TorrentLocker (also known as Crypt0L0cker) appeared on the ransomware scene in August 2014, and its distribution peaked in early to mid 2015. It ran several major spam campaigns, mostly targeting the Netherlands, Italy and Australia. It did not take long, however, for other ransomware families such as TeslaCrypt and CryptoWall to overtake and replace it.
That is why the detection of a new TorrentLocker version took researchers by surprise. The new wave was first spotted by Emsisoft security researcher xXToffeeXx. The developers of this version chose spam email as the distribution channel. The malicious messages are disguised as energy bills from the Italian energy company Enel and carry an attachment named ENEL_BOLLETA.zip, which contains a JavaScript file called ENEL_BOLLETA.js.
When executed, the JavaScript file downloads the TorrentLocker executable, saves it to the %Temp% folder and launches it. The executable then starts encrypting the victim's files, appending the ".ENC" extension to the end of every encrypted file name.
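The infection chain above has three observable stages, and each one can be checked for. The following Python example is added here to illustrate those checks; it is not code from the article, from Emsisoft or from the malware sample. It flags a zip attachment that carries a script file, a script host (wscript.exe or cscript.exe, an assumption about which host runs a double-clicked .js file) launching an executable out of a temp directory, and a burst of files renamed to the .ENC extension by a single process. The attachment, the telemetry records and their field names are all constructed for the example.

```python
"""Constructed detection checks for the TorrentLocker delivery chain:
a .zip attachment carrying a .js dropper, a script host launching an
executable out of %Temp%, and a burst of files renamed to *.ENC.
All sample data below is constructed; none of it comes from a real sample."""
import io
import re
import zipfile
from collections import Counter

# Script types a mail gateway should not accept inside an archive (assumption:
# a typical policy list, not something the article specifies).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}

# Script hosts that execute a double-clicked .js file on Windows (assumption:
# the article does not name the host; wscript.exe/cscript.exe are the defaults).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Matches a \Temp\ or \Tmp\ path component, case-insensitively.
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


def script_members(zip_bytes: bytes) -> list[str]:
    """Return archive members whose extension is a Windows script type."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if "." in n and "." + n.rsplit(".", 1)[1].lower() in SCRIPT_EXTS]


def build_sample_attachment() -> bytes:
    """Constructed stand-in for ENEL_BOLLETA.zip: one .js member with a harmless body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ENEL_BOLLETA.js", "// placeholder body, not the real dropper\n")
    return buf.getvalue()


def temp_exec_from_script_host(events):
    """Flag process-creation events where a script host starts an .exe that
    lives in a temp directory (the download-to-%Temp%-and-run step)."""
    hits = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        image = ev["image"]
        if parent in SCRIPT_HOSTS and TEMP_DIR_RE.search(image) \
                and image.lower().endswith(".exe"):
            hits.append(ev)
    return hits


def enc_rename_burst(events, threshold=5):
    """Return {process: count} for processes that renamed at least `threshold`
    files to *.ENC; a few renames are noise, a burst from one process is encryption."""
    counts = Counter(ev["process"] for ev in events
                     if ev["new_name"].lower().endswith(".enc"))
    return {proc: n for proc, n in counts.items() if n >= threshold}


# Constructed sample telemetry in a Sysmon-like shape (field names are our own).
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\mario\AppData\Local\Temp\fattura.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe"},
]
SAMPLE_FILE_EVENTS = [
    {"process": r"C:\Users\mario\AppData\Local\Temp\fattura.exe",
     "new_name": rf"C:\Users\mario\Documents\doc{i}.docx.ENC"} for i in range(8)
] + [
    {"process": r"C:\Windows\explorer.exe",
     "new_name": r"C:\Users\mario\Desktop\notes.txt"},
]

if __name__ == "__main__":
    print("script members:", script_members(build_sample_attachment()))
    print("temp exec from script host:", temp_exec_from_script_host(SAMPLE_PROCESS_EVENTS))
    print("enc rename burst:", enc_rename_burst(SAMPLE_FILE_EVENTS))
```

The first check belongs at the mail gateway, the other two on the endpoint. The rename threshold is deliberately a count per process rather than a global count, so a user who legitimately renames a couple of files does not trip it while an encryptor renaming hundreds does.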
This TorrentLocker version displays a ransom note in Italian with detailed instructions on how the victims should complete the payment.
This particular sample appears to be aimed at Italian users, but there is a good chance that parallel campaigns are targeting other countries as well.