TorrentLocker Ransomware Helped Cybercriminals Make 810 BTC in One Month

Australia and New Zealand are increasingly targeted with ransomware that’s designed to encrypt files and hold them for ransom, researchers at Trend Micro reported.

File-encrypting ransomware has become highly popular among cybercriminals because it can help them make a lot of money with small effort.

In December, Trend Micro revealed that many users in the Europe-Middle East-Africa (EMEA) region had their computers infected with crypto-ransomware. Now, researchers say cybercriminals have made a lot of money from Australians as well.

Users in the Australia and New Zealand (ANZ) region are being targeted with a threat called TorrentLocker. The malware is distributed via spam emails that purport to come from Australia Post or from New South Wales government organizations such as the Office of State Revenue. These messages contain links pointing to legitimate-looking fake websites where users are asked to solve a CAPTCHA before they can download an archive file containing the ransomware, which is hosted on a premium account on the file sharing service SendSpace.

The cybercrooks use a PHP script to ensure that each download link is unique. Requiring a CAPTCHA to be solved before the file is served means that email security scanners, even those capable of following links to check whether they lead to malicious content, never reach the payload and so cannot detect the threat.

Once the malware is executed, it encrypts the victim's files using elliptic curve cryptography and renames them with the .encrypted extension. To prevent the recovery of files from local backups, the ransomware uses the vssadmin command to delete Volume Shadow Copies.
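The shadow-copy deletion described above is one of the few behaviours in this campaign that is noisy enough to detect on the endpoint before encryption finishes. Below is an added example (not code from Trend Micro, SecurityWeek, or the TorrentLocker sample itself) of detection logic run over constructed process-creation events. The event lines, field names, and parent-process heuristics are assumptions for illustration; the article only mentions vssadmin, and the wmic shadowcopy delete pattern is included as a generalization because it is a well-known equivalent command.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events, flattened to one
# "key=value|key=value" line each (loosely Sysmon Event ID 1 shaped).
# These are invented for this example and are not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\vssadmin.exe|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\Invoice_AU.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "Image=C:\\Windows\\System32\\vssadmin.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=vssadmin list shadows",
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=cmd.exe /c dir",
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe|ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\Invoice_AU.exe|CommandLine=wmic shadowcopy delete",
    "Image=C:\\Windows\\System32\\vssadmin.exe|ParentImage=C:\\Windows\\System32\\services.exe|CommandLine=VSSADMIN.EXE delete shadows /for=C: /oldest",
]

# Command-line shapes that remove Volume Shadow Copies. The vssadmin form is
# the one reported for TorrentLocker; the wmic form is a known equivalent
# added here as a generalization.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]

# User-writable locations; legitimate backup tooling rarely launches from here.
SUSPICIOUS_PARENT_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened event line into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line deletes shadow copies (case and spacing tolerant)."""
    normalized = " ".join(cmdline.split())  # collapse runs of whitespace
    return any(p.search(normalized) for p in SHADOW_DELETE_PATTERNS)


def parent_is_suspicious(parent_image: str) -> bool:
    """Heuristic: parent binary lives in a user-writable directory."""
    lowered = parent_image.lower()
    return any(marker in lowered for marker in SUSPICIOUS_PARENT_MARKERS)


def detect(events: List[str]) -> List[Dict[str, str]]:
    """Return one alert per shadow-copy deletion, rated by parent process."""
    alerts: List[Dict[str, str]] = []
    for line in events:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        if not is_shadow_copy_deletion(cmd):
            continue
        parent = ev.get("ParentImage", "")
        severity = "high" if parent_is_suspicious(parent) else "medium"
        alerts.append({"severity": severity, "parent": parent, "command": cmd})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['parent']} -> {alert['command']}")
```

The "list shadows" and "dir" events are deliberately included as negatives: matching on the vssadmin binary alone would fire on routine administration, so the rule keys on the delete verb and then uses the parent process path to separate a payload dropped into a temp directory from a scheduled task or backup agent.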

Then, TorrentLocker presents victims with a ransom demand that instructs them to pay AU$598 within 4 days in order to recover the files. The ransom amount can also be displayed in EUR or USD, depending on the victim’s location.

Payment can only be made in Bitcoin and the software that’s used to decrypt the files once the ransom has been paid can only be accessed through the Tor anonymity network.

According to Trend Micro, over 98% of these ransomware-spreading spam emails have reached users in Australia.

While experts usually advise ransomware victims not to pay the ransom because there’s no guarantee that the files will be decrypted, many people seem to comply with the cybercrooks’ demands.

By analyzing one of the Bitcoin addresses to which victims are instructed to send the ransom money, researchers determined that between November and December 1,223 transactions had been made to it, totaling 810 BTC. At today's exchange rate, this is worth over $220,000, and when the cybercriminals received it last year it was worth even more.

Researchers noted in a blog post that the servers used for command and control (C&C) and the ones hosting the fake websites are located in Russia.

TorrentLocker is not the only successful piece of ransomware currently making the rounds. Last week, Cisco published a detailed analysis of version 2.0 of CryptoWall, a threat that reportedly helped cybercriminals make over $1 million in a six-month period last year.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
