Slashdot Mirror


Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware

First time accepted submitter River Tam writes Cybercriminals behind the TorrentLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia. If you're a Windows user in Australia who's had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.


  1. It's Over 9000! by dillee1 · · Score: 4, Funny
  2. Re:How? by Anonymous Coward · · Score: 5, Informative

    I was wondering too, it's in the article "The main way that PCs become infected is by spam email that encourages the victim to open what appears to be a document but is in fact an executable file that will install the malware and encrypt the files. In other words, it relies on social engineering rather than exploiting an un-patched bug. In some cases, the malware is delivered within a .zip file while in others, the message contains a link to the .zip file."

  3. Re:How? by KiloByte · · Score: 5, Insightful

    This malware relies on weakness in wetware rather than software. No general-purpose operating system can save you from PEBKAC issues, at most partially mitigate them. Unix-style execute bit rather than Windows' extensions reduces the number of vulnerable idiots by like 2-3 orders of magnitude, but you can bet that if the webpage kindly provides instructions, a good number of marks will still manage to get infected.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  4. Re:How? by Cramer · · Score: 2

    ... except when your application(s) and OS hide file extensions making it difficult for people to see it's an "exe".

    (But yes, people are dumb.)

  5. Backups solve much of the problem: by Hartree · · Score: 4, Insightful

    As computer files become more valuable to ordinary people (rather than just IT geeks and businesses), backup plans become more important.

    Most general users don't do this, but as the data becomes more damaging if it's lost, encrypted or maliciously destroyed, they may need some sort of solution.

    Even a pretty sophisticated ransom-ware would have a hard time if you take an occasional backup and check it by restoring/reading the file on another machine.

    1. Re:Backups solve much of the problem: by Anonymous Coward · · Score: 3, Interesting

      Word.

      Posting Anon because I'm embarrassed, but our business got hit hard by a rootkit two weeks ago (not TorrentLocker). Proved damn near impossible to get rid of.

      In the end we erased the physical desktops and rolled all the VM's back to our August DR backup. Fortunately all our work is done in VM's and we backed up data offsite religiously (with version histories).

      So we had a shitty virus protection policy but were saved by good backups.

      We now have WebRoot rolled out via group policy; firewalls, windows update and defender are enforced by same. I've added a task that randomly picks a VM to boot scan via a KAS rescue disk once a week.

  6. Sandbox before browsing by ITRambo · · Score: 2, Interesting

    We install Sandboxie on all computers that are in for service. The benefits of using it are explained to the customer. A rogue website only takes over the sandboxed session. If infected, close the box, delete the contents and you're up and running again. I do not comprehend why the "partial" sandbox of existing browsers is considered to offer protection. Full sandboxing is the only way to do so. Nothing short of a full sandbox is safe. The sandbox in 360 Total Security looks promising also. But, it needs to be selected from the right mouse click menu, when clicking on the browser icon. My experience is that people get lax and won't do this all the time. Of course, if someone uses a cloud backup service, like Carbonite, they can clean the viruses on the PC and then restore their files as long as their cloud files are not encrypted also.

    1. Re:Sandbox before browsing by mjwx · · Score: 2

      > We install Sandboxie on all computers that are in for service. The benefits of using it are explained to the customer. A rogue website only takes over the sandboxed session. If infected, close the box, delete the contents and you're up and running again.

      That's completely useless in this case as the malware fools the user into installing it. The user downloads a zip file containing an executable, so it's well outside the sandbox by that point.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    2. Re:Sandbox before browsing by Le+Marteau · · Score: 4, Informative

      > I'm running a browser in a VM... What malware?

      Your faith in the security of VM sandboxes is misplaced.

      It is trivial to write a program which can detect if it is in a VM. And then, attack the hypervisor and escape the protected environment. As virtualization has become more common, such malware has gone from academic exercises to real-world exploits.

      http://www.symantec.com/avcent...

      My favorite line:

      Finally, the most interesting attack that malicious code can perform against a virtual machine emulator is to escape from its protected environment.

      With virtualization becoming more and more common

      --
      Mod down people who tell people how to mod in their sigs
  7. Re:How? by rtb61 · · Score: 2

    You missed out one bit, the critical part: the ability to get away with the crime. Bitcoins seem to have found their true market, criminal enterprise. Interesting side note: the same countries were targeted each time, and a very unlikely set; it would seem the logical relationship between the perpetrators in each targeted location would be a family relationship. There really isn't all that much secrecy in bitcoins. Like anything else digitally transmitted across the internet, bitcoins have a recognisable bitmap and their movement can be readily traced.

    --
    Chaos - everything, everywhere, everywhen
  8. Re:I can't believe people would fall for this! by deek · · Score: 5, Funny

    Yeah, like I'm going to click on that link you posted! Can't fool me.

  9. Re:How? by thegarbz · · Score: 4, Interesting

    You don't need to hide the .exe extension. People will click on it anyway if they believe they have something to gain or something to lose.

  10. Re:How? by tlhIngan · · Score: 5, Informative

    > This malware relies on weakness in wetware rather than software. No general-purpose operating system can save you from PEBKAC issues, at most partially mitigate them. Unix-style execute bit rather than Windows' extensions reduces the number of vulnerable idiots by like 2-3 orders of magnitude, but you can bet that if the webpage kindly provides instructions, a good number of marks will still manage to get infected.

    It's really just another form of Dancing Pigs social engineering attack. You give the user a plausible reason for downloading and installing software, and you'll find users go out of their way to install it.

    Doesn't matter the OS. And it can be anything - be it porn, a "private porn browser" or other such tool and any OS is vulnerable. (Yes, "private porn browser" - download now and browse your porn in privacy and even your wife won't find out...).

  11. Re:How? by Anonymous Coward · · Score: 4, Interesting

    I've received dozens of these. All via hijacked SMTP hosts.

    The interesting thing is that all are plain-text with the attachment. The attachment is only a few kilobytes long. No HTML, no javascript, nothing. Even more telling was that they came in batches of about 5. I'd start my day with about 5 in my inbox that all arrived within a few minutes of each other; all pretty much the same. Then nothing all day until the next morning when the same thing happened.

    They appear plausible, except the most recent one was "We noticed you haven't collected your tax refund of $few thousand." That's interesting because, in Australia, the ATO sends you a cheque or direct-deposits into your account for you. You don't collect anything. I've had parcel tracking ones, and all manner of other variations. There was one claiming to be a building approval. A "vehicle tax rebate" form. Then a "late fee" for something, etc.

    A few years ago I would have expected them to contain some malicious HTML or javascript, to try and force the attachment to execute in outlook. I guess these days most clueless n00bs are using web based mail, which would make that a little more difficult.

    It's crap like this that makes me glad I gave my (technology) clueless mother a Linux machine with all the security bells and whistles enabled. I'm sure she got more than her share of these emails, which she can try to run to her heart's content. I'm even more sure that she is the reason I got them (forwarding my mails, or sending mails To: a hundred people).

  12. Not as such by dbIII · · Score: 2

    Just clicking on a link should never be enough, no matter what you think the "weakness in wetware" is.

  13. Re:Why single out Australia? by dwywit · · Score: 3, Interesting

    We care about you, too. Seriously - the support from other countries during the recent tragedy in Sydney is very much appreciated.

    --
    They sentenced me to twenty years of boredom
  14. Company I work for got hit... by felixrising · · Score: 4, Interesting

    We had two employees access the torrentlocker website, right through our proxy portal with Kaspersky and McAfee running, and they downloaded it to their PCs running McAfee and then ran the bloody thing. By the next morning, we had more than 50000 files encrypted. I spent the next two days scripting deletion and restores across several multi-terabyte file shares. What I REALLY don't get is, why the heck did a known piece of malware like that make it through all of those antivirus/antimalware systems and heuristics and succeed in ruining two perfectly good days? (just ignoring all of the staff downtime).... Anybody?

    1. Re:Company I work for got hit... by BitZtream · · Score: 3, Interesting

      Because anyone who has been in IT for any length of time knows McAfee is complete shit? Proxies trying to stop the spread of things distributed by sites that bust their ass to avoid being caught by a blocking proxy?

      I.E. If you DEPEND on anything from a 'security' company like McAfee, Kaspersky, F-secure, whoever ... you've already failed. Those are backups that hopefully help to catch the things that the user didn't.

      Your first and only REAL line of defense is the user and proper administration like only letting people access files they NEED to access.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  15. Interesting note about cryptoviruses by wbr1 · · Score: 4, Informative

    Most are rather dumb. They will encrypt standard file types such as jpg and doc, but leave really critical stuff (qbw, pst, etc) alone. I guess the writers, not knowing what files being encrypted in a user profile might brick a machine, only go for easy targets. They will readily encrypt any attached drive as well, following the same ruleset. If your backup program stores in a standard .zip or in the clear, it will be encrypted too. The best safety net is an online backup that does versioning so you can roll back to pre-infection versions of files.

    One last note, in about 5%-10% of the cases I have worked on, I was able to recover files from VSS. Most of these variants attempt to disable VSS and delete the shadow copies, but they either are not successful or do it slowly. Yanking the drive from the running environment and looking at it with shadow explorer on a clean box can sometimes save some data. Here in the US Cryptorbit variants seem to be the most frequent I see (cryptodefense, cryptolocker, howdecrypt, etc). They have really exploded in the past month. A recent fake ADP email that was making it through spam filters was responsible for a lot. The linked site downloaded a zip containing an exe with an adobe pdf icon. If you have a suspect exe, see if it has been analyzed on malwr.com and you can get a good breakdown of its precise behavior.

    --
    Silence is a state of mime.
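As an added example, not from any commenter or from the article, here is a Python check for the attachment pattern described in comments 2, 4 and 15 (a zip whose member is an executable dressed up as a document, possibly with the real extension hidden by the OS): it flags executable extensions, document-style double extensions, and PE content by magic bytes regardless of the file name. The extension lists and the sample zip are constructed for illustration; the fake PE is only a header, not runnable code.

```python
import io
import struct
import zipfile

# Extensions Windows launches on double-click (constructed, non-exhaustive).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".wsf"}
# Extensions users expect to be harmless documents (constructed list).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

def is_pe_image(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"

def scan_attachment(zip_bytes: bytes) -> dict:
    """Map each suspicious zip member to the list of reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            reasons = []
            if exts and exts[-1] in EXEC_EXTS:
                reasons.append("executable extension")
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXEC_EXTS:
                reasons.append("document-looking double extension")
            # Read only the header; the content check does not trust the name.
            with zf.open(info) as fh:
                head = fh.read(0x400)
            if is_pe_image(head):
                reasons.append("PE executable by magic bytes")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: a minimal fake PE header under two names, plus one
    genuinely harmless text file."""
    fake_pe = bytearray(0x100)
    fake_pe[:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x80)   # e_lfanew -> PE signature
    fake_pe[0x80:0x84] = b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4421.pdf.exe", bytes(fake_pe))  # double extension
        zf.writestr("statement.pdf", bytes(fake_pe))         # renamed PE
        zf.writestr("readme.txt", b"Please see attached.\n")
    return buf.getvalue()
```

Run `scan_attachment(build_sample_zip())` to see the two flagged members; a mail gateway or helpdesk triage script could apply the same check to real attachments.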
  16. Re:How? by sjames · · Score: 2

    And still, MS won't make opening something and running something distinctly different actions.

  17. Re:What kind of statement is this by Neil+Boekend · · Score: 2

    In my experience: not really. They just have viruses and don't know it.
    Most users still don't backup. They just don't think about it.

    --
    Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  18. Re:How? by jedidiah · · Score: 2

    > I've received dozens of these. All via hijacked SMTP hosts.

    Any time I see one of these I examine the headers and invariably it is some end user desktop running off of a dynamic IP from some ISP.

    --
    A Pirate and a Puritan look the same on a balance sheet.