A new ransomware campaign is being mounted by cyber-criminals impersonating Telia, the Nordic telecom giant with operations in Europe and Asia.
Telia has hundreds of millions of customers who could all become targets for the attack, which, according to Heimdal Security, is a highly targeted campaign using a mix of attack vectors.
Victims are first baited with a link to an invoice which appears to come from Telia, a trusted telecom company. The primary target for the attack is Sweden, but additional campaigns may follow, replicating the same model.
Once the victim clicks the link, the attack unfolds: he or she is redirected to a webpage that displays a CAPTCHA, and when the victim fills in the code, the TorrentLocker payload is downloaded.
“The TorrentLocker family is well known for its highly targeted spam email campaigns,” said Heimdal Security researcher Andra Zaharia, in an analysis. “Attackers carefully localize the emails, ransom notes and other elements tied to the campaign. The more targeted the attack, the higher the chances for it to be effective.”
Interestingly, the payload is only downloaded if the victim’s IP is from Sweden. If an IP from another country is used, the victim will be redirected to Google.
The moment the malicious code is run, it connects to a central C&C server and registers the infected computer along with the data harvested from it, which includes certificates from the infected device. Available contact details on the device are also collected and sent to the same C&C server, certainly to be used in future spam campaigns.
The next step is for TorrentLocker to encrypt all the data files available on the local drive and on connected network drives, if there are any. Victims are extorted to pay approximately 1.15 Bitcoins, which is worth around 4099 SEK (441 EUR). There’s a time limit for the payment, which, if surpassed, will double the ransom value.
“We can’t emphasize this enough: a backup is the best protection for your data in case of a ransomware attack,” said Zaharia. “Actually, you should have multiple backups. We have a long road ahead when it comes to minimizing the impact of ransomware, which is one more reason to push for basic cybersecurity education and proactive protection.”
She added, “Spoofing the identities of big, respected companies is a key tactic that cyber criminals use to trick their victims. We’ve seen it happen with IKEA and especially Post Denmark and PostNord. And we’ve seen it not once, not twice, but tens of times in the past year alone.”