::Trend Micro Threat Resource Center::


13 January 2015

Researchers measure reach of Australian TorrentLocker variant


Last year there were more than 10,000 web hits related to versions of the TorrentLocker malware tailored to Australian audiences in a single month of monitoring by security researchers.

TorrentLocker is a strain of malware that encrypts users' files and forces victims to pay a ransom in bitcoins in order to receive a key to decrypt them.

The base price in Australia is $598, but the ransomware threatens to double the price in 96 hours. Payment takes place through the Tor anonymity service.

TorrentLocker identifies itself as CryptoLocker, which is a separate piece of malware that operates in a similar fashion.

Security vendor Trend Micro and Deakin University researchers monitored local TorrentLocker activity in November last year and registered more than 10,000 hits relating to the malware originating from Australia.

The level of traffic to TorrentLocker-related addresses was obtained by studying a sample from the Trend Micro Web Reputation Service (WRS) and Smart Protection Network.

TorrentLocker phishing emails and destination URLs impersonated Australia Post and NSW's Office of State Revenue.

"This strain of CryptoLocker tailored for Australian victims started in the second half of 2014, and continued up to Christmas Eve," Jon Oliver, a senior threat researcher at Trend Micro Australia, said in a statement.

"The outbreaks have stopped for the New Year break, but will almost certainly continue in the New Year."

"These attacks are technically sophisticated and specifically aimed at Australians and have been significantly increasing since July with an enormous impact on businesses and individuals," said Deakin University's Professor Yang Xiang.

Full report available for download here.

17 December 2014

TorLocker ransomware variant designed to target Japanese users

Ransomware is nothing new to Japan. Symantec’s research has found that Japan ranks among the regions most affected by global ransomware attacks. However, no attacks specifically targeting Japanese users had ever been confirmed. That is, until now. In recent weeks, Symantec has observed a ransomware variant in the wild that was designed to target users who speak Japanese.


Figure 1. Ransomware attacks in November 2014 by region

The ransomware threat in question is a localized variant of TorLocker. The malware encrypts files with certain file extensions on the compromised computer and demands that the user pay in order to decrypt the files. Symantec has confirmed multiple variants of this particular Japanese ransomware threat.

TorLocker has been used in ransomware attacks around the world. The threat is part of an affiliate program, where the program’s operator gives participants the builder to create custom ransomware, access to the TorLocker control panel to track infections, and miscellaneous files to be used in conjunction with the malware. In return, the participants give a portion of the profit from the attack to the affiliate program’s operator.

Infection
The localized variant’s attacks on Japanese users have occurred on compromised websites that commonly host blogs. However, it is also possible that the attacker is renting an exploit kit to automatically compromise victims’ computers by exploiting software vulnerabilities. In one case, a recently compromised site owned by a Japanese publishing company redirected traffic to several domains hosting the Rig exploit kit. This may have ultimately served the ransomware as a payload.

In another case in late November, a blog site was compromised to display a fake Adobe Flash Player installer page.


Figure 2. Fake Adobe Flash Player installer page

If the user clicks on the yellow install button, they are prompted to download and execute a setup file to install the plugin. However, the file does not contain the typical icon used in Flash Player installers. The file is not digitally signed either, which suggests that the installer is a phony.


Figure 3. Icon of the installer downloaded from the fake Flash Player page

Once the setup file is executed, it does not install Flash Player. Instead, it encrypts certain files and displays a message in Japanese in a pop-up window, stating that the computer has been locked. The message then asks the user to pay in order to unlock their files. The demanded ransom ranges from 40,000 yen to 300,000 yen (approximately US$500 to US$3,600).

Figure 4. Pop-up window of the TorLocker ransomware variant targeting Japanese-speaking users

Stay protected
Japan is approaching its week-long New Year holiday. The long break is a perfect opportunity for the attacker to run its campaign, as many users will likely surf the internet during the time off. Symantec has the following recommendations to avoid or mitigate ransomware infections:

  • Update the software, operating system, and browser plugins on your computer to prevent attackers from exploiting known vulnerabilities.
  • Use comprehensive security software, such as Norton Security, to protect yourself from cybercriminals.
  • Regularly back up any files stored on your computer. If your computer has been compromised with ransomware, then these files can be restored once the malware is removed from the computer.
  • Never pay the ransom. There’s no guarantee that the attacker will decrypt the files as promised once they receive payment.