Australia and New Zealand are increasingly targeted with ransomware that’s designed to encrypt files and hold them for ransom, researchers at Trend Micro reported.
File-encrypting ransomware has become highly popular among cybercriminals because it can help them make a lot of money with small effort.
In December, Trend Micro revealed that many users in the Europe-Middle East-Africa (EMEA) region had their computers infected with crypto-ransomware. Now, researchers say cybercriminals have made a lot of money from Australians as well.
Internet users in the Australia and New Zealand (ANZ) region are being targeted with a threat called TorrentLocker. The malware is distributed via spam emails that purport to come from Australia Post or from New South Wales government organizations such as the Office of State Revenue. These messages contain links pointing to fake websites designed to look legitimate, where users are asked to solve a CAPTCHA before they can download an archive file containing the ransomware from a premium account on the file-sharing service SendSpace.
The cybercrooks use a PHP script to make sure each download link is different. Requiring a CAPTCHA to be solved before the file is served ensures that email scanners, which may follow links to check whether they are malicious, cannot retrieve and detect the payload.
Once the malware is executed, it encrypts the victims' files using elliptic curve cryptography and renames them with the .encrypted extension. To prevent the recovery of earlier file versions from Volume Shadow Copy snapshots, the ransomware uses the vssadmin command to delete the shadow copies.
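Both behaviours described above, shadow-copy deletion via vssadmin and mass renaming to .encrypted, are observable on the endpoint before the ransom note ever appears. The following added example, which is not part of the SecurityWeek article or Trend Micro's research, shows detection logic for each signal run over constructed sample telemetry. The pipe-delimited event format, the host names, and the threshold of 20 renames are assumptions made for the example, not values from the article.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample process-creation records (hypothetical format, not real
# telemetry): timestamp|host|user|image|command_line
PROCESS_EVENTS = """\
2014-12-02T09:14:03Z|WS-014|jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2014-12-02T09:14:05Z|WS-014|jdoe|C:\\Program Files\\Backup\\backup.exe|backup.exe --snapshot
2014-12-02T09:15:10Z|WS-014|SYSTEM|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2014-12-02T09:16:44Z|WS-022|asmith|C:\\Users\\asmith\\AppData\\Local\\Temp\\invoice.exe|invoice.exe
2014-12-02T09:16:45Z|WS-022|asmith|C:\\Windows\\System32\\cmd.exe|cmd.exe /c "vssadmin delete shadows /for=C: /quiet"
"""

# Constructed sample file-rename records (hypothetical format):
# timestamp|host|old_path|new_path
# WS-022 renames 25 documents to .encrypted; WS-014 renames one file legitimately.
FILE_EVENTS = "".join(
    f"2014-12-02T09:17:{i:02d}Z|WS-022|C:\\Users\\asmith\\Documents\\doc{i}.docx|"
    f"C:\\Users\\asmith\\Documents\\doc{i}.docx.encrypted\n"
    for i in range(25)
) + "2014-12-02T09:18:00Z|WS-014|C:\\Users\\jdoe\\notes.txt|C:\\Users\\jdoe\\notes.old\n"

# Matches "vssadmin delete shadows" regardless of case, .exe suffix, or whether it
# is wrapped in a cmd.exe invocation; "vssadmin list shadows" does not match.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

# Number of .encrypted renames on one host above which we raise an alert (assumed).
RENAME_THRESHOLD = 20


@dataclass
class Alert:
    timestamp: str
    host: str
    reason: str
    detail: str


def parse_pipe_events(text, fields):
    """Split pipe-delimited lines into dicts keyed by the given field names."""
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("|", len(fields) - 1)
        yield dict(zip(fields, values))


def detect_shadow_copy_deletion(process_log):
    """Return one Alert per process whose command line deletes shadow copies."""
    alerts = []
    for ev in parse_pipe_events(process_log, ["timestamp", "host", "user", "image", "command_line"]):
        if SHADOW_DELETE.search(ev["command_line"]):
            alerts.append(Alert(ev["timestamp"], ev["host"], "shadow_copy_deletion",
                                f"{ev['user']}: {ev['command_line']}"))
    return alerts


def detect_encrypted_rename_burst(file_log, threshold=RENAME_THRESHOLD):
    """Return one Alert per host that renamed more than `threshold` files to .encrypted."""
    counts = Counter()
    first_seen = {}
    for ev in parse_pipe_events(file_log, ["timestamp", "host", "old_path", "new_path"]):
        if ev["new_path"].lower().endswith(".encrypted"):
            counts[ev["host"]] += 1
            first_seen.setdefault(ev["host"], ev["timestamp"])
    return [Alert(first_seen[h], h, "encrypted_rename_burst", f"{n} files renamed to .encrypted")
            for h, n in counts.items() if n > threshold]


def run_detections(process_log=PROCESS_EVENTS, file_log=FILE_EVENTS):
    """Run both detectors and return the combined alert list, ordered by time."""
    alerts = detect_shadow_copy_deletion(process_log) + detect_encrypted_rename_burst(file_log)
    return sorted(alerts, key=lambda a: a.timestamp)


if __name__ == "__main__":
    for a in run_detections():
        print(f"{a.timestamp} {a.host} {a.reason}: {a.detail}")
```

The shadow-copy rule fires on the second WS-022 event even though vssadmin is launched through cmd.exe, because it matches the full command line rather than the process image; the "vssadmin list shadows" call on WS-014 is ignored. The rename rule only fires on WS-022, where the burst of .encrypted renames exceeds the threshold, so an ordinary single rename on WS-014 produces no noise.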
Then, TorrentLocker presents victims with a ransom demand that instructs them to pay AU$598 within 4 days in order to recover the files. The ransom amount can also be displayed in EUR or USD, depending on the victim’s location.
Payment can only be made in Bitcoin, and the decryption software provided once the ransom has been paid can only be accessed through the Tor anonymity network.
According to Trend Micro, over 98% of these ransomware-spreading spam emails have reached users in Australia.
While experts usually advise ransomware victims not to pay the ransom because there’s no guarantee that the files will be decrypted, many people seem to comply with the cybercrooks’ demands.
By analyzing one of the Bitcoin addresses to which victims are instructed to send the ransom money, researchers determined that 1,223 transactions totaling 810 BTC had been made between November and December. At today's exchange rate this is worth over $220,000, and it was worth even more when the cybercriminals received it last year.
Researchers noted in a blog post that the servers used for command and control (C&C) and the ones hosting the fake websites are located in Russia.
TorrentLocker is not the only successful piece of ransomware currently making the rounds. Last week, Cisco published a detailed analysis of version 2.0 of CryptoWall, a threat that reportedly helped cybercriminals make over $1 million in a six-month period last year.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.