TorrentLocker is a family of file-encrypting ransomware that has infected a large number of Windows systems. It was first observed in February 2014, with the name TorrentLocker appearing in late August 2014; five major releases followed. TorrentLocker encrypts the victim's data files with the AES symmetric block cipher and then encrypts the AES key with the RSA asymmetric cipher, so the file key cannot be recovered without the operators' RSA private key. In December 2014 the family spread through geographically targeted spam email campaigns that impersonated different companies. A few weeks later, ESET released a white paper describing its distribution scheme, network protocol and core functionality, and noting characteristics it shares with the Hesperbot banking trojan. 2016 is seeing a surge of advanced ransomware, and according to ESET's research a number of websites are impersonating well-known companies to distribute TorrentLocker. Impersonations reported between April and August 2016 include:
- AGL (Australia)
- British Gas (United Kingdom)
- Endesa (Spain)
- Vodafone Italia (Italy)
- PostNL (Netherlands)
- New Zealand Post (New Zealand)
- Australia Post (Australia)
The URL distributed in these email campaigns is only reachable from IP addresses in the targeted country.
Ransomware Distribution
Current distribution is similar to the method used in 2014. Phishing emails contain a link to a spoofed site that hosts a downloadable file disguised as a parcel tracking code or a bill. TorrentLocker runs once that file is downloaded and opened; it then contacts its command and control (C&C) server and begins encrypting the victim's data with AES.
Change in Infection Vector
Distribution may look similar to the 2014 technique, but under the hood several changes have been made. There is now an added step: the link in the spam email leads to a PHP script hosted on a compromised server, which compares the visitor's location with the region targeted by the campaign. If they match, the visitor is redirected to the next step, where the malware is downloaded. If the visitor is outside the targeted country, the script redirects to the Google homepage, so a researcher fetching the URL from the wrong country sees nothing malicious. The ZIP file now also contains a JScript file, which downloads and executes the TorrentLocker ransomware. ReaQta, a security company, published a two-part research post describing the scheme in detail. The chain of events is summarized as:
- Phishing email messages include a call-to-action link for response:
hxxp://domain.com/[email protected]
- The user is redirected to:
hxxp://azqm.postau-tracking27.org/ys9mb.php?id=dnljeGlnQGTvnWSubk7lvB==
- User downloads the file:
hxxp://azqm.postau-tracking27.org/file/PostAU-packet.zip
- The user opens the ZIP file and runs the file it contains: PostAU-packet.js
- The JScript downloads and starts the TorrentLocker executable:
hxxp://suzoinpet.ru/admin/filename.exe
Additional Four-Digit User Pass
In ESET's 2014 TorrentLocker analysis, the C&C server generated predictable, sequential "user codes," which made it possible to enumerate victims and track payments. TorrentLocker now requires an additional four-digit "user pass" on its payment pages, so a guessed user code alone is no longer enough to open a victim's page.
Obfuscation Technique
In 2014, the ransomware injected itself into the explorer.exe system process. That is no longer the case; TorrentLocker now relies on a relatively advanced obfuscation technique instead. Its strings are encrypted with a hardcoded key. The key is the same for every campaign, but it is truncated to a length that varies from campaign to campaign, and each string is decrypted on demand at runtime by XORing it with the truncated key. Because XOR is its own inverse, an analyst who knows one plaintext string (an API name or a registry path, say) can XOR it against the corresponding ciphertext to recover the keystream and, from the period of that keystream, the truncated key for the campaign.
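To make the string-obfuscation scheme concrete, here is an added example in Python. It is not TorrentLocker's code and the master key and strings in it are constructed for the demo; it shows the repeating-key XOR with a per-campaign truncated key, the on-demand decryption a sample performs at runtime, and the known-plaintext recovery of the truncated key that an analyst would use to decode the rest of the string table.

```python
"""Added example (not TorrentLocker's own code): repeating-key XOR string
obfuscation with a per-campaign truncated key, plus known-plaintext recovery
of that key. MASTER_KEY and the strings below are constructed stand-ins."""

from itertools import cycle
from typing import List

# Constructed stand-in for the hardcoded key; the real key is not on the page.
MASTER_KEY = bytes.fromhex("6a3f91c2d8e40b57a1f3c9e26d8b4f07")  # 16 bytes


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so this
    routine both obfuscates and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def campaign_key(key_len: int) -> bytes:
    """Truncate the shared master key to the length used by one campaign."""
    if not 1 <= key_len <= len(MASTER_KEY):
        raise ValueError("bad key length")
    return MASTER_KEY[:key_len]


def obfuscate_strings(strings: List[str], key_len: int) -> List[bytes]:
    """Build the encrypted string table the binary would carry."""
    key = campaign_key(key_len)
    return [xor_with_key(s.encode(), key) for s in strings]


def decrypt_string(blob: bytes, key_len: int) -> str:
    """On-demand decryption, as the malware does it at runtime."""
    return xor_with_key(blob, campaign_key(key_len)).decode()


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext yields the keystream,
    and the shortest period of that keystream is the truncated key.
    The known string must be longer than the key for the period to show."""
    stream = xor_with_key(ciphertext[: len(known_plaintext)], known_plaintext)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


if __name__ == "__main__":
    # A campaign using a 7-byte truncation of the master key.
    table = obfuscate_strings(["explorer.exe", "CreateProcessW", "https://"], 7)
    # The analyst guesses that one blob decrypts to "explorer.exe"...
    key = recover_key(table[0], b"explorer.exe")
    print("recovered key:", key.hex())
    # ...and uses the recovered key on the whole table.
    for blob in table:
        print(xor_with_key(blob, key).decode())
```

The recovery needs a known string that is longer than the truncated key; short API names may not suffice for a long truncation, in which case a registry path or URL prefix is the better guess.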
C&C Communication Changes
As in 2014, TorrentLocker tries to connect to a hardcoded HTTPS domain, but it now prepends a random subdomain to that domain. These subdomains are short-lived and can be taken down quickly. More interestingly, if the connection fails it falls back to a Tor hidden service: the TorrentLocker binary now embeds a small Tor implementation, so the ransomware does not depend on any external component to reach the Tor network.
[Image: ESET. The embedded Tor library uses LibreSSL.]
This technique is becoming increasingly popular in ransomware, because it makes it harder for researchers and law enforcement to pinpoint where the C&C servers are physically located.
Other Changes
In 2014, TorrentLocker used the LibTomCrypt cryptographic library; it has now moved to the Windows CryptoAPI. In both cases the initialization vector (IV) is always 32 null bytes, a weakness in itself: with a fixed IV, two files that begin with the same bytes (a common document header, for instance) produce the same initial ciphertext under the same key. Encrypted files are now renamed to random strings instead of sequential numbers, and only the first 1 MB of each file is encrypted instead of 2 MB, so the tail of a large file remains in the clear. TorrentLocker now encrypts only popular data formats such as .xls and .docx and leaves system executables alone, so that the machine stays usable and the victim can reach the payment page.
What can you do to safeguard against ransomware?
TorrentLocker is still very active and operates below the radar in targeted campaigns. You can greatly reduce the risk by placing safeguards on your systems. Here are some tips that will help you avoid ransomware attacks.
1. Make data backups. Regular backups are the best way to defeat ransomware. If you have backups or OS snapshots (encrypted, if they hold sensitive data), you can wipe the system and restore. Remember that a crypto-locker encrypts data on every drive it can write to, including USB drives, cloud folders and network shares assigned a drive letter, so keep at least one copy offline or otherwise not writable from the workstation.
2. Show hidden file extensions. Windows hides known extensions by default, so a dropper named "invoice.pdf.exe" is displayed as "invoice.pdf". Re-enabling full file extensions makes such a file much easier to spot.
3. Filter executable attachments at the email gateway. If your gateway scanner can filter by extension, deny inbound and outbound messages carrying EXE attachments. Note that the campaign described above delivers a .js file inside a ZIP, so block script extensions (.js, .jse, .vbs, .wsf) as well and inspect archive contents rather than only the outer file name. If you legitimately need to exchange EXE files, put them in a password-protected ZIP; bear in mind that the gateway cannot see inside such an archive either, so allow them only from expected senders.
4. Disable execution of files from "AppData" or "LocalAppData". Using Software Restriction Policies, AppLocker or your intrusion prevention software, block executables launched from the "AppData" and "LocalAppData" folders, which is where crypto-lockers typically drop and run their EXE. Legitimate programs that live in these folders can be excluded from the rule.
5. Disable Remote Desktop Protocol (RDP). RDP lets users access a Windows desktop remotely, and attackers often enter targeted machines through exposed RDP. If you do not need it, disable it; if you do, at least do not expose it directly to the Internet.
6. Update your software regularly. Malware and crypto-lockers exploit vulnerabilities in outdated software to enter a system silently. Making a habit of updating promptly substantially lowers the chance of infection, because patches close the vulnerabilities the exploits rely on.
7. Use a security suite and a VPN. A product that combines anti-malware and a firewall gives your system layered defence: crypto-locker variants change frequently, but a sample that evades the scanner can still be blocked when it tries to reach its C&C server. VPN software masks your IP address and routes your traffic through another server. Since the TorrentLocker redirector only serves the malware to addresses in the targeted country, browsing through an exit in another country would have shown the Google homepage instead; treat that as a side effect rather than a defence to rely on. Be selective, as some VPN providers log your traffic and activity; choose a reputable provider with a no-logs policy.
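The extension filters in tips 2 and 3 are easy to get wrong because the dangerous name is often inside an archive and may hide behind a document extension. The following added example (not from the original article) is a gateway-style triage of a ZIP attachment in Python that flags script files, executables and double extensions such as "invoice.pdf.exe" among the archive members, and reports password-protected members that cannot be scanned. The extension lists are assumptions trimmed to common cases, and the sample archive is constructed in memory.

```python
"""Added example (not from the original article): triage of ZIP attachments
that goes beyond filtering bare .exe files. Flags scripts, executables and
double extensions inside the archive, and reports encrypted members."""

import io
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Assumption: these lists are trimmed to common cases; extend for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_member(name: str) -> Optional[str]:
    """Return a finding for one archive member name, or None if it looks benign."""
    path = PurePosixPath(name.replace("\\", "/"))
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        # "invoice.pdf.exe" is shown as "invoice.pdf" when extensions are hidden.
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            return f"double extension disguises executable: {name}"
        return f"executable in archive: {name}"
    if last in SCRIPT_EXTS:
        return f"script in archive: {name}"
    return None


def triage_zip(data: bytes) -> List[str]:
    """Inspect a ZIP held in memory and return a list of findings.

    Password-protected members are reported as unscannable: a gateway cannot
    look inside them, so such archives need a separate policy (e.g. allow only
    from expected senders) rather than a silent pass.
    """
    findings: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                    findings.append(f"encrypted member cannot be scanned: {info.filename}")
                finding = classify_member(info.filename)
                if finding:
                    findings.append(finding)
    except zipfile.BadZipFile:
        findings.append("not a valid ZIP archive")
    return findings


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory (not a real campaign file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed archive mimicking the shape of the campaign's ZIP.
    sample = build_sample_zip({
        "PostAU-packet.js": b"// constructed stand-in for a downloader script\n",
        "invoice.pdf.exe": b"MZ",
        "readme.txt": b"nothing to see here\n",
    })
    for line in triage_zip(sample):
        print(line)
```

Run against a real mail flow, the same function would sit in the gateway's attachment pipeline; the point is that the decision is made on member names inside the archive, which is where this campaign's JScript actually lives.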
What can you do if you're infected by ransomware?
If you have already run a ransomware file without any precautions in place, your options are limited but not exhausted. A few things might still reduce the damage.
1. Disconnect from Wi-Fi or unplug the network immediately. If you act very quickly, before the ransom message appears, you may cut the connection before the malware reaches its C&C server. Encrypting files takes time, so unplugging may also halt the process part-way. Physically disconnecting is the safe choice here: since TorrentLocker can fall back to its embedded Tor client, blocking a single domain is not enough.
2. Use System Restore or a Windows snapshot. If you create restore points regularly, you may be able to roll the system back to an earlier state. Be quick here as well, because newer crypto-lockers delete restore points and the shadow copies behind them. It is therefore better to keep a Windows snapshot on an external drive or writable DVD, made before any attack.
3. Change the BIOS clock. The ransom page usually runs a timer, often 72 hours, after which the price of decryption rises. Setting the clock back in the BIOS may "beat the clock". This only works if the malware reads the local clock rather than the server's, and it does not rescue your files; at best it saves you from paying more. Even so, know that there are cases where people paid the ransom and never received a decryption key.
Final Thoughts
Recent ransomware attacks have generated a lot of hype and gained news coverage. They are frightening, but there are things you can do to defend against an infection. Indeed, the best way to protect against ransomware is to protect your PC against data loss.
About the Author: Peter Buttler is a professional security expert and lecturer. He serves as a digital content editor for different security organizations. In his writing he likes to emphasize recent security trends and other technology topics. You can follow him on Twitter. Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.