An ongoing campaign of systematic deception helped malware perpetrators flood Australian email addresses in May with twice as many TorrentLocker ransomware victims in Australia as the rest of the world combined, a new [[xref:http://documents.trendmicro.com/assets/wp/1h-2015-torrentlocker-landscape.pdf |Trend Micro analysis]] has found.
The company's analysis of spam traffic, between April 29 and May 19, found that 66.62 percent of spam recipients were located in Australia – well ahead of second-place Spain (23.48 percent) and the United States (3.99 percent).
An analysis of embedded URLs reinforced these figures, with 63 percent of URLs embedded in emails pointing to malicious destinations where infection with TorrentLocker ransomware awaited.
Ransomware authors were evading defences such as spam filters by targeting only legitimate email accounts, IP reputation filters by using compromised, legitimate Web servers instead of botnets, and automated sandbox analysis by using CAPTCHA fields to confirm that a human is using infected computers.
Noting the surge in ransomware attempts emulating Australian Federal Police traffic infringement notices, that analysis found that attackers were carefully timing delivery to maximise effectiveness, using a “carefully selected address list” with less than a 1% failure rate, and using DKIM and SPF email authentication to bypass spam filters.
Messages alleged some sort of urgency, paired with convincingly crafted landing pages, to convince users to click and inadvertently compromise their systems with the malware.
Trend Micro's analysis of campaign effectiveness suggested that the most effective campaign had been the Australian Federal Police notices alleging a traffic infringement notice: some 57.9 percent of visits to the spoofed sites came from Australia, with Spain also showing strong susceptibility (33.6 percent of visits) to a Spanish-language analogue.
Australian organisations' strong demonstrated susceptibility to ransomware campaigns made it imperative that organisations of all sizes step up their user education and technological defences against the attacks, the analysis recommended.
With TorrentLocker now targeting more of the enterprise segment, it is more important than ever to enforce user education about the threat,” it advises, noting that this includes “how to know if an infection is present, and what type of security measures should be enforced.
“Having a file backup strategy for both consumers and enterprises is equally important,” it added. “TorrentLocker and other types of ransomware heavily bank on users’ vulnerability toward losing control of their files – and thus it is highly valuable to be informed how to deal with backing up.”
The analysis also offers five steps towards protecting against ransomware, including policies limiting the number of people and systems with access privileges for shared data; email monitoring with threat-intelligence capabilities; comprehensive monitoring of network traffic using heuristic, sandbox, and emulation analysis; introduction of next-generation endpoint technologies and use of application whitelisting; and end-user training around avoidance of social-engineering attacks.
Want to know more?
Why not become a CSO member and subscribe to CSO's mailing list.
Get newsletters, updates, events and more right here
Blast from the past?
Try our new Space Invaders inspired video game NOW.
What score can you get ?