430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

TorrentLocker ransomware campaign hit Spain and Italy

Experts at S21sec firm recently detected a new ransomware campaign based on TorrentLocker that infected users prevalently in Italy and Spain. The last report published by Trend Micro revealed that ransomware represents a serious cyber threat in the EMEA region, where countries like Italy and Spain observed over 80% of the affected users. Recently S21sec detected […]

TorrentLocker ransomware campaign hit Spain and Italy

Experts at S21sec firm recently detected a new ransomware campaign based on TorrentLocker that infected users prevalently in Italy and Spain.

The last report published by Trend Micro revealed that ransomware represents a serious cyber threat in the EMEA region, where countries like Italy and Spain observed over 80% of the affected users.

Recently S21sec detected a new ransomware campaign based on TorrentLocker malware that appears very active in Italy and Spain.

TorrentLocker campaign infections

The malware is spread through spam emails containing a link to the malware.

The spam campaign was observed in the first couple days of December, it was active until December 5th when the C&C servers went dark and stop any activity.

” Is easy to spot that over 80% of the affected users are in Spain and Italy with little affectation in other countries. As a side an funny fact we found one affected computer in the Vatican State.  Additionally we have detected TorrentLocker campaigns targeting Turkey and Australia after the conclusion of the Spanish/Italian operation.” reads a blog post from S21sec.

Currently. the experts have detected two strain of TorrentLocker malware that differ for the encryption algorithm being used. As explained by experts, in order to unlock the resources, the malware authors demand a payment with a virtual currency like Bitcoin or Ukash tickets, to make difficult to trace the transactions.

TorrentLocker campaign

TorrentLocker is able to infect Microsoft Windows systems, it encrypts all files on the infected machine stored in every mapped drive unit, but it not encrypts data on network shared folders if they are not mounted as a local drive, similar behavior is for the recovery partitions.

Once infected the system, TorrentLocker tries to contact the C&C server to receive the encryption key to perform its activities.

“After a successful infection TrorrentLocker tries to establish a TLS session with its C&C server, which in opposition to CryptoLocker that employed a DGA it is hardcoded in the binary, in order to obtain encryption key. If the communication with the C&C panel can not be performed no encryption will be performed at all.” states the blog post.

The early versions of TorrentLocker was using a rudimental encryption routine that consist in applying a static XOR mask to the first 2 MB of the file, but earlier December 2014 appeared a new variant that was using the AES (Advanced Encryption Standard) to encrypt the files.

The experts explained that is still possible to retrieve files just after TorrentLocker infection in some cases.

“It is still possible to retrieve the files if just after the infection a file carving tool is used, Due to TorrentLocker does not deletes the files in a secure manner after encryption.” explains the post.

Further details on TorrentLocker are available in the interesting analysis conducted by experts at iSHIGHT Partners.

Pierluigi Paganini

(Security Affairs –  TorrentLocker , Ransomware)