Slovakian security wizards ESET have delved deep into the guts of the TorrentLocker ransom malware and pulled out some interesting details of its destructive life story starting with the number of files it has encrypted – a misery-inducing 285 million to date.
Although TorrentLocker is nowhere near the scale of the infamous CryptoLocker, and will likely never acquire the latter’s notoriety, that sort of file scrambling still adds up to 39,670 infected PCs by ESET’s calculation.
On the basis of the spam used to distribute the malware, victims have also been surprisingly concentrated on a small group of countries: the UK, Australia, Canada, Czech Republic, Italy, Ireland, France, Germany, The Netherlands, New Zealand, Spain and Turkey. That means the US was apparently not targeted for some reason although some Americans might have encountered the malware through other channels.
Of the nearly 40,000 victims detected by analysing numbers inside its command and control, ESET found 570 that had paid the Bitcoin ransom, netting the criminals between $292,700 and $585,401 (£200,000 and up). With a conversion rate of 1.45 percent that’s actually a decent pay-off in line with other examples of ransom malware analysed in a similar way.
As a side note, earlier this year ESET estimated that the total value of Bitcoins entering a wallet suspected of receiving TorrentLocker’s scam proceeds was around $40 million although not all of this would have been from ransom malware. Exactly how much money it has made is therefore still not clear.
A couple of smaller points worth pulling out. Versions of TorrentLocker appear to have been around a bit longer that previously realised, with the earliest examples turning up in anti-virus nets in February 2014, months before security company iSight Partners first publicised it.
Like Rumpelstiltskin, TorrentLocker also has its own private name that ESET reveals to be the rather prosaic ‘Racketeer’, presumably a translation of a Russian noun.
“We believe the actors behind TorrentLocker are the same as those behind the Hesperbot family of banking Trojan malware,” said ESET’s Canadian-based researcher, Marc-Etienne M. Léveillé.
As reported elsewhere, the attackers had also fixed an AES encryption flaw that made it possible to work out the key used to scramble files, he said.
The easiest to overlook aspect of ESET’s research is that it reveals the lures used in TorrentLocker’s spam campaign. As with every other malware attack through this channel, people receive an attachment they are socially-engineered into opening. Some of the lures are quite devious and in some countries will definitely grab the attention of users – an alleged unpaid invoice, a speeding ticket, and package tracking – all localised to the country of the victim.
As for the UK, ESET’s figures show that at least 2,300 PCs were infected with TorrentLocker, with “up to” 210 people paying up (probably far fewer – this is a maximum) and just under 30 million encrypted files locked up, many probably belonging to small businesses. The average ransom demanded was the Bitcoin equivalent of between £400 and £650.