TorLocker ransomware variant designed to target Japanese users

New file-encrypting ransomware variant is the first to specifically target Japanese users.

Twitter Card Style: 


Ransomware is nothing new to Japan. Symantec’s research has found that Japan ranks among the regions that are the most affected by global ransomware attacks. However, no attacks specifically targeting Japanese users have ever been confirmed. That is, until now. In the recent weeks, Symantec has observed a ransomware variant in the wild that was designed to target users who speak Japanese.

Torlocker 1.png
Figure 1. Ransomware attacks in November 2014 by region

The ransomware threat in question is a localized variant of TorLocker. The malware encrypts files with certain file extensions on the compromised computer and demands that the user pays in order to decrypt the files. Symantec has confirmed multiple variants of this particular Japanese ransomware threat.

TorLocker has been used in ransomware attacks around the world. The threat is part of an affiliate program, where the program’s operator gives participants the builder to create custom ransomware, access to the TorLocker control panel to track infections, and miscellaneous files to be used in conjunction with the malware. In return, the participants give a portion of the profit from the attack to the affiliate program’s operator.

The localized variant’s attacks on Japanese users have occurred on compromised websites that commonly host blogs. However, it is also possible that the attacker is renting an exploit kit to automatically compromise victims’ computers by exploiting software vulnerabilities. In one case, a recently compromised site owned by a Japanese publishing company redirected traffic to several domains hosting the Rig exploit kit. This may have ultimately served the ransomware as a payload.

In another case in late November, a blog site was compromised to display a fake Adobe Flash Player installer page.

Torlocker 2.png
Figure 2. Fake Adobe Flash Player installer page

If the user clicks on the yellow install button, they are prompted to download and execute a setup file to install the plugin. However, the file does not contain the typical icon used in Flash Player installers. The file is not digitally signed either, which suggests that the installer is a phony.

Torlocker 3.png
Figure 3. Icon of the installer downloaded from the fake Flash Player page

Once the setup file is executed, it does not install Flash Player. Instead, it encrypts certain files and displays a message in Japanese in popup window, stating that the computer has been locked. The message then asks the user to pay in order to unlock their files. The demanded ransom ranges from 40,000 yen to 300,000 yen (approximately US$500 to US$3,600).

Figure 4. Pop-up window of the TorLocker ransomware variant targeting Japanese-speaking users

Stay protected
Japan is approaching its week-long New Year holiday. The long break is a perfect opportunity for the attacker to perform its campaign, as many users will likely surf the internet during the time off. Symantec has the following recommendations to avoid or mitigate ransomware infections:

  • Update the software, operating system, and browser plugins on your computer to prevent attackers from exploiting known vulnerabilities.
  • Use comprehensive security software, such as Norton Security, to protect yourself from cybercriminals.
  • Regularly back up any files stored on your computer. If your computer has been compromised with ransomware, then these files can be restored once the malware is removed from the computer.
  • Never pay the ransom. There’s no guarantee that the attacker will decrypt the files as promised once they receive payment.

Symantec and Norton products detect all of the ransomware variants discussed in this blog as Trojan.Cryptlocker.

Leave a Reply