TorrentLocker is a ransomware that has been around since August of 2014, but had its greatest distribution in early to mid 2015.  With its largest distribution campaigns targeting Netherlands, Italy, and Australian victims, TorrentLocker was quickly overshadowed by ransomware infections such as CryptoWall and TeslaCrypt.

It comes as a surprise that we see a new campaign and variant of TorrentLocker that encrypts victim's files with the .ENC extension. First spotted by Emsisoft security researcher xXToffeeXx, this partcular distribution campaign is using SPAM emails that pretend to be bills from the Italian energy company Enel.  These emails will contain an attachment called ENEL_BOLLETA.zip, which contains a JS file called ENEL_BOLLETA.js.

 

ENEL_BOLLETTA.ZIP File
ENEL_BOLLETTA.ZIP File

When the JS file is executed, it will download the TorrentLocker executable, save it to the %Temp% folder, and execute it.  Once executed, it will encrypt the computer's data and append the .ENC extension to encrypted files as shown below.

Encrypted Files
Encrypted Files

It will then display a random named ransom note that provides instructions on how to access the TorrentLocker payment site.

Ransom Note
Ransom Note

While this particular sample seems to be targeting Italian victims, there are most likely other campaigns targeting other countries. If anyone knows of country specific campaigns, please let me know.