TorrentLocker Ransomware Helped Cybercriminals Make 810 BTC in One Month

Australia and New Zealand are increasingly targeted with ransomware that’s designed to encrypt files and hold them for ransom, researchers at Trend Micro reported.

File-encrypting ransomware has become highly popular among cybercriminals because it can help them make a lot of money with small effort.

In December, Trend Micro revealed that many users in the Europe-Middle East-Africa (EMEA) region had their computers infected with crypto-ransomware. Now, researchers say cybercriminals have made a lot of money from Australians as well.

Internet users in the Australia and New Zealand (ANZ) region are targeted with a threat called TorrentLocker. The malware is distributed with the aid of spam emails that purport to come from Australia Post or from New South Wales government organizations such as the Office of State Revenue. These messages contain links pointing to legitimate-looking fake websites where users are asked to solve a CAPTCHA before they can download an archive file containing the ransomware from a premium account on the file sharing service SendSpace.

The cybercrooks use a PHP script to make sure each of the download links is different. Because a CAPTCHA must be solved before the file is downloaded, email scanners, which may be capable of following links to check whether they are malicious, cannot retrieve and detect the threat.

Once the malware is executed, it encrypts the victims' files using elliptic curve cryptography and renames them with the .encrypted extension. To prevent the recovery of files from local backups, the ransomware uses the vssadmin command to delete Volume Shadow Copies.
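The shadow-copy deletion described above is one of the few host-side behaviours a defender can alert on before files are lost. The following is an added example, not code from the article or from Trend Micro's analysis: it scans constructed Sysmon-style process-creation events for a `vssadmin ... delete shadows` command line and rates the finding by whether the parent process is an expected backup tool. The event format (`user|parent image|command line`), the allowlisted parent `wbengine.exe` and the sample lines are assumptions.

```python
import re

# Constructed sample events in a simplified Sysmon-style layout:
# "user|parent image|command line". Not real telemetry from the article.
SAMPLE_EVENTS = [
    "alice|explorer.exe|C:\\Windows\\System32\\vssadmin.exe list shadows",
    "alice|Invoice.exe|vssadmin.exe Delete Shadows /All /Quiet",
    "svc_backup|wbengine.exe|vssadmin delete shadows /for=C: /oldest",
    "bob|winword.exe|notepad.exe report.docx",
]

# vssadmin given bare, with .exe, or by full path (optionally quoted),
# followed by "delete shadows". Case-insensitive because cmd.exe is.
VSS_DELETE = re.compile(
    r'(?:^|[\\/\s"])vssadmin(?:\.exe)?"?\s+delete\s+shadows\b',
    re.IGNORECASE,
)

# Parents expected to prune shadow copies on this host (assumed, site-specific).
EXPECTED_PARENTS = {"wbengine.exe"}


def parse_event(line):
    """Split one pipe-delimited event into its three fields."""
    user, parent, cmdline = line.split("|", 2)
    return {"user": user, "parent": parent, "cmdline": cmdline}


def is_shadow_deletion(cmdline):
    """True if the command line deletes shadow copies via vssadmin."""
    return VSS_DELETE.search(cmdline) is not None


def scan(events):
    """Return one finding per shadow-copy deletion, rated by parent process."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if not is_shadow_deletion(ev["cmdline"]):
            continue
        unexpected = ev["parent"].lower() not in EXPECTED_PARENTS
        findings.append({**ev, "severity": "high" if unexpected else "low"})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} via {f['parent']}: {f['cmdline']}")
```

Listing shadows (`vssadmin list shadows`) is left unflagged so that routine administration does not drown the signal.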

Then, TorrentLocker presents victims with a ransom demand that instructs them to pay AU$598 within 4 days in order to recover the files. The ransom amount can also be displayed in EUR or USD, depending on the victim’s location.

Payment can only be made in Bitcoin and the software that’s used to decrypt the files once the ransom has been paid can only be accessed through the Tor anonymity network.

According to Trend Micro, over 98% of these ransomware-spreading spam emails have reached users in Australia.

While experts usually advise ransomware victims not to pay the ransom because there’s no guarantee that the files will be decrypted, many people seem to comply with the cybercrooks’ demands.

By analyzing one of the Bitcoin addresses to which victims are instructed to send the ransom money, researchers have determined that, from November to December, 1,223 transactions had been made, totaling 810 BTC. At today’s exchange rate, this is worth over $220,000, but when the cybercriminals got it last year it was worth even more.

Researchers noted in a blog post that the servers used for command and control (C&C) and the ones hosting the fake websites are located in Russia.

TorrentLocker is not the only successful piece of ransomware currently making the rounds. Last week, Cisco published a detailed analysis of version 2.0 of CryptoWall, a threat that reportedly helped cybercriminals make over $1 million in a six-month period last year.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
