This posting is an update to the Torrentlocker blog posting of October 15. For guidance on containment and recovery, see the previous blog post.
Financial aspects
Payments for the ransom have to be done in Bitcoins. We have identified 7 Bitcoin addresses that received ransom payments. The total income as of the 21th of October is 862,79539531 BTC which comes down to 257.393,45 EURO made in payments to the criminals. Based on the current BTC price for the ransom, currently 1.32 BTC about 400 EURO, we can say that at least 653 victims have paid the ransom. We have confirmed 4180 infected clients up until October 21st. If they would all pay the ransom that would amount to 1.6 million euros.
Harvesting new e-mail addresses
Torrentlocker is currently being spread via phishing emails luring victims to fake postal service websites. One of the ways the criminals are getting new emails to send the emails towards is by harvesting email addresses from infected machines. It is able to grab email addresses from:
- Thunderbird
- Outlook
- Windows Live Mail
We’ve found that they were able to harvest 2.614.109 email addresses in total. In addition to email addresses to use as a recipient, Torrentlocker also looks for IMAP/POP3/SMTP credentials to send the emails from. Started from the 20th we have seen them harvest a total of 1746 SMTP account credentials.
Location and number of the affected clients
This Torrentlocker campaign started on the 16th of September 2014 and has been targeting various countries. The criminals have made payment templates for the following countries:
- Australia
- Canada
- Spain
- Great Britain
- Ireland
- Italy
- Namibia
- Netherlands
- New Zealand
They have been sending the phishing mails to recipients in the following countries:
- Albania
- Australia
- Austria
- Belgium
- Canada
- Chile
- Colombia
- Egypt
- France
- Germany
- Great Britain
- Greece
- Hongkong
- Hungary
- India
- Indonesia
- Iran
- Ireland
- Isle of Man
- Italy
- Japan
- Korea
- Malta
- Namibia
- Netherlands
- New Caledonia
- New Zealand
- Norway
- Papue new Guinea
- Philippines
- Poland
- Portugal
- Puerto Rico
- Qatar
- Romania
- Russia
- Serbia
- Singapore
- South Africa
- Spain
- Sweden
- Switserland
- Turkey
- United Arab Emirates
- United States
In total we were able to confirm 4180 infections in 44 countries. This campaign first started on the 16th of September. They have done runs sometimes a week apart and sometimes only a day apart. The last run we saw started on the 21st of October. In every country they impersonate emails from the local postal service.
New IoCs
The following new domain names were used for hosting the fake website for the Dutch phishing campaign
- Postnl-track.org
- Postnl-track.net
- Postnl-tracktrace.net
The following IP-addresses were additionally used for global C&C traffic
- 46.161.30.16
- 46.161.30.17
- 46.161.30.18
- 46.161.30.19
- 46.161.30.20
- 46.161.30.21
On the infected client system, the ransomware copies itself to a location based on whether it has admin privileges:
- With admin privileges it will copy itself to C:\WINDOWS\[a-z]{8}.exe
- Without admin privileges it will copy itself to C:\ProgramData\[a-z]{8}.exe
Additionally a startup key is added to the registry to start the ransomware upon a reboot.
23 thoughts on “Update on the Torrentlocker ransomware”