TorrentLocker and Its Effect on the Australian Web Threat Landscape
January 12, 2015
View research paper: Australian Web Threat Landscape
TorrentLocker refers to a strain of ransomware that uses encryption in order to extort money from its victims. It is considered a regional threat with infections found in many regions, with some of the most recent ones being spotted in Australia.
Analysis of the outbreaks show that the location of the infection is not happenstance, as the social engineering and email addresses involved specifically targeted individuals and businesses in Australia. This paper provides insights into a series of TorrentLocker outbreaks, as well as its effects on the Australian web threat landscape.
General Attack Scenario:
- The Australian TorrentLocker outbreak relied on socially engineered emails that urged the users to click links supposedly leading to Australian government/postal websites.
- The email spam was carefully crafted to involve emails used by the above-mentioned organizations to send their genuine emails in order to evade anti-spam systems.
- Once victims clicked the link supplied by the spammed emails, they were redirected to a malicious website. They were then asked to complete a CAPTCHA verification test in order to download the zipped archive that supposedly contains urgent information, as promised by the spammed mail.
- The zipped archive contains the TorrentLocker malware, which encrypts files on the infected system once it is extracted and executed. The files encrypted are those that use commonly used file extensions, such as .DOCX, .PDF, and .ZIP.
- Once the files are encrypted, the malware requires payment in Bitcoins so the affected users can recover their files. The base amount is stated to be A$598, with a threat that the price will double after 96 hours.
- The delivered TorrentLocker malware is found to be rapidly changing, most likely to evade detection by security companies.
Web Threat Landscape Analysis and TorrentLocker Impact
In light of this, we discovered the following findings about the web threat landscape of the country:
- 10.5% of all Australian IP addresses were exposed to one or more web threats during the research period of November 1-30, 2014.
- The Australian Internet population generated 5.47 billion web hits (HTTP/HTTPS transaction initiated by a browser) during the research period, and 11.97 million of those attempted to visit malicious pages (0.22%). This is a figure similar to last year’s December 2013 report (0.21%). The value also sits in the median area of the highest and lowest values recorded during the research period, namely 0.16% and 0.35% respectively.
- Based on the findings above, we can say that that the outbreak of TorrentLocker did not significantly influence or affect the general trend of malicious activity in Australia, as the numbers are still relatively small compared with all other malicious activities.
This report explored various aspects of threats in the Australian web landscape. We have provided statistics on the volume and timing of web threats impacting Australia.
Even if our findings showed that the overall web threat landscape of Australia was not too drastically affected by the TorrentLocker outbreak, the malware remains a serious threat to users around the world, and should be taken seriously.
Based on the evasion techniques used and the outbreaks that adapted to security measures, we see multilayer filtering as a more robust approach to protecting users from TorrentLocker variants. In addition, further research is needed to monitor and document the evasion techniques being used and their impact on Australia.
For a much more detailed look on our findings and their implications to Australian users and businesses, download the full paper on the Australian Web Threat Landscape.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.