TorrentLocker ransomware attacks affected 9,415 users in Australia, according to a new report by security vendor ESET.
TorrentLocker is ransomware spread through a spam email. The email has been disguised to look like it comes from a government department in the person’s country and claims that the victim has an unpaid invoice or speeding fine they need to download.
In Australia, some emails claimed to be from the New South Wales Office of State Revenue (see screenshot). The emails include a CAPTCHA image to create a false sense of security.
However, if the victim clicks on the enclosed file to download the invoice or fine, the ransomware encrypts documents, pictures and other files on the user’s PC or device. According to ESET, the victim is asked for 4.081 Bitcoins before they will get access to their files back.
In November 2014, authorities in NSW were warning people to delete fake traffic infringement notices sent to them via email.
The email claimed to be from the NSW Office of State Revenue (OSR) or State Debt Recovery Office (SDRO) and demanded payment for speeding or other traffic infringements. But neither the OSR nor SDRO issue fines and penalty notices via email.
Commenting on the findings, ESET Canada researcher, Marc-Etienne M. Léveillé, said TorrentLocker has infected 40,000 systems and encrypted more than 280 million documents worldwide. At this stage only 570 victims have paid the ransom, earning the attackers an estimated US$585,401 in Bitcoins, he said.
“Attackers have been reacting to online reports about TorrentLocker by defeating indicators of compromise used for detection of the malware and changing the way they use Advanced Encryption Standards [AES] from counter mode [CTR] to cipher block chaining mode [CBC],” Léveillé said in a statement.
This means that TorrentLocker victims can no longer recover all their documents by combining an encrypted file and its plain text.
Other countries that proved popular targets of TorrentLocker were Turkey (11,700 infections), Italy (4,576), the Czech Republic (3,420) and the United Kingdom (2,329).
Computerworld Australia has contacted ESET for more information.
Follow Hamish Barwick on Twitter: @HamishBarwick