CIO

AFP, Australia Post targeted by crypto-ransomware

TorrentLocker, first analysed by ESET in 2014, is still very active

The Australian Federal Police and Australia Post are among several organisations across 22 countries that have been targeted by TorrentLocker, a crypto-ransomware that spreads via spam messages.

ESET researchers said on Friday that they have examined samples of this malware, first analysed in 2014, over the past months and found that it is still active, largely because of how it selects potential victims with targeted spam and how it avoids attention.

TorrentLocker impersonates local postal services, energy companies or telecom companies and displays a page claiming that a “document” (purportedly a bill or a tracking code) should be downloaded. If the malicious document is downloaded and opened by the user, TorrentLocker is executed.

The download, ransom and payment pages are highly localised, using the user’s own language and currency.

Fake download page for the Australian Federal Police

According to ESET, the modifications in the recent TorrentLocker variants are aimed at the mechanisms protecting internet users in selected countries: the way TorrentLocker contacts its command and control servers, the protection of the server by an additional layer of encryption, obfuscation, and the process of encrypting the user’s files.

“These newer TorrentLocker variants have really upped the ante,” said Nick FitzGerald, ESET senior research fellow.

“Earlier variants, just like crypto-ransomware, encrypted files of specific types, as determined by their filename extension. The recent variants turn that approach on its head, encrypting all files except for a few types necessary to allow the system to keep working after the file system has been encrypted.

“This new approach to encrypting nearly all files on a system will have ramifications for the kind of backups needed to properly restore a system that has been encrypted by TorrentLocker.”
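To make the backup point concrete, the following is an added example, not code from the article or from ESET's analysis. It compares how much of a constructed sample file tree falls in scope under an extension allowlist (the older, extension-driven behaviour described above) versus an exclusion list (the "encrypt everything except" behaviour of the newer variants). The file tree, the allowlist, the exclusion list and the excluded directory are all hypothetical and chosen for illustration; they are not TorrentLocker's actual lists.

```python
"""Added example: scope of extension-allowlist vs. exclusion-list file selection.

Everything below (file tree, lists, directories) is constructed for illustration
and is not taken from TorrentLocker or from ESET's report.
"""
from pathlib import PurePosixPath

# Constructed sample tree in the style of a Windows user profile (posix separators
# are used so the example runs unchanged on any platform).
SAMPLE_FILES = [
    "C:/Users/alice/Documents/report.docx",
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/Users/alice/AppData/Roaming/app/settings.dat",
    "C:/Users/alice/Projects/site/config.yml",
    "C:/Users/alice/Projects/site/.env",
    "C:/Users/alice/Projects/site/main.py",
    "C:/Users/alice/Downloads/archive.tar.gz",
    "C:/Users/alice/notes",                  # no extension at all
    "C:/Windows/System32/kernel32.dll",
    "C:/Windows/explorer.exe",
    "C:/Program Files/App/app.exe",
    "C:/Program Files/App/lib.dll",
    "C:/Users/alice/Desktop/readme.txt",
]

# Hypothetical allowlist: "document-like" extensions an older variant would target.
ALLOWLIST = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".zip"}

# Hypothetical exclusion list: what an "encrypt everything except" policy spares so
# the operating system can still boot and display the ransom note.
EXCLUDE_EXT = {".exe", ".dll", ".sys"}
EXCLUDE_DIRS = ("C:/Windows/",)


def ext_of(path: str) -> str:
    """Lower-cased final suffix; dotfiles and extension-less names yield ''."""
    return PurePosixPath(path).suffix.lower()


def in_scope_allowlist(path: str, allow=ALLOWLIST) -> bool:
    """Older style: a file is touched only if its extension is on the list."""
    return ext_of(path) in allow


def in_scope_exclusion(path: str, exclude_ext=EXCLUDE_EXT, exclude_dirs=EXCLUDE_DIRS) -> bool:
    """Newer style: every file is touched unless its extension or directory is excluded."""
    if path.startswith(exclude_dirs):
        return False
    return ext_of(path) not in exclude_ext


def scope_diff(files):
    """Return the files hit under each policy and those only the exclusion policy hits."""
    old = {f for f in files if in_scope_allowlist(f)}
    new = {f for f in files if in_scope_exclusion(f)}
    return {
        "allowlist": sorted(old),
        "exclusion": sorted(new),
        "newly_exposed": sorted(new - old),
    }


if __name__ == "__main__":
    result = scope_diff(SAMPLE_FILES)
    for key, paths in result.items():
        print(f"{key}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

The `newly_exposed` set is the practical takeaway: configuration files, dotfiles, application data and extension-less files that a document-only backup would never have covered are in scope once the selection logic is inverted, so a restore plan built around "back up the Documents folder" is no longer enough.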

FitzGerald advised that unexpected offers, and especially claims of criminal behaviour, received via email should be treated with great skepticism.

"Should you have been expecting such an email anyway, rather than clicking the links in the email, enter the homepage address of the organisation in your browser’s address bar, or visit it via one of your own bookmarks, and follow the options provided at the site to locate your reputedly ‘missing’ parcel, ‘unpaid fine’, etc using the apparent reference number from the email," he said.
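The advice above can be partly automated on the receiving side. The following is an added example, not code from the article, ESET or Mr FitzGerald: it pulls the links out of an email body and flags any whose host is not under the organisation's real domain, whose visible text names a different host than the one it actually points at, or which is not served over HTTPS. The organisation domain `post.example`, the lookalike hosts and the email body are all constructed for illustration.

```python
"""Added example: flag links in an email that do not point where they claim.

The expected organisation domain, the sample email and the lookalike hosts below
are constructed for illustration and are not from the article or from ESET.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if none can be parsed."""
    return (urlparse(url).hostname or "").lower()


def same_org(host: str, org_domain: str) -> bool:
    """True only for the organisation's domain itself or a subdomain of it.
    A host that merely *starts* with the domain (post.example.evil.net) fails."""
    return host == org_domain or host.endswith("." + org_domain)


def shown_host(text: str) -> str:
    """If the link text looks like a URL or bare domain, return the host it displays."""
    if "." not in text or " " in text:
        return ""
    return host_of(text if "://" in text else "http://" + text)


def check_links(html: str, org_domain: str):
    """Return [(href, [reasons])] for every link that fails at least one check."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not same_org(host, org_domain):
            reasons.append(f"host {host!r} is not under {org_domain}")
        shown = shown_host(text)
        if shown and shown != host:
            reasons.append(f"link text shows {shown!r} but points at {host!r}")
        if urlparse(href).scheme != "https":
            reasons.append("not https")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: a "missed parcel" lure with one spoofed link, one genuine
# link and one lookalike host that begins with the real domain.
SAMPLE_EMAIL = """<p>Your parcel could not be delivered. Reference: AU-12345</p>
<p><a href="http://post-example-tracking.net/track?ref=AU-12345">post.example/track</a></p>
<p><a href="https://www.post.example/help">Help</a></p>
<p><a href="https://post.example.evil-cdn.net/download">Download document</a></p>
"""

if __name__ == "__main__":
    for href, reasons in check_links(SAMPLE_EMAIL, "post.example"):
        print(href)
        for r in reasons:
            print("   -", r)
```

The check is deliberately conservative: it only reports links that are demonstrably wrong for the claimed sender. A clean result does not prove an email is genuine, which is why the advice to navigate to the organisation's site yourself and look up the reference number there still stands.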