The Swiss Government posted on January 21st, 2016 posted this information, with the title “TorrentLocker Ransomware targeting Swiss Internet Users”.

What is different about this early 2016 attack is that the infection does not come from an infected file, but from a realistic looking website and a common web form protection tool called a CAPTCHA. Here is an excerpt from the document:

“Unlike real captchas, the captcha on the TorrentLocker site is hardcoded in the PHP script and is always the same. The reason why the TorrentLocker gang uses such a captcha is unknown, but we assume that they take advantage of such a (rather simple) captcha to avoid that spam filters and similar security devices can pull the malware down and analyze it in an automated way.

To make sure that the victim opens the email and clicks on the link presented in the spam email, the TorrentLocker gang uses some localized themes of the targeted country. In the recent TorrentLocker spam campaigns we have seen against Swiss internet users, the spam emails are written in German and pretend to come from the Swiss Federal Police (Bundesamt für Polizei), telling that there is a court case being opened against the recipient and offering a download-link to see the documentation. Furthermore, the recipient is asked to provide documents to the court.”

 

Swiss fake site with infected CAPTCHA process.

torrentlocker_site_20160120

Here is the link to the full document:

https://www.govcert.admin.ch/blog/17/torrentlocker-ransomware-targeting-swiss-internet-users