Malware News TorrentLocker Ransomware Still Around, Uses Tor to Hide Backup C&C Servers

[Exterminator]

The TorrentLocker ransomware, also known as Crypt0L0cker or CryptoLocker, is still infecting users, two years after it was first spotted and analyzed by security researchers.

Taking into account that most ransomware families die out after a few weeks and very few pass over the one year mark, this is remarkable, but in a bad way, at least for us, regular users.

TorrentLocker still successful after all these years
What's even stranger is that TorrentLocker is doing all this with minimal changes to its recipe of success, if we are to believe a technical report released last week by ESET, a cyber-security vendor based in Slovakia.

The company's experts say they've identified several changes to how TorrentLocker operates, but generally, it's still the same tool that was active two years ago. So why hasn't it been stopped? Because it's a well-coded piece of ransomware, with very few flaws and that also uses very strong encryption.

All files infected with TorrentLocker are locked with an AES-256-CBC algorithm first, and then the key to unlock this encryption is locked itself by a dual-key RSA algorithm that keeps a key on the PC, and the other sends it to the crooks' C&C server.

Tor is used as a backup C&C communications channel
The way the C&C servers are managed is one of the changes detected in TorrentLocker operations, ESET researchers explain. Even if communication with these servers is encrypted, security researchers often track them down and have hosting firms or authorities take them offline.

To prevent such scenarios and allow the infected victims to be able to pay the ransom so that crooks can monetize their spam campaigns, recent versions of TorrentLocker come with a list of .onion URLs, websites accessible via the Tor network, to which the ransomware falls back when its main C&C servers go down.

This is not the only malware family that has started implementing Tor as a C&C backbone network. The Ursnif trojan has done the same.

TorrentLocker avoids infecting users in China, Russia, the US
Besides Tor as a backup C&C communications channel, TorrentLocker will also check the victim's IP address and show localized ransom note in the user's language.

The ransomware shows custom ransom notes for 22 countries, even if recent spam campaigns haven't targeted all.

According to ESET, the gang behind TorrentLocker is using email spam masquerading as an invoice for a local utility company, and has targeted users in countries such as Australia, Austria, the Czech Republic, Denmark, Germany, Italy, the Netherlands, Norway, Poland, Spain, Sweden, Switzerland, Turkey, and the UK.

ESET also says that TorrentLocker is hard-coded to avoid countries such as China, Russia, Ukraine, and strangely, the US, which almost all ransomware variants seem to love to target.