the C&C domains were registered using a domain privacy service, so we were unable to acquire further details about their registrants.
Trend Micro solutions are continuously updated to detect various aspects of this threat. Custom Defense™ solutions can effectively block these types of attacks by identifying suspicious behavior. We already detect emails with content similar to those used in these attacks, and block messages sent from IP addresses tied to these campaigns. URLs from spam messages and typo-squatting domains similar to those used have also been blocked, to prevent the download of TorrentLocker. For the same reason, URLs on file hosting sites that contain these files have been blocked.
Files related to this threat are detected as TROJ_CRYPLOCK.XXSM. C&C servers are also blocked to prevent user files from being successfully encrypted.
In addition, we recommend that organizations adopt the following best practices to help mitigate any potential damage caused by TorrentLocker:
- Have a backup strategy
- Advise users to be careful about websites asking for Captcha codes – especially if they just following a link in an email
- When confronted with a Captcha code – if in doubt – use the phone to contact the organization
- Inform users about the social engineering tricks being employed in your region. Examples of the social engineering tricks include:
- Speeding fines in Australia
- Gas/electricity bills and parcel delivery in the UK
- Couriers and shipping delivery notices in continental Europe
- Again, if in doubt about an email – use the phone to double check
Trend Micro has also worked with RESEARCH PARTNER to produce a YouTube video of a TorrentLocker infection, which can be seen below. This can be useful in understanding how the infection process works.
With additional inputs from Christopher Talampas and Adremel Redondo