A ransomware variant that has been relatively inactive for almost two years is back, and this time it is stealing user credentials from victims in addition to demanding a ransom to decrypt locked files. TorrentLocker, also commonly referred to as CryptoLocker, began targeting Windows users in 2014 before disappearing by the summer of 2015. Like the majority of ransomware schemes, TorrentLocker spreads via spam email messages containing malicious attachments.
ZDNet reports, “This revived TorrentLocker campaign sees targets sent an email labelled as ‘high importance’, within which is the malicious attachment in the form of a Word document with embedded macros.
If the victim enables the macros by choosing to ‘Enable Editing’, PowerShell code is executed and the ransomware is downloaded, encrypting the victims’ files until they pay a ransom.
But that isn’t where the malicious activity ends, because as noted by cybersecurity researchers at Heimdal Security, this incarnation of TorrentLocker has new features, including the ability to spread itself to other computers via shared files; something which could see the ransomware taking over a whole network in a very short space of time.
In addition to holding networks to ransom, the new version of TorrentLocker also harvests usernames and passwords from infected computers, putting businesses at risk of cyberespionage and data breaches, while users could see their personal or financial information leaked and sold to cybercriminals on the dark web.
The researchers warn that the revived TorrentLocker campaign is “very aggressive” and that many well known antivirus software products haven’t been updated to protect against it, even days after the campaign began.
Heimdal Security warns users in its native Denmark that they’re being highly targeted by TorrentLocker. Indeed, it appears that European internet users are the main target for those behind the campaign, as Microsoft told BleepingComputer that Italy is by far the most targeted by the perpetrators.
TorrentLocker attacks have been detected all across Europe, in locations ranging from the UK to Sweden and Turkey. Security researchers at Heimdal note that tools to decrypt TorrentLocker are available online, but they’re yet to be officially tested with the new variant.”
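The infection chain quoted above (a Word document whose macro launches PowerShell, which then downloads the ransomware) leaves a distinctive trace in endpoint telemetry: an Office application becoming the parent of a script host. The following detection logic is an added example written for this page; it is not code from the article, from Heimdal Security or from ZDNet. It runs over constructed Sysmon-style process-creation records (the field names mirror Sysmon Event ID 1; the paths, users and command lines are invented) and flags Office-spawned script hosts, raising the severity when the command line also carries the hidden-window, no-profile or encoded-command switches that macro droppers typically use.

```python
"""Added example: flag Office applications spawning script hosts in process-creation telemetry.

Not from the article or the vendors it quotes. The records below are constructed
to resemble Sysmon Event ID 1 fields; nothing here is real telemetry.
"""
import re
from typing import Dict, List

# Office binaries that should almost never be the parent of a script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters a macro dropper typically hands off to.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Switches that commonly accompany macro-launched PowerShell: hidden window,
# no profile, base64-encoded command. Matched case-insensitively.
EVASION_FLAGS = re.compile(
    r"(?i)-(?:w(?:indowstyle)?\s+hidden|e(?:ncodedcommand|nc)\b|nop\b|noprofile\b)"
)

# Constructed sample records (assumption: Sysmon-like field names, invented values).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <BASE64_PLACEHOLDER>",
     "User": "CORP\\alice"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1",
     "User": "CORP\\admin"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -w hidden -nop -c <PLACEHOLDER>",
     "User": "CORP\\bob"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12345",
     "User": "CORP\\carol"},
]


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> Dict[str, object]:
    """Evaluate one process-creation record and return a verdict with reasons."""
    parent = image_name(ev.get("ParentImage", ""))
    child = image_name(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    reasons: List[str] = []

    # Core signal: an Office document is the parent of an interpreter.
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office_spawned_script_host:{parent}->{child}")
        # Secondary signal: the child tries to stay quiet or hide its payload.
        if EVASION_FLAGS.search(cmdline):
            reasons.append("evasion_flags_in_command_line")

    severity = "none"
    if reasons:
        severity = "high" if len(reasons) > 1 else "medium"
    return {"user": ev.get("User", ""), "parent": parent, "child": child,
            "severity": severity, "reasons": reasons}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the records that produced at least one reason, in input order."""
    return [r for r in (score_event(e) for e in events) if r["reasons"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["severity"], hit["user"], hit["parent"], "->", hit["child"], hit["reasons"])
```

Of the four constructed records, only the two with an Office parent and a script-host child are reported; the explorer-launched inventory script and the print helper spawned by Word are left alone. The parent/child pairing is the durable signal: the switch list is easy for an attacker to vary, so it raises severity but is not required for a hit. In production the same rule is usually expressed as a SIEM query over Sysmon or EDR process events rather than as a script.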