The Danes are no strangers to attack campaigns in which ransomware uses a trusted brand as a lure. In September 2015, attackers used a post office scam to deliver Cryptolocker2 to unsuspecting Danish users. Several months later, another threat known as TorrentLocker began infecting recipients of a fake invoice from Telia, a telecom giant that serves Europe and Asia.
It would now appear TorrentLocker’s handlers are once again targeting Denmark. This time, the ransomware family is abusing widespread recognition of Norton AntiVirus software to establish a foothold on Danish users’ machines.
TorrentLocker’s Latest Malspam Campaign
An attack begins when a user receives a spam email. Bearing the subject line “Payment information,” the email urges the recipient to pay an invoice hosted at the following sanitized Dropbox location: https://dl.dropboxusercontent[.]com/s/cwoged2mtm3o3hy/505741.zip?dl=0. As of this writing, that link bears a 1/64 detection rating on VirusTotal.
If the recipient clicks on the link, a .zip archive downloads onto their computer containing three items. One of those is an image file named “nortonsecure.png.”
Andra Zaharia, a security evangelist at Danish security firm Heimdal Security, has something to say about this image:
“The ‘nortonsecured.png’ file is yet another attempt at psychological manipulation that aims to confuse the user and reassure the potential victim that the files have been scanned with Norton antivirus and, as a consequence, are safe to open.”
The .zip archive also contains 505741.js, a downloader with a 14/56 detection rating on VirusTotal. If opened, it fetches TorrentLocker from one of the following sanitized locations: http://kolives[.]pl/file/ret.fgh (VirusTotal detection rate: 2/64) or http://pinusels[.]pl/file/ret.fgh (VirusTotal detection rate: 5/64). At that point, the ransomware not only encrypts the user’s files but also goes after any connected network drives and harvests the victim’s data before sending it off to its command and control server.
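As an added example (not part of the original article), a small Python check that a mail gateway or analyst could run on an attached archive to flag the pattern described above: a script downloader bundled with a reassuring decoy image. The member names mirror the article; the member contents are constructed placeholders, and the extension lists are assumptions, not a definitive set.

```python
import io
import zipfile

# Extensions of script hosts commonly abused as downloaders in mail-delivered archives.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}
# Harmless-looking members that act as reassurance (the "scanned by Norton" image).
DECOY_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}
# Document-looking extensions that precede a script extension, as in "invoice.pdf.js".
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def split_exts(name: str):
    """Return the last two extensions of a file name, lower-cased ('' when absent)."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    prev = "." + parts[-2] if len(parts) > 2 else ""
    return prev, last

def analyze_zip(data: bytes) -> dict:
    """Inspect an attached .zip and explain why it looks like a script-downloader lure."""
    scripts, decoys, reasons = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            prev, last = split_exts(info.filename)
            if last in SCRIPT_EXTS:
                scripts.append(info.filename)
                if prev in DOC_EXTS:
                    reasons.append(f"double extension: {info.filename}")
            elif last in DECOY_EXTS:
                decoys.append(info.filename)
    if scripts:
        reasons.append("script member in mail attachment")
        if decoys:
            reasons.append("decoy bundled with script")
    return {"scripts": scripts, "decoys": decoys, "reasons": reasons,
            "suspicious": bool(scripts)}

def build_zip(members: dict) -> bytes:
    """Build an in-memory .zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed stand-in for the archive described above: a JScript member next to the
# reassurance image. Contents are placeholders, not the real files.
SAMPLE_ZIP = build_zip({
    "505741.js": b"// placeholder, not the real downloader\n",
    "nortonsecure.png": b"\x89PNG\r\n\x1a\n",
})

if __name__ == "__main__":
    print(analyze_zip(SAMPLE_ZIP))
```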
Prevention and Response
There is a decrypter available for TorrentLocker that allows victims to regain access to their files for free. According to Bleeping Computer, however, the ransomware’s authors have since closed the weakness that decryption method relied on. Victims can still try the decrypter by downloading the utility here.
Given how quickly TorrentLocker and other crypto-malware families change, users and small businesses alike should focus on preventing a ransomware infection in the first place. To that end, this resource contains 22 useful ransomware prevention strategies. Those tips include disabling macros in Microsoft Office and conducting regular data backups just to be safe.