TorrentLocker Attacks Increase in UK, Social Engineering Ploy Used

History
TorrentLocker is a ransomware infection. Its primary target used to be Australia; late last year it was spotted in Italy, and now attacks in the UK and Turkey have spiked. TorrentLocker is known to spread through phishing emails that pretend to come from a government agency or a utility and try to lure users onto malicious websites.

The Attack
If users click on the links in these emails, they are redirected to fake websites of utilities or institutions, for instance British Gas in the UK or Turkcell in Turkey. There they are asked to enter a captcha to view their bill or, where the page mimics the Home Office, to download information about their case. If users comply, they download the TorrentLocker infection onto their system.

What users actually download is a zip file containing the infection's files. Depending on the malicious website they were sent to, the zip can be named turkcell_fatura_192189779.zip, case_14781.zip, informacje_przesylki.zip, and so on. Under no circumstances should you open or even download these files. Better still, identify the fake emails from the start and delete them straight away.

Many More Targets
Although it seems that the infection's main target for now is the UK, that does not mean it is the only one. TorrentLocker has also been sighted in Poland, Spain, Germany and the United States, along with the countries mentioned above. For now the attacks in Australia seem to have decreased, but they have not ceased for good, so users should not let their guard down.

Where Does the Threat Come From
Research into TorrentLocker shows that about 800 domains were compromised to spread the infection. Their purpose is to host the images used in the emails or to redirect users to the fake web pages. The fake pages themselves were found to be hosted on servers located mainly in the Russian Federation and Turkey, with some in France.

TorrentLocker uses a small range of command-and-control servers. Here is the full list:

  • kergoned.net (178.32.72.224)
  • driblokan.net (87.98.164.173)
  • bareportex.org (185.42.15.152)
  • projawor.net (87.98.164.173)
  • golemerix.com (212.76.130.69)
  • klixoprend.com (185.86.76.80)
  • krusperon.net (91.226.93.33)
  • imkosan.net (185.86.76.80)
  • loawelis.org (178.32.72.224)

The server used most often is klixoprend.com, which is also known to be used by the Timba malware. That malware is able to generate random domain names for fake websites, so a domain name that looks something like hhjgrtttwiod.com is a strong sign that you are on a malicious web page pretending to be genuine. Note also that several of the listed domains share an IP address (kergoned.net and loawelis.org, driblokan.net and projawor.net, klixoprend.com and imkosan.net), so blocking by IP address covers more than one name.
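The indicators above, the random-looking-domain observation and the lure archive names from the earlier section can be turned into a simple check over proxy or DNS logs. The following is an added example, not code from the article or from any research it reports. The C2 domains and IP addresses are copied from the list; the log line format, the constructed sample lines, the regular expressions that generalise the archive names (assuming the numeric suffix varies per victim) and the random-looking-domain heuristic are assumptions made for this example.

```python
"""Match web proxy log lines against the TorrentLocker indicators above.

Added example. The C2 list is from the article; the log format, sample lines,
archive-name patterns and the looks_random() heuristic are assumptions.
"""
import re
from collections import defaultdict

# C2 indicators as listed in the article (domain -> IP address).
C2_DOMAINS = {
    "kergoned.net": "178.32.72.224",
    "driblokan.net": "87.98.164.173",
    "bareportex.org": "185.42.15.152",
    "projawor.net": "87.98.164.173",
    "golemerix.com": "212.76.130.69",
    "klixoprend.com": "185.86.76.80",
    "krusperon.net": "91.226.93.33",
    "imkosan.net": "185.86.76.80",
    "loawelis.org": "178.32.72.224",
}
C2_IPS = set(C2_DOMAINS.values())

# Lure archive names from the article, generalised on the assumption that the
# numeric part varies per victim.
LURE_ARCHIVES = [
    re.compile(r"turkcell_fatura_\d+\.zip", re.I),
    re.compile(r"case_\d+\.zip", re.I),
    re.compile(r"informacje_przesylki\.zip", re.I),
]

VOWELS = set("aeiou")


def shared_ips(c2=C2_DOMAINS):
    """Group C2 domains that resolve to the same IP: one IP block covers several names."""
    by_ip = defaultdict(list)
    for domain, ip in c2.items():
        by_ip[ip].append(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}


def looks_random(label):
    """Heuristic (an assumption of this example) for DGA-style labels such as
    'hhjgrtttwiod': long, vowel-poor, with a long run of consonants. It does not
    flag the pronounceable C2 names above, which is why the explicit list matters."""
    label = label.lower()
    if len(label) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_run = max(len(run) for run in re.split(r"[aeiou]+", label))
    return longest_run >= 5 or vowel_ratio < 0.2


def scan_log(text):
    """Scan lines of the assumed format '<ts> <client> <dest_ip> <host> <path>'
    and return one alert per suspicious line with the reasons it matched."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, dest_ip, host, path = line.split()
        host = host.lower()
        reasons = []
        if host in C2_DOMAINS:
            reasons.append("c2-domain")
        if dest_ip in C2_IPS:          # catches the IP even when the host differs
            reasons.append("c2-ip")
        if any(looks_random(l) for l in host.split(".")[:-1]):
            reasons.append("random-looking-domain")
        basename = path.rsplit("/", 1)[-1]
        if any(p.fullmatch(basename) for p in LURE_ARCHIVES):
            reasons.append("lure-archive")
        if reasons:
            alerts.append({"client": client, "host": host, "reasons": reasons})
    return alerts


# Constructed sample lines, not real traffic. The third line combines a
# random-looking domain with one of the archive names from the article.
SAMPLE_LOG = """\
2015-02-20T09:12:01Z 10.0.0.15 185.86.76.80 klixoprend.com /
2015-02-20T09:12:05Z 10.0.0.15 93.184.216.34 example.com /index.html
2015-02-20T09:13:40Z 10.0.0.22 203.0.113.9 hhjgrtttwiod.com /bill/turkcell_fatura_192189779.zip
2015-02-20T09:14:02Z 10.0.0.22 178.32.72.224 cdn.example.net /img/logo.png
2015-02-20T09:15:00Z 10.0.0.31 198.51.100.7 britishgas.co.uk /account
"""

if __name__ == "__main__":
    for ip, domains in shared_ips().items():
        print(f"{ip} is shared by {', '.join(domains)}")
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['client']} -> {alert['host']}: {', '.join(alert['reasons'])}")
```

Run as-is it reports the three shared IPs and flags three of the five constructed lines: the direct C2 contact (by both name and IP), the random-looking domain serving a lure archive, and a connection whose host name is unremarkable but whose destination IP is on the C2 list. The heuristic deliberately does not fire on the nine listed C2 names, which are pronounceable; for those only the explicit indicator list helps.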

Unfortunately, the command-and-control domains have been registered through a domain privacy service, so the registration records do not reveal who is behind the distribution of TorrentLocker.

Precautionary Measures
It is important to identify the threat as soon as possible. If you can tell that the email with the link to the malicious web page is fake and delete it, all the better. Even if you find yourself on the malicious website, it is still not too late: if the page only asks you for a captcha and then offers you a file to download, decline and leave the page. The best thing you can do is run reliable security software on your PC that will protect you from attackers even when you are not as careful as you should be, acting as a safety net for your computer's security.