Update on the Torrentlocker ransomware


This post is an update to the Torrentlocker blog post of October 15. For guidance on containment and recovery, see that previous post.

Financial aspects

Ransom payments have to be made in Bitcoin. We have identified 7 Bitcoin addresses that received ransom payments. The total income as of October 21st is 862.79539531 BTC, which comes down to 257,393.45 EUR paid to the criminals. Based on the current ransom price, 1.32 BTC (about 400 EUR), at least 653 victims have paid the ransom. We have confirmed 4180 infected clients up until October 21st. If they all paid the ransom, that would amount to roughly 1.6 million euros.

Harvesting new e-mail addresses

Torrentlocker is currently being spread via phishing emails that lure victims to fake postal service websites. One of the ways the criminals obtain new addresses to send these emails to is by harvesting email addresses from infected machines. The malware is able to grab email addresses from:

  • Thunderbird
  • Outlook
  • Windows Live Mail

We found that they were able to harvest 2,614,109 email addresses in total. In addition to email addresses to use as recipients, Torrentlocker also looks for IMAP/POP3/SMTP credentials to send the emails from. Since the 20th we have seen them harvest a total of 1746 SMTP account credentials. Any mail account credentials stored on an infected machine should therefore be treated as compromised.

[Figure: harvested Torrentlocker email addresses]

Location and number of the affected clients

This Torrentlocker campaign started on the 16th of September 2014 and has been targeting various countries. The criminals have created ransom payment page templates for the following countries:

  • Australia
  • Canada
  • Spain
  • Great Britain
  • Ireland
  • Italy
  • Namibia
  • Netherlands
  • New Zealand

They have been sending the phishing mails to recipients in the following countries:

  • Albania
  • Australia
  • Austria
  • Belgium
  • Canada
  • Chile
  • Colombia
  • Egypt
  • France
  • Germany
  • Great Britain
  • Greece
  • Hong Kong
  • Hungary
  • India
  • Indonesia
  • Iran
  • Ireland
  • Isle of Man
  • Italy
  • Japan
  • Korea
  • Malta
  • Namibia
  • Netherlands
  • New Caledonia
  • New Zealand
  • Norway
  • Papua New Guinea
  • Philippines
  • Poland
  • Portugal
  • Puerto Rico
  • Qatar
  • Romania
  • Russia
  • Serbia
  • Singapore
  • South Africa
  • Spain
  • Sweden
  • Switzerland
  • Turkey
  • United Arab Emirates
  • United States

In total we were able to confirm 4180 infections in 44 countries. The campaign first started on the 16th of September; the spam runs have followed sometimes a week apart and sometimes only a day apart. The last run we saw started on the 21st of October. In every country the emails impersonate the local postal service.

New IoCs

The following new domain names were used to host the fake website for the Dutch phishing campaign:

  • Postnl-track.org
  • Postnl-track.net
  • Postnl-tracktrace.net

The following IP addresses were additionally used for global C&C traffic:

  • 46.161.30.16
  • 46.161.30.17
  • 46.161.30.18
  • 46.161.30.19
  • 46.161.30.20
  • 46.161.30.21

On the infected client system, the ransomware copies itself to a location that depends on whether it has administrator privileges:

  • With admin privileges it will copy itself to C:\WINDOWS\[a-z]{8}.exe
  • Without admin privileges it will copy itself to C:\ProgramData\[a-z]{8}.exe

Additionally, a startup key is added to the registry so that the ransomware runs again after a reboot.
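The indicators and drop locations above can be turned into a simple hunt over proxy or firewall logs, Run-key exports and directory listings. The Python below is an added example written for this page, not code from the original post: the log lines and registry entries are constructed, the Run-key hive and value name are assumptions (the post only says a startup key is added), and the explorer.exe exception is an editorial addition because that stock binary happens to fit the eight-lowercase-letter pattern under C:\WINDOWS.

```python
import re
from ipaddress import ip_address

# Indicators listed in this post.
PHISHING_DOMAINS = {"postnl-track.org", "postnl-track.net", "postnl-tracktrace.net"}
CC_IPS = {ip_address(f"46.161.30.{n}") for n in range(16, 22)}  # .16 through .21

# The one stock Windows binary that sits directly under C:\WINDOWS with an
# eight-lowercase-letter name; without this exception every hunt flags it.
# (Editorial addition, not from the post.)
KNOWN_GOOD = {"explorer.exe"}

HOST_RE = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_dropper_path(path: str) -> bool:
    """True if `path` matches the drop locations described in the post: eight
    lowercase letters plus .exe directly under <drive>:\\WINDOWS (admin) or
    <drive>:\\ProgramData (non-admin). The directory is compared
    case-insensitively, as Windows does, but the file stem must be exactly
    eight lowercase letters. Anything in a subdirectory (e.g. system32) does
    not match."""
    parts = path.strip().strip('"').replace("/", "\\").split("\\")
    if len(parts) != 3:
        return False
    drive, folder, name = parts
    return (
        re.fullmatch(r"[A-Za-z]:", drive) is not None
        and folder.lower() in ("windows", "programdata")
        and re.fullmatch(r"[a-z]{8}\.exe", name) is not None
        and name not in KNOWN_GOOD
    )


def domain_hit(host: str):
    """Return the matching indicator if `host` equals or is a subdomain of one."""
    host = host.lower().rstrip(".")
    for d in PHISHING_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(lines):
    """Return (line_number, indicator) for every line whose URL host or any
    IPv4 address matches an indicator. Works on any text log that carries
    URLs and/or destination addresses (proxy, DNS, firewall)."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            d = domain_hit(host)
            if d:
                hits.append((n, d))
        for ip in IPV4_RE.findall(line):
            try:
                if ip_address(ip) in CC_IPS:
                    hits.append((n, ip))
            except ValueError:
                pass  # the loose regex also matches e.g. 999.1.1.1
    return hits


def command_exe(command: str) -> str:
    """Executable part of a Run-key command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_entries(entries):
    """From (key, value_name, command) tuples, keep those whose command points
    at a dropper-style path. The post does not say which hive or key the
    malware uses, so feed it both the HKCU and HKLM Run keys."""
    return [e for e in entries if is_dropper_path(command_exe(e[2]))]


# --- constructed sample data (not real logs or registry contents) ---
SAMPLE_LOG = [
    "2014-10-21T08:51:12 10.1.4.23 GET http://www.postnl-track.org/track/?id=8827 200",
    "2014-10-21T08:51:40 10.1.4.23 GET http://www.example.org/ 200",
    "2014-10-21T08:52:03 10.1.4.23 -> 46.161.30.19:443 TCP ALLOW",
    "2014-10-21T08:52:05 10.1.4.23 -> 46.161.30.99:443 TCP ALLOW",
]

RUN = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_RUN_KEYS = [  # value name "qwvmtrlk" is an assumed random name
    ("HKCU\\" + RUN, "qwvmtrlk", "C:\\ProgramData\\qwvmtrlk.exe"),
    ("HKLM\\" + RUN, "Updater", '"C:\\Program Files\\Vendor\\updater.exe" /silent'),
    ("HKLM\\" + RUN, "SecurityHealth", "C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for n, ioc in scan_log(SAMPLE_LOG):
        print(f"log line {n}: hit on {ioc}")
    for key, name, cmd in suspicious_run_entries(SAMPLE_RUN_KEYS):
        print(f"registry {key}\\{name} -> {cmd}")
    for p in (r"C:\WINDOWS\kdjfhwpa.exe", r"C:\WINDOWS\explorer.exe"):
        print(p, "dropper-style" if is_dropper_path(p) else "ignored")
```

The path pattern on its own is a hunting lead, not proof: C:\ProgramData is shared by plenty of legitimate software, so a match should be confirmed by cross-referencing the Run-key entry, the file's creation time against the phishing run dates, and network traffic to the C&C addresses above.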
