TorrentLocker, also known as Cryptolocker, was a notorious variant of ransomware that targeted Windows users back in 2014.  Thanks to awareness articles and security updates, the ransomware slowly became less effective and was largely abandoned back in 2015.   Unfortunately, it appears that the outdated malware has been updated with a bevy of new features and is currently making rounds once more.

Most people are aware of how ransomware functions at this point.  Malware is downloaded to a user’s computer, either through user error or a targeted attack.  Once installed, the ransomware locks a user out of any of their normal computer functions; many variants go the extra mile and encrypt all user files.  Ransomware is a popular extortion tactic because in order to regain control of the infected system, a user has to give into the demands of the attacker, usually by transferring a sum of bitcoin currency.

The newly discovered version of TorrentLocker goes beyond its original program and has become an even more dangerous version of the malware.  Like many ransomware variants, TorrentLocker is initially spread through email attachments.  In this case, TorrentLocker typically spreads through the use of macros embedded in Microsoft Word documents.  When a user attempts to open the document, they will receive a message that the document is unreadable unless they “Enable Editing”.  If the user enables the feature, the payload will activate and the ransomware will be downloaded and installed.  This is where things start to differ from most ransomware.  TorrentLocker keeps certain system functionality operational during in the infection process.  Once installed, TorrentLocker will start to seek out any shared network files.  If it finds any, it will attempt to duplicate itself on the shared network, allowing the ransomware to potentially spread to every system with network access.

While potentially locking down an entire office network of computers is bad enough, TorrentLocker has one more disastrous tool in its tool belt.  Once a computer is infected, the malware will also begin to scan for any saved usernames and passwords.  If the infected computer is not disconnected from the internet, these stolen user credentials are sent back to the malware author.  Depending on the security level of the office and susceptibility of its office workers, this means that entire businesses can be shut down in a matter of minutes.

Security researches have noted that the majority of cases of the new TorrentLocker ransomware have been located in Europe with the bulk of attacks centralized to Italy.  That said, malware has no borders and if the attack campaign continues to be a success, it is very likely that it will spread to other countries as well.

Decryption tools currently exist for the old version of TorrentLocker, but they are largely untested for the latest update.  For this reason, precaution is still the best defense.  If you encounter a suspicious email, do your part to report it and remember, never open attachments from unknown senders.