Cybercriminals behind the TorrentLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia.
If you’re a Windows user in Australia who’s had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.
TorrentLocker is one of several ransomware threats that have emerged in the wake of law enforcement action against CryptoLocker earlier this year.
Like CryptoLocker, TorrentLocker is a shakedown operation, demanding payment of up to $1,500 in Bitcoin to unlock victims’ encrypted files. Whether victims pay depends on how much they value their files, which all too often are not backed up.
According to new research by security vendor ESET, the hackers behind TorrentLocker put extra effort into defrauding Australian computer users via several bogus websites for Australia Post and the NSW Office of State Revenue used to deliver the malware.
The racketeers’ effort generated 9,415 infections in Australia, which was second only to Turkey’s 11,700 infections. Italy, the UK, the Czech Republic and the Netherlands each had between 2,280 and 4,500 infections.
Infections in Turkey and Australia made up half of 39,670 victims ESET identified after gaining access to five different command and control servers used by the hackers to manage payments from victims.
The good news is that it appears few victims actually paid. According to ESET researcher and author of the report, Marc-Etienne M.Léveillé, only 1.44 percent, or 577, of the infections translated into payment for the hackers. Still, based on the Bitcoin exchange rate of US$384.94 on November 29, TorrentLocker’s operators may have earned anywhere between US$292,700 and US$585,401, according to M.Léveillé.
While ESET can identify the countries victims came from, it can’t say over what period the infections occurred.
“This number (total infections) is from the latest variants and could be from as far back as October. The “snapshot” was taken on November 24th,” M.Léveillé said in an email interview.
However, he added that 2,766 infections happened during the four days immediately before ESET gathered the data, equating to an average of 693 infections per day.
Nor could M.Léveillé say which nations made the payments, but he said 210 of the 577 pages that delivered the decryption software were in English. Based on this, and the fact that Australia accounted for over 20 percent of the total, he believes Australia accounted for a large portion of these.
The large variance in the hackers’ estimated income is due to TorrentLocker’s pricing structure, which demands from victims 1.334 BTC ($760) if it’s paid within a certain period, and 2.668 BTC ($1520) afterwards. ESET doesn’t know the split.
The main way that PCs become infected is by spam email that encourages the victim to open what appears to be a document but is in fact an executable file that will install the malware and encrypt the files. In other words, it relies on social engineering rather than exploiting an unpatched bug. In some cases, the malware is delivered within a .zip file, while in others the message contains a link to the .zip file.
Three examples of the topics used in messages to trick victims into opening the file include unpaid invoices, package tracking and unpaid speeding tickets.
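The infection path described above (an executable posing as a document, delivered inside a .zip) is something a mail gateway can check for before the attachment reaches a user. The following is an added example written for this article, not code from ESET or from the report; the extension lists are an assumed representative subset, and the sample archive is constructed in-line (the "executable" members carry only a PE magic number and padding, no real code).

```python
"""Flag members of a .zip e-mail attachment that pose as documents but are
Windows executables.

Added example, not from ESET's report or this article. Extension sets are an
assumed subset; the sample archive is constructed inline.
"""
import io
import zipfile

# File extensions Windows treats as directly executable (assumed subset).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a lure such as "unpaid invoice" or "package tracking" would use.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".html"}


def is_disguised_executable(filename: str, first_bytes: bytes) -> bool:
    """True if the name suggests a document but the file is executable.

    Two independent signals: a double extension such as 'invoice.pdf.exe',
    and a PE header ('MZ') behind a non-executable extension.
    """
    parts = filename.lower().split(".")
    final = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    if final in EXECUTABLE_EXTENSIONS and inner in DOCUMENT_EXTENSIONS:
        return True  # document.pdf.exe style name
    if first_bytes.startswith(b"MZ") and final not in EXECUTABLE_EXTENSIONS:
        return True  # PE image hiding behind a document extension
    return False


def scan_zip_attachment(data: bytes) -> list[str]:
    """Return the names of archive members that look like disguised
    executables. Only the first two bytes of each member are read."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as member:
                head = member.read(2)
            if is_disguised_executable(info.filename, head):
                flagged.append(info.filename)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample: one harmless note plus two fake 'documents' that
    start with the PE magic number. No executable code is included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("tracking_details.txt", "Your parcel is on its way.")
        archive.writestr("invoice_4711.pdf.exe", b"MZ" + b"\x00" * 62)
        archive.writestr("speeding_ticket.pdf", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name in scan_zip_attachment(build_sample_zip()):
        print("suspicious attachment member:", name)
```

Reading the magic number rather than trusting the extension is what catches the second member: the name says .pdf, the content says PE. The same check applies to a .zip fetched from a link in the message, which the article notes is the other delivery variant.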
“For example, if a victim is believed to be in Australia, fake package tracking information will be sent spoofed to appear as if it comes from Australia Post. The location of the potential victim can be determined by the top level domain used in the e-mail address of the target or the ISP to which it is referring,” ESET notes in its report.
The fake Australian domains the attackers have bought for the campaign include sites that look like the legitimate Australia Post domain austpost.com.au. These are austpost-tracking.com and austpost-tracking.org. Domains they have acquired to appear like the NSW Office of State Revenue’s real domain osr.nsw.gov.au include the bogus domains nsw-gov.net and osr-nsw-gov.net.
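A defender watching for this campaign's lookalike domains in proxy logs or new-domain feeds can score candidates against the brands being impersonated. The example below is added here and is not ESET's code; it uses the four bogus domains and two legitimate domains named in the article, a constructed benign domain, and an assumed short list of public suffixes (a production check would use the Public Suffix List).

```python
"""Flag domains that resemble a protected brand domain by sharing a brand
label or by string similarity of the registrable part.

Added example, not from ESET or this article. Public-suffix list is an
assumption; the legitimate and bogus domains are those the article names.
"""
import difflib

# Assumption: a small fixed suffix list; longer suffixes must come first.
PUBLIC_SUFFIXES = ("com.au", "gov.au", "net.au", "org.au", "com", "net", "org")

# Legitimate domains the article says were impersonated.
PROTECTED = ["austpost.com.au", "osr.nsw.gov.au"]


def registrable_label(domain: str) -> str:
    """Strip the public suffix: 'austpost-tracking.com' -> 'austpost-tracking',
    'osr.nsw.gov.au' -> 'osr.nsw'."""
    domain = domain.lower().strip(".")
    for suffix in PUBLIC_SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1]
    return domain


def brand_tokens(protected: str) -> set[str]:
    """Non-suffix labels of a protected domain: 'osr.nsw.gov.au' -> {'osr', 'nsw'}."""
    return set(registrable_label(protected).split("."))


def candidate_tokens(candidate: str) -> set[str]:
    """Labels of the candidate, splitting on both '.' and '-' so that
    'osr-nsw-gov.net' yields {'osr', 'nsw', 'gov'}."""
    return set(registrable_label(candidate).replace("-", ".").split("."))


def lookalike_of(candidate: str, protected_domains: list[str]) -> list[str]:
    """Return the protected domains that `candidate` resembles. The real
    domain and its subdomains are never reported."""
    candidate = candidate.lower()
    hits = []
    for protected in protected_domains:
        if candidate == protected or candidate.endswith("." + protected):
            continue
        shared = brand_tokens(protected) & candidate_tokens(candidate)
        ratio = difflib.SequenceMatcher(
            None, registrable_label(candidate), registrable_label(protected)
        ).ratio()
        if shared or ratio >= 0.8:
            hits.append(protected)
    return hits


def classify(domains: list[str]) -> dict[str, list[str]]:
    """Map each observed domain to the brands it imitates (empty if none)."""
    return {d: lookalike_of(d, PROTECTED) for d in domains}


if __name__ == "__main__":
    observed = [
        "austpost-tracking.com", "austpost-tracking.org",   # from the article
        "nsw-gov.net", "osr-nsw-gov.net",                   # from the article
        "austpost.com.au", "example.com",                   # legitimate / constructed benign
    ]
    for domain, brands in classify(observed).items():
        print(f"{domain:24s} -> {brands or 'no match'}")
```

The shared-label test is what catches nsw-gov.net, which carries none of "osr" but still reuses the "nsw" label; the similarity ratio covers single-character typos that the label test would miss.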
Besides encrypting victims’ files, TorrentLocker’s “side task” is to steal the address book from email clients on the infected machine; it contains code that enables this feature for Thunderbird, Outlook, Outlook Express and Windows Mail. As ESET notes, address books become useful for the next spam campaign.
The details ESET has gathered are courtesy of an error made by TorrentLocker’s operators. The researchers figured out that the user code generated for each victim, used by TorrentLocker’s operators to determine if a victim is legitimate, is predictable. This allowed them to reverse engineer how the servers generated the URLs for payment pages and from there to discover the country of each victim, the number of files encrypted and the ransom demanded for each victim.
So what happened with the 98.6 percent of victims who didn’t pay the ransom? M.Léveillé guessed their files are still locked.
“It’s unlikely that they decrypted the files. However, they could restore from an external offline backup, making TorrentLocker ineffective in this case,” he told CSO.com.au.
ESET has been unable to find a weakness in the encryption TorrentLocker uses that would allow it to create a decryption tool.
“Recent variants of TorrentLocker use AES-256 in CBC mode to encrypt the files on the infected system, attached storage such as USB flash drives and any network drives they can enumerate. It also encrypts the randomly generated AES key with a 2048-bit RSA public key (hardcoded in the malware) before it is sent to the C&C server and appended to the encrypted file,” M.Léveillé noted in a blog.
ESET researchers also found links between TorrentLocker and the Hesperbot banking trojan, which also landed a relatively high number of Australian victims. Besides the two families of malware having the same victims (Turkey, the Czech Republic and Australia), they share common elements in the URLs used to distribute the malware, and share the same C&C servers.
This article is brought to you by Enex TestLab, content directors for CSO Australia.