Press Center

Malware and antivirus software


ESET researchers have identified updates to the TorrentLocker crypto-ransomware

Created: 2016-09-01 04:28:59

TorrentLocker, analyzed by ESET in 2014, is still active and, thanks to how it chooses its potential victims with targeted spam, avoids the attention more prominent crypto-ransomware receives. However, ESET researchers have continued to keep their eyes on this malware. 

“The gang behind TorrentLocker still seems to be in the game. They have been improving their tactics and have been slowly innovating this ransomware while trying to stay under the radar,” says Marc-Etienne M. Léveillé, ESET malware researcher. 

TorrentLocker is being distributed via email messages with a page claiming that a "document" (purportedly a bill or a tracking code) should be downloaded. If the malicious “document” is downloaded and opened by the user, TorrentLocker is executed. It starts its communication with the C&C server and encrypts the victim's files. 

A well-known feature of TorrentLocker is how localized the download, ransom and payment pages are. Victims are provided with information in their own languages and in their local currency. 

Improvements in TorrentLocker address the mechanisms protecting internet users in selected countries, i.e. the way TorrentLocker contacts its Command-and-Control servers, protection of the C&C server by an additional layer of encryption, obfuscation and the process of encrypting the users’ files. 

One of CryptoLocker’s notable improved features is the addition of a script into the chain leading to the final malicious executable file. 

“The link in the spam email message now leads to a PHP script hosted on a compromised server. This script checks if the visitor is browsing from the targeted country and, if so, redirects to the page where the next stage of this malware is downloaded. Otherwise, the visitor is redirected to Google,” explains Marc-Etienne M. Léveillé.

In analyzing this malware and its campaigns, ESET researchers found that 22 countries received a localized version of the ransom or payment page. However, 7 of them haven’t been hit so far with any major TorrentLocker spam campaign. They are France, Japan, Martinique, Portugal, Republic of Korea, Taiwan and Thailand.

Details about improvements in the TorrentLocker crypto-malware can be found in analytical article at ESET’s official blog, WeLiveSecurity.

ESET’s tips for protection from ransomware can be found in article 11 things you can do to protect against ransomware


About ESET
ESET®, the pioneer of proactive protection and the maker of the award-winning ESET NOD32® technology, is a global provider of security solutions for businesses and consumers. For over 26 years, the Company continues to lead the industry in proactive threat detection. By obtaining the 80th VB100 award in June 2013, ESET NOD32 technology holds the record number of Virus Bulletin "VB100” Awards, and has never missed a single “In-the-Wild” worm or virus since the inception of testing in 1998. In addition, ESET NOD32 technology holds the longest consecutive string of the VB100 awards of any AV vendor. ESET has also received a number of accolades from AV-Comparatives, AV-TEST and other testing organisations and reviews. ESET NOD32® Antivirus, ESET Smart Security®, ESET Cyber Security® (solution for Mac), ESET® Mobile Security and IT Security for Business are trusted by millions of global users and are among the most recommended security solutions in the world.

ESET recently updated its two-factor authentication (2FA) application, adding a secure validation to weak and static user passwords. This updated version of ESET’s 2FA application provides flexibility and deeper integration of 2FA into bespoke applications, making it the best cost-effective solutions for SMBs everywhere.

The Company has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Jena (Germany), Prague (Czech Republic) and Sao Paulo (Brazil). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Košice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia) and an extensive partner network for more than 180 countries. For more information visit or follow us on Facebook.


About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. Headquartered in Hong Kong, the Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

For more information, please visit or call (65) 6296-4268.


ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.