I first wrote about this bit of nastiness here: http://drjbhl.joeuser.com/article/457404/CryptoWall_Ramsomware_has_hit_600K_computers_and_a_new_gem_TorrentLocker
It was so named because its configuration resides in the Windows Registry under HKCU\Software\Bit Torrent Application\Configuration. Its real name is Win32/Filecoder.DI.
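A quick way for an administrator to look for that registry artifact on a Windows box, as an added example that is not from the original post or from ESET; it assumes the key path exactly as given above (other variants may use a different key), and absence of the key does not prove the host is clean:

```powershell
# Added example (not from the original post or ESET): check whether the
# registry key this post names as TorrentLocker's configuration store exists.
# Assumes the key path exactly as given in the post; other variants may differ.
function Test-TorrentLockerRegistryArtifact {
    [CmdletBinding()]
    param(
        # Path from the post; overridable in case a variant uses another key.
        [string]$KeyPath = 'HKCU:\Software\Bit Torrent Application\Configuration'
    )

    $result = [pscustomobject]@{
        KeyPath    = $KeyPath
        Present    = $false
        ValueNames = @()
        CheckedAt  = (Get-Date).ToString('o')
    }

    if (Test-Path -LiteralPath $KeyPath) {
        $result.Present = $true
        $key = Get-Item -LiteralPath $KeyPath
        # Record value names only; the values themselves are opaque config data.
        $result.ValueNames = @($key.GetValueNames())
    }
    return $result
}

# HKCU only covers the current user's hive. To sweep every loaded user hive,
# enumerate HKEY_USERS instead (SIDs of logged-on users plus .DEFAULT).
function Test-TorrentLockerRegistryArtifactAllUsers {
    $hits = @()
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $path = "Registry::$($hive.Name)\Software\Bit Torrent Application\Configuration"
        if (Test-Path -LiteralPath $path) {
            $hits += Test-TorrentLockerRegistryArtifact -KeyPath $path
        }
    }
    return $hits
}

# Usage: run as the affected user, or elevated for the all-users sweep.
$finding = Test-TorrentLockerRegistryArtifact
if ($finding.Present) {
    Write-Warning "TorrentLocker artifact found at $($finding.KeyPath)"
} else {
    Write-Output "No artifact at $($finding.KeyPath) (absence alone is not proof of a clean host)"
}
```

Run the all-users sweep from an elevated prompt so every loaded hive under HKEY_USERS is readable.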
Everyone thought, “Whew! Dodged that one: I don’t use Torrents!”. Think again.
“A TorrentLocker infection, like other ransomware schemes (such as CryptoWall or CryptoLocker), usually takes place when a victim downloads a malicious file. Although the name TorrentLocker might suggest infections come through the way of torrents (a file typically used for file sharing), it does not; in fact, most TorrentLocker infections come through email.” – ESET
“ESET says the people behind TorrentLocker have become remarkably adept at devising spam emails that grab and hold a target's attention; this includes emails about unpaid invoices, traffic violations, and mailed packages with tracking numbers. In most cases, the emails are tailored to a target's home country, making them even more believable.” – ibid
There are roughly 40,000 TorrentLocker victims…570 agreed to pay $500 (in bitcoin). Even an Italian town council paid…Busselino, Italy.
The recommendation is not to pay…even though there’s no way to decrypt the files without the promised ‘key’…since you could pay and still not get the key.
So, be very careful about those “package delivery” emails from ‘Fedex’ or ‘UPS’…or ones purporting to be from ebay/Amazon or retailers in this holiday season.
Mouse over the URL (don’t click on it!) to see whether it really points to eBay, etc. Make sure the URL is an ‘https’ link.
Source:
https://www.infopackets.com/news/9454/torrentlocker-ransomware-spreading-fast-report