Slashdot Mirror


Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware

First time accepted submitter River Tam writes Cybercriminals behind the TorrentLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia. If you're a Windows user in Australia who's had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.

4 of 83 comments

  1. Re:How? by Anonymous Coward · · Score: 5, Informative

    I was wondering too, it's in the article "The main way that PCs become infected is by spam email that encourages the victim to open what appears to be a document but is in fact an executable file that will install the malware and encrypt the files. In other words, it relies on social engineering rather than exploiting an un-patched bug. In some cases, the malware is delivered within a .zip file while in others, the message contains a link to the .zip file."

  2. Re:How? by tlhIngan · · Score: 5, Informative

    This malware relies on weakness in wetware rather than software. No general-purpose operating system can save you from PEBKAC issues, at most partially mitigate them. Unix-style execute bit rather than Windows' extensions reduces the number of vulnerable idiots by like 2-3 orders of magnitude, but you can bet that if the webpage kindly provides instructions, a good number of marks will still manage to get infected.

    It's really just another form of Dancing Pigs social engineering attack. You give the user a plausible reason for downloading and installing software, and you'll find users go out of their way to install it.

    Doesn't matter the OS. And it can be anything - be it porn, a "private porn browser" or other such tool and any OS is vulnerable. (Yes, "private porn browser" - download now and browse your porn in privacy and even your wife won't find out...).

  3. Re:Sandbox before browsing by Le+Marteau · · Score: 4, Informative

    > I'm running a browser in a VM... What malware?

    Your faith in the security of VM sandboxes is misplaced.

    It is trivial to write a program which can detect if it is in a VM. And then, attack the hypervisor and escape the protected environment. As virtualization has become more common, such malware has gone from academic exercises to real-world exploits.

    http://www.symantec.com/avcent...

    My favorite line:

    Finally, the most interesting attack that malicious code can perform against a virtual machine emulator is to escape from its protected environment.

    With virtualization becoming more and more common

    --
    Mod down people who tell people how to mod in their sigs

  4. Interesting note about cryptoviruses by wbr1 · · Score: 4, Informative
    Most are rather dumb. They will encrypt standard file types such as jpg and doc, but leave really critical stuff (qbw, pst, etc) alone. I guess the writers, not knowing what files being encrypted in a user profile might brick a machine only go for easy targets. They will readily encrypt any attached drive as well, following the same ruleset. If your backup program stores in a standard .zip or in the clear, it will be encrypted too. The best safety net is an online backup that does versioning so you can roll back to pre-infection versions of files.

    One last note, in about 5%-10% of the cases I have worked on, I was able to recover files from VSS. Most of these variants attempt to disable VSS and delete the shadow copies, but they either are not successful or do it slowly. Yanking the drive from the running environment and looking at it with shadow explorer on a clean box can sometimes save some data. Here in the US Cryptorbit variants seem to be the most frequent I see (cryptodefense, cryptolocker, howdecrypt, etc). They have really exploded in the past month. A recent fake ADP email that was making it through spam filters was responsible for a lot. The linked site downloaded a zip containing an exe with an adobe pdf icon. If you have a suspect exe, see if it has been analyzed on malwr.com and you can get a good breakdown of its precise behavior.

    --
    Silence is a state of mime.
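Comments 1 and 4 both describe the same delivery trick: a spam link or attachment leads to a .zip whose contents are an executable dressed up as a document (a PDF icon, or a name like "Invoice.pdf.exe" that Windows shows as "Invoice.pdf" when known extensions are hidden). The following is an added example, not code from the article or from any of the commenters, showing how a mail gateway or triage script can flag such archives before a user double-clicks anything. It checks three things a disguised executable gives away: an executable extension inside a "document" attachment, a document-style double extension, and a PE header (the "MZ" magic) under a non-executable name. The sample zip it builds is constructed for the example and contains no real malware; the extension lists are assumptions chosen for illustration.

```python
import io
import zipfile

# Extensions Windows (or Windows Script Host) will run on double-click. Assumed list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions the lure pretends to be. Assumed list.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def extensions(name):
    """Return every extension of the final path component, lower-cased.
    'dir/Invoice.pdf.exe' -> ['.pdf', '.exe']; 'readme' -> []."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_entry(name, head):
    """Return the reasons an archive entry looks like a disguised executable.
    `head` is the first bytes of the entry; an empty list means nothing suspicious."""
    reasons = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        # Any executable inside an emailed "document" archive is worth a look on its own.
        reasons.append("executable extension")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            # Invoice.pdf.exe: Explorer hides the real extension by default.
            reasons.append("document-style double extension")
    if head.startswith(b"MZ") and last not in EXECUTABLE_EXTS:
        # The name says document, the bytes say Windows PE (DOS "MZ" stub).
        reasons.append("PE header under non-executable name")
    return reasons


def scan_zip(data):
    """Scan a zip archive given as bytes; return {entry name: [reasons]} for flagged entries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as f:
                head = f.read(2)  # only the magic is needed for the PE check
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample attachment mimicking the lure described in the thread.
    The 'PE' bodies are just an MZ magic followed by padding, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Invoice.pdf.exe", b"MZ" + b"\x00" * 62 + b"placeholder body")
        z.writestr("Tracking_Details.pdf", b"MZ" + b"\x00" * 62)
        z.writestr("readme.txt", b"Thanks for your order.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(f"{name}: {', '.join(reasons)}")
```

The PE-magic check is the one that survives renaming: an attacker can call the file whatever they like, but the loader still needs the "MZ" stub at offset 0, so a name/content mismatch is a stronger signal than the extension alone. Conversely, a clean extension list will not catch a macro-laden .doc or a script, so treat this as a triage filter, not a verdict; a flagged file is exactly the kind of thing comment 4 suggests looking up on malwr.com before anyone runs it.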