US cyber threat intelligence firm iSIGHT Partners found the malware it dubbed TorrentLocker being distributed in a recent active phishing campaign.
“It is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families,” reported iSIGHT senior technical intelligence analyst Richard Hummel in a 15 August blog post.
TorrentLocker infects victims via spam and encrypts their files with the Rijndael cipher (the algorithm standardised as AES), then demands payment in bitcoin to release them, in the classic ransomware approach.
It also blatantly pretends to be CryptoLocker, with a ransom message that reads “Your files including those on the network disk(s) are now encrypted with CryptoLocker virus”. The design of its ransom page and other components, however, is closer to CryptoWall.
Hummel believes TorrentLocker may simply be trading on the fear the name ‘CryptoLocker' generates.
He said: “The malware introduces the interesting approach of spoofing components of other ransomware samples. This technique, whether intentional or not, may allow TorrentLocker to adopt the notoriety of CryptoLocker. It may also cause victims to assume that their files are encoded in RSA-2048, a possibly more secure encryption method than the Rijndael algorithm.”
iSIGHT believes TorrentLocker is currently targeting Australian victims, as its payment demands are denominated in Australian dollars and many of the links it provides for purchasing bitcoins point to .au websites.
To draw ransom victims in and as a sign of ‘good faith', the malware even offers to decrypt one file free of charge.
But iSIGHT is sceptical about TorrentLocker's strengths because it “introduces no new capabilities to those already observed in existing ransomware” and is not yet being sold on underground forums, where more sophisticated malware types are already available.
However, other industry experts think TorrentLocker has no need to innovate when current ransomware approaches still work.
TK Keanini, CTO at Lancope, told SCMagazineUK.com via email: “The mimicry of the CryptoLocker user interface suggests the attackers feel that it is effective enough and that the UI is not the priority to the invention. Frankly, it does the job well and so why not just copy the format that was successful prior?”
Richard Cassidy, senior solutions architect at Alert Logic, told us by email: “It looks to be designed to do the job quickly, with a similar user interface to previous ransomware programs, more than likely adhering to the ‘if it ain't broke, don't fix it' model of product design!”
Cassidy even feels the malware's design might be mocking the recent international effort, ‘Operation Tovar', led by the European Cybercrime Centre, to take down the command and control infrastructure behind both CryptoLocker and the Gameover Zeus Trojan.
He said: “The fact that TorrentLocker has similarities in look and code to previous ransomware variants might well show that this group is making a political statement against the previous law enforcement much-publicised ‘game-over' statement to the well-known Zeus and CryptoLocker variants.
“In my opinion, it's more down to the fact that these programs worked; and if you want maximum returns on your investment, build something that is familiar and will reap faster rewards.”
Keanini agreed, calling TorrentLocker's authors “slightly evolutionary” but adding: “My point is that they don't have to be revolutionary as the prior methods of previous ransomware are highly effective and for the most part unchallenged. Until these fundamental methods are ineffective, no revolutionary change will take place.”
Analysing TorrentLocker's attack method, Cassidy said: “I find it interesting that this program decided to lead with less advanced cryptography methods, and that it can't perform encryption of the target machine's files without an active internet connection – perhaps a blessing in disguise to some who might have been infected - unlike its predecessors.
“Furthermore there is no apparent use of anonymity networks, with hard-coded IPs for command and control servers. This is another interesting move and perhaps shows that the group who've written this understand the limited shelf-life before law enforcement come knocking to shut it down.”
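The hard-coded command and control addresses Cassidy describes are the kind of indicator an analyst pulls straight out of a sample. The Python below is an added example, not code from iSIGHT, the article's sources or TorrentLocker itself: it scans a binary blob for dotted-quad IPv4 strings stored either as plain ASCII or as the UTF-16LE wide strings Windows executables commonly use, discards loopback, RFC 1918 and other non-routable ranges, rejects look-alikes such as version numbers, and reports each surviving address once with the offset and encoding it was found in. The sample blob is constructed for the example; the RFC 5737 documentation addresses in it stand in for attacker infrastructure.

```python
"""Extract plausible hard-coded C2 IPv4 addresses from a binary blob.

Added example: the input below is constructed, not a real TorrentLocker sample.
"""
from __future__ import annotations

import ipaddress
import re

# ASCII form. The digit look-around prevents partial matches inside longer
# dotted strings such as the version number "6.1.7601.0".
ASCII_IPV4 = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

# UTF-16LE form: every ASCII character is followed by a NUL byte.
WIDE_IPV4 = re.compile(
    rb"(?<!\d\x00)(?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}(?!\d\x00)"
)

# Ranges that cannot be an internet-facing C2 endpoint. Listed explicitly
# rather than using ipaddress.is_private/is_global, because those also reject
# the RFC 5737 documentation ranges that this example's sample uses as stand-ins
# for real attacker addresses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_candidate(addr: ipaddress.IPv4Address) -> bool:
    """True if the address could plausibly be reached over the internet."""
    return not any(addr in net for net in NON_ROUTABLE)


def extract_ipv4_candidates(data: bytes) -> list[dict]:
    """Return [{ip, encoding, offset}, ...] sorted by offset, one entry per IP."""
    found: dict[str, dict] = {}
    for encoding, regex in (("ascii", ASCII_IPV4), ("utf-16le", WIDE_IPV4)):
        for m in regex.finditer(data):
            text = m.group(0).replace(b"\x00", b"").decode("ascii")
            try:
                addr = ipaddress.IPv4Address(text)  # rejects octets > 255
            except ipaddress.AddressValueError:
                continue
            if not is_candidate(addr):
                continue
            # First occurrence wins; later duplicates of the same IP are ignored.
            found.setdefault(str(addr), {"ip": str(addr),
                                         "encoding": encoding,
                                         "offset": m.start()})
    return sorted(found.values(), key=lambda e: e["offset"])


# Constructed stand-in for an unpacked executable's string table.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16                          # fake header padding
    + b"http://198.51.100.23/gate.php\x00"                # ASCII C2 URL (RFC 5737)
    + "203.0.113.7:443".encode("utf-16-le") + b"\x00\x00"  # wide-string C2 (RFC 5737)
    + b"127.0.0.1\x00"                                    # loopback: dropped
    + b"192.168.1.5\x00"                                  # RFC 1918: dropped
    + b"FileVersion 6.1.7601.0\x00"                       # version string: not an IP
    + b"999.1.1.1\x00"                                    # octet out of range: dropped
    + b"198.51.100.23\x00"                                # duplicate: reported once
)

if __name__ == "__main__":
    for entry in extract_ipv4_candidates(SAMPLE_BINARY):
        print(f"{entry['ip']:<16} {entry['encoding']:<9} @0x{entry['offset']:04x}")
```

Given the article's point that the malware will not encrypt until it has reached its C2, addresses found this way are exactly what a defender would push to an egress block list straight away. The caveat is that a string scan only finds addresses stored in the clear; a packed sample or an encrypted configuration blob has to be unpacked in memory first, and the extracted list should be checked against known-good infrastructure before blocking.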
Keanini added: “These folks, if they are smart, don't want to grow too fast because they become too noticeable and more resources are assigned to go after them. If they just skim a little bit from millions of machines, they have an incredibly profitable business model that scales to the internet.”