Over 9,000 PCs in Australia infected by TorrentLocker ransomware

Cybercriminals behind the TorrentLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were in Australia.

If you’re a Windows user in Australia who has had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia through this digital shakedown racket.

TorrentLocker is one of several ransomware threats that have emerged in the wake of law enforcement action against CryptoLocker earlier this year.

Like CryptoLocker, TorrentLocker is a shakedown operation, demanding payment of up to $1,500 in Bitcoin to unlock victims’ encrypted files. Whether victims pay depends on how much they value their files, which all too often are not backed up.

According to new research by security vendor ESET, the hackers behind TorrentLocker put extra effort into defrauding Australian computer users via several bogus websites impersonating Australia Post and the NSW Office of State Revenue, which were used to deliver the malware.

The racketeers’ effort generated 9,415 infections in Australia, second only to Turkey’s 11,700 infections. Italy, the UK, the Czech Republic and the Netherlands each had between 2,280 and 4,500 infections.

Infections in Turkey and Australia made up half of the 39,670 victims ESET identified after gaining access to five different command and control servers used by the hackers to manage payments from victims.

The good news is that it appears few victims actually paid. According to ESET researcher and author of the report, Marc-Etienne M.Léveillé, only 1.44 percent, or 577, of the infections translated into payment for the hackers. Still, based on the Bitcoin exchange rate of US$384.94 on November 29, TorrentLocker’s operators may have earned anywhere between US$292,700 and US$585,401, according to M.Léveillé.

While ESET can identify the countries victims came from, it can’t say over what period the infections occurred.

“This number (total infections) is from the latest variants and could be from as far back as October. The ‘snapshot’ was taken on November 24th,” M.Léveillé said in an email interview.

However, he added that 2,766 infections happened during the four days immediately before ESET gathered the data, equating to an average of 693 infections per day.

Nor could M.Léveillé say which nations the payments came from; however, he said 210 of the 577 pages that delivered the decryption software were in English. Based on this, and the fact that Australia accounted for over 20 percent of the total, he believes Australia accounted for a large portion of these.

The large variance in the hackers’ estimated income is due to TorrentLocker’s pricing structure, which demands 1.334 BTC ($760) from victims if paid within a certain period and 2.668 BTC ($1,520) afterwards. ESET doesn’t know the split.

The main way that PCs become infected is by spam email that encourages the victim to open what appears to be a document but is in fact an executable file that installs the malware and encrypts the files. In other words, it relies on social engineering rather than exploiting an unpatched bug. In some cases the malware is delivered within a .zip file; in others, the message contains a link to the .zip file.

Three examples of the lures used in messages to trick victims into opening the file are unpaid invoices, package tracking and unpaid speeding tickets.
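The delivery method described above (a .zip attachment carrying an executable dressed up as a document) is something a mail gateway can triage before a user ever sees it. The following is an added example, not code from the article or from ESET; the extension lists and the sample archives are constructed for the demo.

```python
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Extensions Windows runs on double-click (constructed list, tune for your environment).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jse", "wsf"}
# Extensions a lure typically impersonates, e.g. "invoice.pdf.exe".
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "rtf"}


def classify_member(name: str, head: bytes) -> Optional[str]:
    """Return a verdict for one archive member, or None if it looks harmless."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    looks_like_doc = len(parts) > 2 and parts[-2] in DOCUMENT_EXTS
    is_pe = head.startswith(b"MZ")  # DOS/PE magic: a Windows binary whatever the name says
    if ext in EXECUTABLE_EXTS and looks_like_doc:
        return "executable disguised with a document double extension"
    if ext in EXECUTABLE_EXTS:
        return "executable inside archive"
    if is_pe:
        return "PE binary with a non-executable extension"
    return None


def triage_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Open a zip attachment from memory and list (member, verdict) pairs worth blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed, not the whole member
            verdict = classify_member(info.filename, head)
            if verdict:
                findings.append((info.filename, verdict))
    return findings


def build_sample(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory zip for the demo; the contents are inert placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


LURE = build_sample({"AusPost_tracking_12345.pdf.exe": b"MZ" + b"\0" * 62})  # constructed
BENIGN = build_sample({"Invoice_12345.pdf": b"%PDF-1.4\n"})                  # constructed

if __name__ == "__main__":
    print(triage_zip(LURE))    # one finding
    print(triage_zip(BENIGN))  # []
```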

“For example, if a victim is believed to be in Australia, fake package tracking information will be sent spoofed to appear as if it comes from Australia Post. The location of the potential victim can be determined by the top level domain used in the e-mail address of the target or the ISP to which it is referring,” ESET notes in its report.

The fake Australian domains the attackers have bought for the campaign include sites that look like the legitimate Australia Post domain austpost.com.au. These are austpost-tracking.com and austpost-tracking.org. Domains they have acquired to appear like the NSW Office of State Revenue’s real domain osr.nsw.gov.au include the bogus domains nsw-gov.net and osr-nsw-gov.net.
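The lookalike domains listed above reuse the labels of the real brand (austpost, nsw, gov) under a different registration, which is a pattern a link-scanning filter can flag. The following is an added example, not code from the article or ESET; the brand token sets, the "two shared labels" threshold and the sample message are my own constructions.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Brands impersonated in the campaign, mapped to the labels a lookalike host reuses.
# osr.nsw.gov.au sits under nsw.gov.au, so the parent domain is the allowlist entry.
BRANDS: Dict[str, Set[str]] = {
    "austpost.com.au": {"austpost"},
    "nsw.gov.au": {"nsw", "gov"},
}
GENERIC_SUFFIX = {"com", "net", "org", "au", "info"}  # never counted as a brand match


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL (a scheme is added if the text omitted it)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower().rstrip(".")


def is_under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def assess_host(host: str) -> str:
    """Return 'legitimate', 'lookalike of <brand>', 'unrelated' or 'no host'."""
    if not host:
        return "no host"
    if any(is_under(host, d) for d in BRANDS):
        return "legitimate"
    labels = set(re.split(r"[.\-]", host)) - GENERIC_SUFFIX
    for domain, tokens in BRANDS.items():
        # A one-label brand (austpost) needs one shared label; multi-label brands need
        # two, so that e.g. nsw.edu.au is not flagged merely for containing "nsw".
        if len(labels & tokens) >= min(len(tokens), 2):
            return "lookalike of " + domain
    return "unrelated"


def scan_email(body: str) -> List[Tuple[str, str]]:
    """Every URL-looking token in a message body paired with its verdict."""
    urls = re.findall(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/[^\s<>\"']*)?", body, re.I)
    return [(u, assess_host(host_of(u))) for u in urls]


# Constructed lure text using the domains named in the article.
SAMPLE = ("Your parcel could not be delivered. Track it at "
          "http://austpost-tracking.com/track?id=12345 or visit "
          "http://www.austpost.com.au for help. Fines: https://osr-nsw-gov.net/pay")

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE):
        print(f"{verdict:30} {url}")
```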

Besides encrypting victims’ files, TorrentLocker’s “side task” is to steal the address book from email clients on the infected machine; it contains code that enables this for Thunderbird, Outlook, Outlook Express and Windows Mail. As ESET notes, address books become useful for the next spam campaign.

The details ESET has gathered are courtesy of an error made by TorrentLocker’s operators. The researchers figured out that the user code generated for each victim — used by TorrentLocker’s operators to determine whether a victim is legitimate — is predictable. This allowed them to reverse engineer how the servers generated the URLs for payment pages and, from there, to discover the country of each victim, the number of files encrypted and the ransom demanded.

So what happened to the 98.6 percent of victims who didn’t pay the ransom? M.Léveillé guessed their files are still locked.

“It’s unlikely that they decrypted the files. However, they could restore from an external offline backup, making TorrentLocker ineffective in this case,” he told CSO.com.au.

ESET has been unable to find a weakness in the encryption TorrentLocker uses that would allow it to create a decryption tool.

“Recent variants of TorrentLocker use AES-256 in CBC mode to encrypt the files on the infected system, attached storage such as USB flash drives and any network drives they can enumerate. It also encrypts the randomly generated AES key with a 2048-bit RSA public key (hardcoded in the malware) before it is sent to the C&C server and appended to the encrypted file,” M.Léveillé noted in a blog.

ESET researchers also found links between TorrentLocker and the Hesperbot banking trojan, which also claimed a relatively high number of Australian victims. Besides the two malware families hitting victims in the same countries (Turkey, the Czech Republic and Australia), they share common elements in the URLs used to distribute the malware and use the same C&C servers.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
