TorrentLocker outbreaks have plagued users across several regions for years. A strain of ransomware that uses file encryption to extort money from its victims, TorrentLocker has long been observed in North America, Europe, and Australia. In 2014 we reported our insights on TorrentLocker attacks in Australia for that year, which detailed the malware’s usual attack scenario, its use of email spam, and its infection chain. This paper aims to provide more detail on TorrentLockerinfections seen in the first half of 2015, more specifically, details on common evasion techniques and solutions to battle this ongoing threat.
A quick Background on Ramsomwere
Ransomware is a type of malware that prevents or limits users from accessing their system. To make the infected system usable again, the victim is forced to pay (a ransom) to a remote threat actor thru certain online payment methods.
In the first quarter we reported about how ransomware expanded their target base to include enterprises and niche user types. This was evident in our 1Q security report which shows the growing number of ransomware detections for the enterprise segment.
n our 2Q security report , however, we reported our findings on CryptoWall-related URLs in June. Small and medium-sized businesses comprised 66% of CryptoWall-related URLs for that month, followed by the enterprise and consumer segment.
TorrentLocker : A Regional Threat
Apart from expanding its target base to include the enterprises , we observed a continuous growth in TorrentLocker outbreaks aimed at Australian individuals and
businesses. In the past we have reported that the cause of the outbreaks were spammed me ssages primarily sent to Australian email addresses and used specially
crafted social engineering emails. Below is an infection chain of how a typical spam outbreak carries out TorrentLocker attacks.
Exasion Techniques used by TorrentLocker
TorrentLocker uses several evasion techniques that are known to bypass spam filters, web reputation, and malware detection. Its ability to utilize these evasion techniques allow ways for the threat to slip through the cracks even if all of your defenses are seemingly in place.
Antispam evasion
TorrentLocker is able to bypass anti-spam filters by sending email to legitimate accounts only. The
spammed message are, carefully crafted by mimicking actual parcel tracking and penalty notice emails with accompanying hyperlinks attached.
Moreover, TorrentLocker bypasses IP reputation by making use of legitimate web servers instead of botnets, and uses these compromised web servers to redirect infected systems to malicious websites.
Moreover, TorrentLocker bypasses IP reputation by making use of legitimate web servers instead of botnets, and uses these compromised web servers to redirect infected systems to malicious websites.
Sndboxes and web reputation evasion
TorrentLocker bypasses sandboxes by adding a CAPTCHA feature to the malicious web page that carries the malware (example pictured below):
The CAPTCHA field requires users to input letters or numbers, giving cybercriminals a chance to verify that there is an actual person using the infected systems. In addition, the sandbox and web reputation evasion technique allows TorrentLocker to detect antivirus mechanisms that detect drive-by-downloads. TorrentLocker also randomizes the names of the scripts used on the compromised servers.
An example of how TorrentLocker evades web reputation is its ability to keep the time to live (TTL) records very short. The web service runs on the same server as the DNS service. Hence, once the server is shut down, both services are turned off.
Click below to read more.
