TorrentLocker is a ransomware family first identified in 2014 and commonly mistaken for CryptoLocker; many infections that presented themselves as CryptoLocker were in fact TorrentLocker rather than the original CryptoLocker. It encrypts victims' documents and demands payment in Bitcoin.

Reported campaigns used spam messages containing links to phishing pages that impersonated postal or package-tracking services. In Australia, operators used fake Australia Post tracking pages; in the United Kingdom they used fake Royal Mail tracking pages. The UK phishing pages required a CAPTCHA and then delivered a ZIP archive containing the executable payload; access to the malicious page was restricted to UK IP addresses, and non-UK visitors were redirected to google.com. The ransomware demanded 350 GBP within 72 hours, or 700 GBP afterward, which one report equated to 1.19 BTC and 2.38 BTC respectively. Its payment infrastructure was hosted as a Tor hidden service, with Tor2Web links provided to victims.

The malware was named TorrentLocker because it stored its settings in the Windows registry under the "Bit Torrent Application" key; it is unrelated to the BitTorrent protocol. Nymaim originally functioned as a dropper used to distribute TorrentLocker in 2013. Spamhaus reporting cited TorrentLocker as one of the prominent ransomware families with botnet controller activity in 2016, but it was not among the top 20 in 2017.

High-confidence indicators reported for this family include the malicious domains royalmail-tracking.info, royalmail-tracking.biz, and royalmail-tracking.org; the Bitcoin addresses 15aBFwoT5epvRK69Zyq7Z7HMPS7kvBN8Fg and 13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X; the onward-transfer wallet 17gH1u6VJwhVD9cWR59jfeinLMzag2GZ43; and the sample SHA-1 hashes 491C8276667074B502BD98B98C74E4515A32189B, 46A2426D7E062E76D49707B58A5DF28547CBC0F4, and 7C62651C5F4CB1C780C8E9C4692F3BF24208A61E. ESET detection names for this family are Win32/Filecoder.NCC and Win32/Injector.
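As an added example (not code from this page or from Mallory), the following Python script matches the indicators quoted above against constructed sample telemetry: a DNS query log, a file-hash inventory, and a ransom-note text. The BIND-style log line format, the file paths and the all-zero placeholder hash are assumptions made for the example; only the domains, SHA-1 hashes and Bitcoin addresses come from the page. Domain matching is done on label boundaries, so a look-alike such as notroyalmail-tracking.biz does not trigger on royalmail-tracking.biz.

```python
import re

# Indicator values quoted on this page (SHA-1s lowercased for comparison).
TORRENTLOCKER_DOMAINS = frozenset({
    "royalmail-tracking.info",
    "royalmail-tracking.biz",
    "royalmail-tracking.org",
})
TORRENTLOCKER_SHA1 = frozenset(h.lower() for h in (
    "491C8276667074B502BD98B98C74E4515A32189B",
    "46A2426D7E062E76D49707B58A5DF28547CBC0F4",
    "7C62651C5F4CB1C780C8E9C4692F3BF24208A61E",
))
TORRENTLOCKER_BTC = frozenset({
    "15aBFwoT5epvRK69Zyq7Z7HMPS7kvBN8Fg",  # ransom payment address
    "13qm2ezhWSHWzMsGcxtKDhKNnchfP5Sp3X",  # ransom payment address
    "17gH1u6VJwhVD9cWR59jfeinLMzag2GZ43",  # onward-transfer wallet
})


def normalize_domain(host: str) -> str:
    """Lowercase and strip the trailing dot that DNS logs often keep."""
    return host.strip().rstrip(".").lower()


def match_domain(host: str, ioc_domains=TORRENTLOCKER_DOMAINS):
    """Return the IoC domain that `host` equals or sits under, else None.

    The suffix check requires a leading dot, so "notroyalmail-tracking.biz"
    is not treated as a subdomain of "royalmail-tracking.biz".
    """
    h = normalize_domain(host)
    for ioc in ioc_domains:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


# Assumed (constructed) query-log line format for this example:
#   <timestamp> client <ip>#<port>: query: <qname> IN <qtype>
QUERY_RE = re.compile(r"query:\s+(?P<qname>\S+)\s+IN\s+(?P<qtype>\S+)")


def scan_dns_log(lines):
    """Return [(line_number, queried_name, matched_ioc)] for every hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = match_domain(m.group("qname"))
        if ioc:
            hits.append((n, m.group("qname"), ioc))
    return hits


def scan_file_hashes(inventory, ioc_hashes=TORRENTLOCKER_SHA1):
    """inventory maps path -> SHA-1 hex (any case); return [(path, sha1)] for known-bad files."""
    return [(path, sha1) for path, sha1 in inventory.items() if sha1.lower() in ioc_hashes]


def find_btc_addresses(text, ioc_addresses=TORRENTLOCKER_BTC):
    """Return the page's Bitcoin addresses that appear verbatim in `text` (e.g. a ransom note)."""
    return {addr for addr in ioc_addresses if addr in text}


# --- Constructed sample data (not real telemetry) -----------------------------
SAMPLE_DNS_LOG = [
    "02-Oct-2014 09:14:03 client 10.0.0.17#51234: query: www.royalmail.com IN A",
    "02-Oct-2014 09:14:09 client 10.0.0.17#51235: query: www.royalmail-tracking.info IN A",
    "02-Oct-2014 09:14:10 client 10.0.0.17#51236: query: ROYALMAIL-TRACKING.ORG. IN A",
    "02-Oct-2014 09:14:12 client 10.0.0.17#51237: query: notroyalmail-tracking.biz IN A",
]
SAMPLE_INVENTORY = {
    "downloads/parcel_tracking.zip": "491C8276667074B502BD98B98C74E4515A32189B",
    "downloads/invoice.pdf": "0000000000000000000000000000000000000000",  # placeholder, benign
}
SAMPLE_NOTE = "Pay 1.19 BTC to 15aBFwoT5epvRK69Zyq7Z7HMPS7kvBN8Fg within 72 hours."


def run_demo():
    """Run all three matchers over the constructed samples and return the hits."""
    return {
        "dns": scan_dns_log(SAMPLE_DNS_LOG),
        "files": scan_file_hashes(SAMPLE_INVENTORY),
        "btc": find_btc_addresses(SAMPLE_NOTE),
    }


if __name__ == "__main__":
    for section, hits in run_demo().items():
        print(section, hits)
```

On the constructed samples the DNS scan flags lines 2 and 3 only (the trailing dot and upper-case name on line 3 are normalized away, and the look-alike on line 4 is rejected), the hash scan flags the ZIP archive despite the upper-case hash, and the ransom-note scan returns the single payment address. Real deployments would feed the same functions from a log pipeline and a file-integrity inventory instead of the inline lists.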
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Spamhaus researchers issued listings for over 7,000 botnet Command & Control ("C&C") servers... These C&C servers enabled and controlled online crime such as credential theft, e-banking fraud, spam and DDoS attacks. They were also used for the retrieval of stolen data.
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
TorrentLocker is referenced as the ransomware payload distributed by early Nymaim infections.
A ransomware family referenced as having been widespread in 2016 but no longer in the top 20 by 2017.
Named as an example of ransomware with associated payment-site infrastructure.
Ransomware family associated with botnet controllers; explicitly cited as part of the ransomware growth in 2016.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.