Attackers have mounted a new ransomware campaign that impersonates the Nordic telecom giant Telia. The company operates in Europe and Asia and has millions of customers, all of whom are potential targets for the malware. According to Heimdal Security, this is a highly targeted campaign that uses several attack vectors.
First, victims are baited with a link to an invoice that appears to come from the trusted telecom company Telia. The main target of the attack is Sweden, though further campaigns replicating the same model may follow.
The infection chain starts when the victim clicks the link: they are taken to a web page that displays a CAPTCHA, and once the code is entered, the TorrentLocker payload is downloaded.
“The TorrentLocker family is well known for its highly targeted spam email campaigns,” said Heimdal Security researcher Andra Zaharia. “Attackers carefully localize the emails, ransom notes and other elements tied to the campaign. The more targeted the attack, the higher the chances for it to be effective.”
Notably, the payload is served only if the victim’s IP address is in Sweden; visitors from any other country are redirected to Google instead. A consequence for defenders is that a sandbox or analyst fetching the link from outside Sweden sees nothing but the redirect.
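The delivery chain described above (lure link, CAPTCHA page, executable download) leaves a recognisable sequence in web-proxy logs, and because the payload is only served to Swedish IP addresses, that sequence may be the only evidence an out-of-country analyst ever gets. The following is an added example, not code from the article or from Heimdal Security: a small correlation check that flags a client which, shortly after loading a CAPTCHA page, pulls an executable from the same host. The log format, hostnames, IP addresses and timestamps are constructed for illustration, and the five-minute correlation window and the content-type list are assumptions to tune locally.

```python
"""Correlate web-proxy log lines to flag the lure chain: a client lands on a
CAPTCHA-gated page and, shortly afterwards, downloads an executable from the
same host.  Log format, hosts and timestamps are constructed (not from the
article); the window and content types are tunable assumptions."""
from datetime import datetime, timedelta

# Constructed sample proxy log: "<ISO time> <client ip> <method> <url> <content-type>"
SAMPLE_LOG = """\
2016-03-10T09:12:01 10.0.0.5 GET http://invoice-lookalike.example/faktura/captcha.php text/html
2016-03-10T09:12:40 10.0.0.5 GET http://invoice-lookalike.example/faktura/download.php?id=1 application/x-msdownload
2016-03-10T09:13:02 10.0.0.7 GET http://www.google.com/ text/html
2016-03-10T09:20:00 10.0.0.9 GET http://intranet.example/captcha text/html
2016-03-10T09:45:00 10.0.0.9 GET http://intranet.example/tools/setup.exe application/x-msdownload
"""

# Content types and extensions treated as "executable download" (assumed list).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".zip")


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp and host."""
    ts, client, method, url, ctype = line.split()
    host = url.split("/")[2]  # "http://host/path" -> "host"
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "url": url, "host": host, "ctype": ctype}


def looks_like_executable(ev):
    """True if the response type or the URL path suggests an executable download."""
    path = ev["url"].split("?")[0].lower()
    return ev["ctype"] in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_SUFFIXES)


def find_captcha_to_download(log_text, window=timedelta(minutes=5)):
    """Return (client, host, seconds_between) for every CAPTCHA page that was
    followed, within `window`, by an executable download from the same host
    by the same client."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    last_captcha = {}  # (client, host) -> time of the most recent CAPTCHA page
    hits = []
    for ev in events:
        key = (ev["client"], ev["host"])
        if "captcha" in ev["url"].lower():
            last_captcha[key] = ev["ts"]
        elif looks_like_executable(ev) and key in last_captcha:
            delta = ev["ts"] - last_captcha[key]
            if timedelta(0) <= delta <= window:
                hits.append((ev["client"], ev["host"], int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for client, host, secs in find_captcha_to_download(SAMPLE_LOG):
        print(f"ALERT {client} fetched an executable from {host} "
              f"{secs}s after loading a CAPTCHA page")
```

On the constructed log, only 10.0.0.5 is flagged: the internal client that downloaded an installer 25 minutes after a CAPTCHA page falls outside the window, which is the kind of legitimate sequence the time bound is there to suppress.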
When the malicious code runs, it connects to a central C&C server and registers the infected computer along with data harvested from it, including the certificates found on the device.
The contact details stored on the device are also collected and sent to the same C&C server, to be used in future spam campaigns.
TorrentLocker then encrypts all data files on the local drive and on any connected network drives. To recover their files, victims are asked to pay approximately 1.15 Bitcoins, worth roughly 441 EUR. If the payment is not made before the deadline, the ransom doubles.
“We can’t emphasize this enough: a backup is the best protection for your data in case of a ransomware attack,” Zaharia said. “Actually, you should have multiple backups. We have a long road ahead when it comes to minimizing the impact of ransomware, which is one more reason to push for basic cybersecurity education and proactive protection.”
In addition, Zaharia stated, “Spoofing the identities of big, respected companies is a key tactic that cyber criminals use to trick their victims. We’ve seen it happen with IKEA and especially Post Denmark and PostNord. And we’ve seen it not once, not twice, but tens of times in the past year alone.”