TorrentLocker malware on the rampage in Europe, Irish refuse ransom

17 Dec 2014


The TorrentLocker malware, which encrypts files on infected computers before demanding a ransom for their release, has so far affected 40,000 systems worldwide.

Well over US$500,000 has been garnered by the group behind the malware through its ransom service, paid via bitcoins, but as yet nobody from Ireland – where 112 infected hosts are based – has paid up.

Security firm ESET has analysed the ‘ransomware’, which started spreading earlier this year. Although it mainly targets European machines, it has reached North America and Australasia, too.

“Its typical signature is paying ransom solely in cryptocurrency – up to 4.081 bitcoins (€1,180 or US$1,500),” says ESET.

In Ireland, 2.5m files have been encrypted, with ransom demands ranging from €600 to €1,000 per victim, “but according to ESET’s research none have been paid.”

Ransom payment page. Image via ESET

The infection spreads via a standard spam email approach. The victim receives a dodgy email carrying a malicious attachment, often disguised as an unpaid invoice or the like.

“The credibility of the email is increased by mimicking business or government websites in the victim’s country,” explains ESET. “To fool the victims, the attackers have even inserted CAPTCHA images to create a false sense of security.”

According to ESET’s whitepaper, titled TorrentLocker – Ransomware in a Country Near You, the origin emails are always localised.

“For example, if a victim is believed to be in Australia, fake package tracking information will be sent spoofed to appear as if it comes from Australia Post. The location of the potential victim can be determined by the top level domain used in the email address of the target or the ISP to which it is referring.”

Shifting the Finnish line

In September, researchers in Finland worked out a way to bypass the payment system and retrieve the encrypted files for free, but once this was spotted, the authors behind TorrentLocker changed their methodology and closed off that avenue.

So far, the countries affected by this ransomware are Australia, Austria, Canada, the Czech Republic, Italy, Ireland, France, Germany, the Netherlands, New Zealand, Spain, Turkey and the UK. Notably, the US is missing from this list.

Breakdown of countries affected by TorrentLocker malware. Image via ESET

Ransom image via Shutterstock

Gordon Hunt is a journalist at Siliconrepublic.com

editorial@siliconrepublic.com