Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware
First time accepted submitter River Tam writes: Cybercriminals behind the TorrentLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia.
If you're a Windows user in Australia who's had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.
http://dragonball.wikia.com/wi...!
So, like half?
I was wondering too, it's in the article "The main way that PCs become infected is by spam email that encourages the victim to open what appears to be a document but is in fact an executable file that will install the malware and encrypt the files. In other words, it relies on social engineering rather than exploiting an un-patched bug. In some cases, the malware is delivered within a .zip file while in others, the message contains a link to the .zip file."
Sad, but true. All software has bugs. Some of them are in your browser.
(Windows does tend to have more (exploited) holes than most, 'tho)
This malware relies on weakness in wetware rather than software. No general-purpose operating system can save you from PEBKAC issues, at most partially mitigate them. Unix-style execute bit rather than Windows' extensions reduces the number of vulnerable idiots by like 2-3 orders of magnitude, but you can bet that if the webpage kindly provides instructions, a good number of marks will still manage to get infected.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
... except when your application(s) and OS hide file extensions making it difficult for people to see it's an "exe".
(But yes, people are dumb.)
I'm surprised people are still gullible enough to click on links and attachments in emails, but apparently some still are. This is a pretty good explanation of the attack vector: https://www.youtube.com/watch?v=dQw4w9WgXcQ
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
As computer files become more valuable to ordinary people (rather than just IT geeks and businesses), backup plans become more important.
Most general users don't do this, but as the data becomes more damaging if it's lost, encrypted or maliciously destroyed, they may need some sort of solution.
Even a pretty sophisticated ransom-ware would have a hard time if you take an occasional backup and check it by restoring/reading the file on another machine.
We install Sandboxie on all computers that are in for service. The benefits of using it are explained to the customer. A rogue website only takes over the sandboxed session. If infected, close the box, delete the contents and you're up and running again. I do not comprehend why the "partial" sandbox of existing browsers is considered to offer protection. Full sandboxing is the only way to do so. Nothing short of a full sandbox is safe. The sandbox in 360 Total Security looks promising also. But, it needs to be selected from the right mouse click menu, when clicking on the browser icon. My experience is that people get lax and won't do this all the time. Of course, if someone uses a cloud backup service, like Carbonite, they can clean the viruses on the PC and then restore their files as long as their cloud files are not encrypted also.
You missed out one bit, the critical part, the ability to get away with the crime; bitcoins seem to have found their true market, criminal enterprise. Interesting side note: the same countries were targeted each time and a very unlikely set; it would seem the logical relationship between the perpetrators in each targeted location would be a family relationship. There really isn't all that much secrecy in bitcoins; like anything else digitally transmitted across the internet, bitcoins have a recognisable bitmap and their movement can be readily traced.
Chaos - everything, everywhere, everywhen
Except that if the victims do even the slightest research (say, oh, I don't know... a "Google" perhaps) and find that NO ONE is getting the key (or, conversely, that keys are being given for the ransom)... You think THAT might give the hackers incentive? Keeping the gravy train running? For the price of an emailed key, to keep those hundreds of thousands of dollars flowing in?
Fucking derp.
You don't need to hide the .exe extension. People will click on it anyway if they believe they have something to gain or something to lose.
It's really just another form of Dancing Pigs social engineering attack. You give the user a plausible reason for downloading and installing software, and you'll find users go out of their way to install it.
Doesn't matter the OS. And it can be anything - be it porn, a "private porn browser" or other such tool and any OS is vulnerable. (Yes, "private porn browser" - download now and browse your porn in privacy and even your wife won't find out...).
The software pretends to be from the post office and asks a user to execute an executable that is thought to be some sort of package tracking program.
Since the logos and other stuff all match up with the real post office's stuff, many users are tricked into believing that it is indeed some legit executable.
As usual humans are the weakest link in the chain.
But someone should offer a big reward for cracking this type of ransomware to our more skilled and knowledgeable readers....
I've received dozens of these. All via hijacked SMTP hosts.
The interesting thing is that all are plain-text with the attachment. The attachment is only a few kilobytes long. No HTML, no JavaScript, nothing. Even more telling was that they came in batches of about 5. I'd start my day with about 5 in my inbox that all arrived within a few minutes of each other; all pretty much the same. Then nothing all day until the next morning when the same thing happened.
They appear plausible, except the most recent one was "We noticed you haven't collected your tax refund of $few thousand." That's interesting because, in Australia, the ATO sends you a cheque or direct-deposits into your account for you. You don't collect anything. I've had parcel tracking ones, and all manner of other variations. There was one claiming to be a building approval. A "vehicle tax rebate" form. Then a "late fee" for something, etc.
A few years ago I would have expected them to contain some malicious HTML or JavaScript, to try and force the attachment to execute in Outlook. I guess these days most clueless n00bs are using web based mail, which would make that a little more difficult.
It's crap like this that makes me glad I gave my (technology) clueless mother a Linux machine with all the security bells and whistles enabled. I'm sure she got more than her share of these emails, which she can try to run to her heart's content. I'm even more sure that she is the reason I got them (forwarding my mails, or sending mails To: a hundred people).
"Most general users don't do this" How can you even say that? "General users" are the ones who have to format because they get viruses.
They sure as hell know how to backup their stuff, and they've had a lot of practice.
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
Where they talk about targeting Windows boxes both in the editorial and the Slashdot post. How refreshing. This publication is miles ahead of the ass-licking Microsoft of ZDNet and PCWorld.
According to the image right at the top of the article, there were over 11000 in Turkey. If we're singling out the most infections, that should be the headline. Is Australia somehow more significant?
I would guess that most of those that pay are corporations that actually need that data.
Just clicking on a link should never be enough, no matter what you think the "weakness in wetware" is.
That malware then corrupts files in whatever network shares you can attach to from your VM - so congrats, your operating system is safe but your co-workers still get their files stuffed up.
Hopefully it's scaring people into having REAL backups that can't be corrupted without loading/attaching external media or deleting snapshots.
We had two employees access the TorrentLocker website, right through our proxy portal with Kaspersky and McAfee running, and they downloaded it to their PCs running McAfee and then ran the bloody thing. By the next morning, we had more than 50000 files encrypted. I spent the next two days scripting deletion and restores across several multi-terabyte file shares. What I REALLY don't get is, why the heck did a known piece of malware like that make it through all of those antivirus/antimalware systems and heuristics and succeed in ruining two perfectly good days? (just ignoring all of the staff downtime).... Anybody?
One last note, in about 5%-10% of the cases I have worked on, I was able to recover files from VSS. Most of these variants attempt to disable VSS and delete the shadow copies, but they either are not successful or do it slowly. Yanking the drive from the running environment and looking at it with Shadow Explorer on a clean box can sometimes save some data. Here in the US Cryptorbit variants seem to be the most frequent I see (CryptoDefense, CryptoLocker, HowDecrypt, etc). They have really exploded in the past month. A recent fake ADP email that was making it through spam filters was responsible for a lot. The linked site downloaded a zip containing an exe with an Adobe PDF icon. If you have a suspect exe, see if it has been analyzed on malwr.com and you can get a good breakdown of its precise behavior.
Silence is a state of mime.
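The article excerpt quoted earlier (a .zip that contains an executable dressed up as a document) and the comment above (an exe carrying an Adobe PDF icon) describe the same lure. As an added example, not code from the article or any commenter, the following mail-gateway style check opens a zip attachment in memory and flags entries whose name or leading bytes betray a disguised executable; the zip contents are constructed here, and the stub bytes are inert placeholders, not real malware.

```python
import io
import zipfile

# Magic bytes of a Windows PE executable ("MZ" header) and of a real PDF.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def suspicious_entries(zip_bytes):
    """Return a list of (name, reason) for entries that look like a disguised executable.

    Two signals are combined: the file name (an executable suffix, possibly
    hidden behind a document-like suffix that Explorer shows when extensions
    are hidden) and the first bytes of the content (a PE header under a name
    that promises a document).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            head = zf.open(info).read(4)
            if name.endswith(EXECUTABLE_SUFFIXES):
                stem = name.rsplit(".", 1)[0]
                if stem.endswith(DOCUMENT_SUFFIXES):
                    findings.append((info.filename, "double extension hides an executable"))
                else:
                    findings.append((info.filename, "executable inside a document-style attachment"))
            elif head.startswith(PE_MAGIC):
                findings.append((info.filename, "PE header under a non-executable name"))
    return findings


def build_sample_zip():
    """Constructed sample: one benign PDF and two disguised executables (inert stubs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", PDF_MAGIC + b"-1.4 benign sample")
        zf.writestr("tracking_info.pdf.exe", PE_MAGIC + b"\x90\x00 constructed stub")
        zf.writestr("parcel.docx", PE_MAGIC + b"\x90\x00 constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_entries(build_sample_zip()):
        print(f"{name}: {reason}")
```

The content check is what catches the second lure: a PE renamed to .docx has no executable suffix at all, so a name-only filter would pass it.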
The main attraction of Bitcoin is that it can't be shut down. Any kind of credit card payment system or Western Union can be shut down easily and then there is no way for them to collect the money.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
And still, MS won't make opening something and running something distinctly different actions.
> I've received dozens of these. All via hijacked SMTP hosts.
Any time I see one of these I examine the headers and invariably it is some end user desktop running off of a dynamic IP from some ISP.
A Pirate and a Puritan look the same on a balance sheet.
Those require certain filesystem attributes to be set regardless of what the name on the file is.
On the other hand, if your OS and user shell and email application simply avoid the equivalent of "bash you-don't-know-where-I-came-from.zip", you easily avoid a lot of this nonsense.
You would never consider taking random things you find on the floor or street and putting them in your mouth, but that's exactly what some "modern" software does.
A Pirate and a Puritan look the same on a balance sheet.
"You would never consider taking random things you find on the floor or street and putting them in your mouth"
You clearly don't have kids. Kids don't know better and are curious. Now extend that to every person who doesn't manage computers for a living or as part of their hobby. Interestingly, that includes almost everyone born before 1960 and after about 1995. The younger generation understands computers as little as the elderly - we've simplified the UI to the point that they're magic boxes to both age groups.
My 12 yo thought her computer was "kind of slow". Turns out, she was out of drive space - filled up the 100GB on the SSD and never even realized it.
Is it just my observation, or are there way too many stupid people in the world?
Very true. I was working in our office in Milan when two users' PCs were hit.
Email avoided Barracuda mail firewall device, Sophos on two Exchange servers, Sophos on the endpoint and Outlook junk-email filters. It also came in through our Cisco firewall with an IDS module.
Email appeared to be a legit email from a logistics company in Italy (in Italian). Only three users out of 60 got the email, those that deal with the company. Two users opened the mail and the attachment.
So, one, it avoided a lot of checking. Secondly it worked very fast. It encrypted hard drives and network drives to the tune of 170k files in a few minutes. Thirdly, it seems there were a few critical leaks of email databases (corroborated by the IT manager having spoken with her former colleagues, who had a similar problem only a few days beforehand). Lastly, it seems that the attack was highly targeted.
Backup procedures are heavily audited in our company and the Italian IT backup nightly and test restores daily. It took a while to load data from the tapes, but within 24 hours, all network data was restored with only a few files (those created that day) lost. PC files lost amount to a few inconsequential files, plus lots of personal photos that the users had been warned NOT to store on company IT equipment.
Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music
So on Linux, this malware can install itself without asking for a password?
I don't read your sig. Why are you reading mine?
On Windows 8.1, using IE [non-Metro], just visiting a website using the default configuration for security settings, lets it display the drivers that are installed, with version numbers, which presumably could also be uploaded to the server, without needing further interaction with the user [after clicking a link to go to that page].
You might as well just have the web browser directly publish the vulnerabilities...
Sleep your way to a whiter smile...date a dentist!
I don't think young people are *that* bad. When we were kids, only people that could understand the lower level operation of a computer could use one, because there was no "high level" interface, i.e. they were not user-friendly. Since modern computers are relatively friendly and they are more useful to your average person now (the web, social platforms, etc.), you have many more people from *all* generations using computers. There are probably more young people today that understand computers well at a low level than in the past but they are outnumbered by all of their clueless peers, peers that didn't exist when we were kids.
Recently I attempted to download a user manual (pdf) for some old device from a shady website and it ended up having an .exe extension. As it was downloading it popped-up a nice graphic showing me step-by-step how to "view" the document. Which included me clicking on the "document", saying "yes, I'd like to run this" at the first dialog, and then saying "yes, I allow this application to make changes to my computer" at the second dialog. I'm hoping anyone under the age of 60 sees this and laughs whilst deleting the "document" but (most) older people will follow these steps to the letter.
Stupider like a fox! - H.S.
"earned"? Perhaps that would be better expressed as "extorted".
Actually bitcoins can be quite readily shut down; they can simply be detected and filtered off the internet between points of transmission and either kept or destroyed. Likely to become a growing target of opportunity for corrupt ISP employees or management.
Chaos - everything, everywhere, everywhen
One would assume that had one taken the trouble to sandbox an operating environment to mitigate the risk of data corruption by malware, one would also have made sure that no folder shares were available to that sandbox. Your argument is moot.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
Most small businesses are incorporated.