Recently published blog posts:
Go to the blog archive and browse all previous blog posts
we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to
date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date
and get notified about new whitepapers.
Report an incident:
The following email address can be considered as point of
contact for FIRST members and other
Alternative GovCERT.ch PGP Key (for older versions of PGP without Curve25519 support)
Published on January 21, 2016 13:00 UTC by GovCERT.ch (permalink)
Last updated on January 22, 2016 09:41 UTC
On Wednesday, Jan 20 2016, we have noticed a major spam campaign hitting the Swiss cyberspace, distributing a ransomware called TorrentLocker. We have already warned about similar TorrentLocker attacks against Swiss internet users last year via Twitter.
TorrentLocker is one of many ransomware families that encrypts any local file on a victim’s computer and demands that the victim pays a ransom to have his files decrypted again. Since some ransomware families do not only encrypt files stored locally on the infected machine but also on any mapped network share, ransomware also represent a serious threat to corporate networks. To make sure that the malicious email goes through spam filters and gets opened by the recipient swiftly, the TorrentLocker gang is using a handful of tricks.
While still most of the daily spam that arrives in the inbox of internet users every day is being emitted by infected computers in the internet (so called botnets), the TorrentLocker gang is using the snowshoe spam tactic to send out their spam mails. This means that they rent smaller networks from hosting providers which will then be used to send out the spam email. Since snowshoe spam is usually being sent from hosting provider IP space (unlike botnet spam, which comes from end-user IP space such as DSL, cable or fiber lines) with a valid (matching) rDNS / EHLO and sometimes even a proper SPF and DKIM record, they easily bypass many spam filters. Another characteristic of a typical TorrentLocker spam email is that they commonly don't contain any attachments (such as the usual executable in a .zip archive) but a link to a compromised website that is hosting the infection binary. By doing so, the spam emails bypass Antivirus filters (since there is simply no attachment in the email that an AV could detect and analyze). Once the recipient of the TorrentLocker spam email clicks on the link in the spam email, it will lead the victim to a compromised website that serves a captcha. Unlike real captchas, the captcha on the TorrentLocker site is hardcoded in the PHP script and is always the same. The reason why the TorrentLocker gang uses such a captcha is unknown, but we assume that they take advantage of such a (rather simple) captcha to avoid that spam filters and similar security devices can pull the malware down and analyze it in an automated way.
To make sure that the victim opens the email and clicks on the link presented in the spam email, the TorrentLocker gang uses some localized themes of the targeted country. In the recent TorrentLocker spam campaigns we have seen against Swiss internet users, the spam emails are written in German and pretend to come from the Swiss Federal Police (Bundesamt für Polizei), telling that there is a court case being opened against the recipient and offering a download-link to see the documentation. Furthermore, the recipient is asked to provide documents to the court.
So we have some sort of a perfect spam email here: Sent from snowshoe IP space with a link to a legit (but compromised) website and themed for the country of the recipient.
To distribute TorrentLocker, the miscreants are using a set of compromised websites which are being advertised through the spam emails. So far, we have seen the following websites being abused for this purpose:
These websites look like this:
In fact it is pretty easy to recognize that these websites are malicious: They try to convince the visitor that he is visiting the website of the Swiss Federal Police, but are all hosted in the country Top Level Domain (ccTLD) .ru. Considering that web sites of the Swiss Federal Administration usually end with admin.ch (like www.fedpol.admin.ch in this case, which is the real website of the Swiss Federal Police), seeing the logo of the Swiss Federal Administration on a website that is not ending with admin.ch (or is even hosted in a foreign ccTLD) should raise suspicion.
To bypass Antivirus on the victims computer (or on the web proxy in a corporate environment), the criminals are pushing a new infection binary to the distribution sites frequently. By this they make sure that the current infection binary has a low AV coverage and is able to pass Antivirus software. Below are two samples we managed to pull down from the infection sites.
bundespolizei_info_62788.zip (MD5 0718c8f2108de4147b527f52a4099127)
bundespolizei_info_62788.exe (MD5 0af13f1ba5afc61d69c8c980dfc4f371)
bundespolizei_info_62788.zip (MD5 d10706a37257d8c6b031912be96a53e7)
bundespolizei_info_62788.exe (MD5 5c4fa424f4796bde3209794f9ea01801)
bundespolizei_info_62788.zip (MD 2455911fc67fd1207cda4bb0c54cf8af)
bundespolizei_info_62788.exe (MD5 140a16ec36954eaaf298f3a91cac6054)
Once executed on the victim's machine, TorrentLocker will first try to contact a botnet command & control server (C&C) before the malware will start to encrypt files on the local computer. This means that if you block access to the TorrentLocker botnet controller, the ransomware will not encrypt any files.
Below is a list of know TorrentLocker C&Cs (hosted in Russia):
As soon as TorrentLocker started to encrypt files on the victims machine, the malware opens a local web page in the internet explorer, telling the victim that his local files have just been encrypted by "Cryp0tL0cker" and that he has to pay a ransom to get the files decrypted again. Below is a screenshot of this “lockscreen”:
The price for such a "decryption key" varies. For Swiss citizens, the price is about CHF 499. The victim will have 5 days time to buy a decryption key until the miscreant will raise the price of such one from CHF 499 to CHF 998. MELANI / GovCERT.ch recommends not to pay.
So far, we have seen the following TorrentLocker payment sites:
Should all payment sites be unavailable, the miscreants also offer an email address through which the victim can contact them:
TorrentLocker is known for targeting various other countries. Just like the spam campaign that hit Swiss internet users this week, there have been other well themed spam campaigns hitting other countries. Taking a look at passive DNS data reveals that the following countries have recently been targeted by TorrentLocker as well:
To avoid becoming a victim of TorrentLocker, we provide the following recommendations :
For private persons:
In general, MELANI / GovCERT.ch recommends not to pay any ransoms. Paying a ransom will finance the operations of cybercriminals. In addition, you do not have any guarantee that you will receive a decryption key to decrypt your files.
A full set of recommendations for corporate networks can be found on the MELANI website.
Merkblatt IT-Sicherheit für KMUs (German):
Sécurité informatique: aide-mémoire pour les PME (French):
Promemoria sulla sicurezza informatica per le PMI (Italian):
The Cybercrime Coordination Unit Switzerland (CYCO) has also published a warning regarding TorrentLocker on their website:
Warnung: betrügerische Mails mit Verlinkung auf eine gefälschte Webseite von fedpol (German):
Back to top