At McAfee we see waves of new ransomware just about every week, with most popular families spreading via spam, exploit kits, and other methods. Recently we detected a new campaign using the brand of Endesa, Spain’s largest electric utility. The threat arrived in a Spanish-language spam email that appeared to contain an invoice for the victim.
The email includes a link to the fake invoice from a subdomain that appears to be part of Endesa.
The bad guys have actually registered a domain that is similar to the real Endesa domain.
The group behind this campaign has registered several subdomains; we have detected some of them:
All the domains were registered on the same day we discovered them, which tells us they all belong to this campaign.
The downloaded sample is a script run by wscript (Windows Script Host); once executed, it downloads the ransomware executable.
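The lookalike-domain trick described above is something a defender can check for mechanically in DNS or proxy logs. The following is an added example written for this post, not McAfee's tooling and not the actual domains from the campaign: it assumes endesa.com is the brand's legitimate registrable domain, uses a simple "last two labels" rule for the registrable domain (an assumption that ignores multi-part suffixes such as co.uk), and runs over a handful of constructed log lines. A query is flagged either when the brand name appears as a label outside the legitimate domain (brand-in-subdomain or brand-plus-suffix, the pattern this campaign used) or when the second-level label is a close edit of the brand (typosquatting).

```python
"""Flag lookalike brand domains in DNS log lines (added example, constructed data)."""
import re
from difflib import SequenceMatcher

BRAND = "endesa"
LEGIT_DOMAINS = {"endesa.com"}  # assumption: the utility's real registrable domain

# Constructed sample log lines, not from the McAfee analysis.
# Format: "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2016-05-24T09:01:12Z 10.0.0.15 www.endesa.com
2016-05-24T09:01:40Z 10.0.0.15 factura.endesa-clientes.example
2016-05-24T09:02:03Z 10.0.0.21 mail.google.com
2016-05-24T09:02:51Z 10.0.0.33 endessa.example
2016-05-24T09:03:10Z 10.0.0.33 cdn.endesa.com.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(fqdn):
    """Crude registrable-domain extraction: last two labels (assumption; no PSL)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def classify(fqdn, brand=BRAND, legit=LEGIT_DOMAINS, threshold=0.8):
    """Return 'legitimate', 'brand-in-lookalike', 'typosquat' or 'unrelated'."""
    fqdn = fqdn.lower().rstrip(".")
    if registrable_domain(fqdn) in legit:
        return "legitimate"
    labels = fqdn.split(".")
    # Brand name used as (part of) any label outside the legitimate domain,
    # e.g. factura.endesa-clientes.example or cdn.endesa.com.example
    if any(brand in label for label in labels):
        return "brand-in-lookalike"
    # Second-level label that is a near edit of the brand, e.g. endessa.example
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if similarity(sld, brand) >= threshold:
        return "typosquat"
    return "unrelated"


def scan_dns_log(text):
    """Return (timestamp, client, name, verdict) for every non-legitimate brand hit."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        ts, client, qname = m.groups()
        verdict = classify(qname)
        if verdict not in ("legitimate", "unrelated"):
            findings.append((ts, client, qname, verdict))
    return findings


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(*hit)
```

The similarity threshold is deliberately loose; in practice you would tune it against your own brand list and suppress known-good partners, but the structural check (brand name as a label under a domain you do not own) is the one that catches campaigns like this one with very few false positives.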
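A script host such as wscript.exe launching a script out of a user download folder and then making an outbound connection is exactly the behaviour this downloader exhibits, and it is cheap to detect from endpoint telemetry. The code below is an added example, not McAfee's detection content and not derived from the actual sample: it runs over constructed process-creation and network events (shaped like generic EDR/Sysmon records, an assumption), flags wscript.exe/cscript.exe launched with a script from a user-writable path, and raises an alert when the same process ID later makes a network connection. The script name and destination host are placeholders.

```python
"""Correlate script-host launches with network activity (added example, constructed events)."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Path fragments that indicate user-writable staging locations (assumption; extend for your estate)
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")

# Constructed telemetry, not real campaign data. Placeholder script and host names.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "parent": "explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\Factura_PLACEHOLDER.js"'},
    {"type": "network", "pid": 4120, "dest": "lookalike-domain.example", "port": 80},
    {"type": "process", "pid": 5000, "parent": "cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},  # admin script from a fixed path
    {"type": "network", "pid": 5000, "dest": "intranet.example", "port": 443},
    {"type": "process", "pid": 5100, "parent": "outlook.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE "C:\Users\ana\Downloads\report.docx"'},
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted token or bare token


def script_path(cmdline):
    """Return the first command-line token that names a script file, or None."""
    for m in TOKEN_RE.finditer(cmdline):
        tok = m.group(1) if m.group(1) is not None else m.group(2)
        if PureWindowsPath(tok).suffix.lower() in SCRIPT_EXTS:
            return tok
    return None


def is_suspicious_launch(ev):
    """True when a script host runs a script located in a user-writable directory."""
    if ev.get("type") != "process":
        return False
    if PureWindowsPath(ev["image"]).name.lower() not in SCRIPT_HOSTS:
        return False
    path = script_path(ev["cmdline"])
    if path is None:
        return False
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def correlate(events):
    """Alert when a suspicious script-host process later makes a network connection."""
    launches = {ev["pid"]: ev for ev in events if is_suspicious_launch(ev)}
    alerts = []
    for ev in events:
        if ev.get("type") == "network" and ev["pid"] in launches:
            alerts.append({
                "pid": ev["pid"],
                "parent": launches[ev["pid"]]["parent"],
                "script": script_path(launches[ev["pid"]]["cmdline"]),
                "dest": ev["dest"],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The cscript.exe launch from C:\Scripts is deliberately not flagged: the point of the user-writable-path condition is to separate mail-delivered scripts from legitimate administrative scripting, which a blanket "any wscript.exe" rule would not do. Blocking or auditing the script host for ordinary users is the corresponding preventive control.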
The downloaded ransomware is TorrentLocker, which after execution displays the ransom note with instructions. TorrentLocker uses the same control server as always.
In the ransom note, the victim finds his or her user code and user password. After the victim enters the user data, the ransomware provides further details for payment.
Our analysis found that no one had yet paid using the Bitcoin address.
As always, TorrentLocker uses a strong social engineering element in this campaign, employing Endesa’s well-known brand to spread malware. As we have seen in the Correos campaign that targeted Spain, Italy, and other countries, the bad guys behind TorrentLocker are using similar domains to spread these malicious binaries.
We recommend that McAfee customers apply the countermeasures we discuss in our report Combating Ransomware.
Hashes for indicators of compromise used in this analysis: