Slashdot Mirror

← Back to Stories (view on slashdot.org)

Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware

Posted by samzenpus on from the cash-for-corrupted-computers dept.

First time accepted submitter River Tam writes Cybercriminals behind the TorrenLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia. If you're a Windows user in Australia who's had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.

7 of 83 comments (clear)

  1. Sandbox before browsing by ITRambo · · Score: 2, Interesting

    We install Sandboxie on all computers that are in for service. The benefits of using it are explained to the customer. A rogue website only takes over the sandboxed session. If infected, close the box, delete the contents and you're up and running again. I do not comprehend why the "partial" sandbox of existing browsers is considered to offer protection. Full sandboxing is the only way to do so. Nothing short of a full sandbox is safe. The sandbox in 360 Total Security looks promising also. But, it needs to be selected from the right mouse click menu, when clicking on the browser icon. My experience is that people get lax and won't do this all the time. Of course, if someone uses a cloud backup service, like Carbonite, they can clean the viruses on the PC and then restore their files as long as their cloud files are not encrypted also.

  2. Re:Backups solve much of the problem: by Anonymous Coward · · Score: 3, Interesting

    Word.

    Posting Anon because I'm embarressed, but our business got hit hard by a rootkit two weeks ago (not TorrentLocker). Proved damn near impossible to get rid of.

    In the end we erased the physical desktops and rolled all the VM's back to our August DR backup. Fortunately all our work is done in VM's and we backed up data offsite religiously (with version histories).

    So we had a shitty virus protection policy but were saved by good backups.

    We now have WebRoot rolled out via group policy, firewalls, windows update and defender are enforced by same. I've added a task to randomly picking a VM to boot scan via a KAS rescue disk once a week.

  3. Re:How? by thegarbz · · Score: 4, Interesting

    You don't need to hide the .exe extension. People will click on it anyway if they believe they have something to gain or something to lose.

  4. Re:How? by Anonymous Coward · · Score: 4, Interesting

    I've received dozens of these. All via hijacked SMTP hosts.

    The interesting thing is that all are plain-text with the attachment. The attachment is only few kilobytes long. No HTML, no javascript, nothing. Even more telling was that they came in batches of about 5. I'd start my day with about 5 in my inbox that all arrived within few minutes of each other; all pretty-much the same. Then nothing all day until the next morning when the same thing happened.

    They appear plausible, except the most recent one was "We noticed you haven't collected your tax refund of $few thousand." That's interesting because, in Australia, the ATO sends you a cheque or direct-deposits into your account for you. You don't collect anything. I've had parcel tracking ones, and all manner of other variations. There was one claiming to be a building approval. A "vehicle tax rebate" form. Then a "late fee" for something, etc.

    A few years ago I would have expected them to contain some malicious HTML or javascript,to try and force the attachment to execute in outlook. I guess these days most clueless n00bs are using web based mail, which would make that a little more difficult.

    It's crap like this that makes me glad I gave my (technology) clueless mother a Linux machine with all the security bells and whistles enabled. I'm sure she got more than her share of these emails, which she can try to run to her heart's content. I'm even more sure that she is the reason I got them (forwarding my mails, or sending mails To: a hundred people).

  5. Re:Why single out Australia? by dwywit · · Score: 3, Interesting

    We care about you, too. Seriously - the support from other countries during the recent tragedy in Sydney is very much appreciated.

    --
    They sentenced me to twenty years of boredom
  6. Company I work for got hit... by felixrising · · Score: 4, Interesting

    We had two employees access the torrentlocker website, right through out proxy portal with Kaspersky and McAfee running, and they downloaded it to their PCs running McAfee and then ran the bloody thing. By the next morning, we had more than 50000 files encrypted. I spent the next two days scripting deletion and restores across several multi-terabyte file shares. What I REALLY don't get is, why the heck did a known piece of malware like that make it through all of those antivirus/antimalware systems and heuristics and succeed in ruining two perfectly good days? (just ignoring all of the staff downtime).... Anybody?

    1. Re:Company I work for got hit... by BitZtream · · Score: 3, Interesting

      Because anyone who has been in IT for any length of time knows McAfee is complete shit? Proxies trying to stop the spread of things distributed by sites that bust their ass to avoid being caught by a blocking proxy?

      I.E. If you DEPEND on anything from a 'security' company like McAfee, Kaspersky, F-secure, whoever ... you've already failed. Those are backups that hopefully help to catch the things that the user didn't.

      Your first and only REAL line of defense is the user and proper administration like only letting people access files they NEED to access.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager