Cybercriminals behind the TorrentLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections.
But apparently more than 9,000 of the victims were from Australia thanks to a poisoned website which claimed to be the Australia Post newspaper.
TorrentLocker is one of several ransomware threats that have emerged in the wake law enforcement action against CryptoLocker earlier this year.
TorrentLocker demands payment of up to $1,500 in Bitcoin to unlock victim’s encrypted files. Whether victims pay depends on how much they value files.
Security vendor ESET said that the hackers behind TorrentLocker put extra effort into defrauding Australian computer users via a several bogus websites for Australia Post and the NSW Office of State Revenue.
The hackers were more successful Turkey which made 11,700 infections, but that country has a bigger population with less crocodiles. Italy, the UK, the Czech Republic, and Netherlands all had infections of between 4,500 and 2,280 each, which was also on the higher side.
Few victims actually paid. According to ESET researcher and author of the report, Marc-Etienne M.Léveillé, only 1.44 percent or 577 of the infections translated in to payment for the hackers. Still, based on the Bitcoin exchange rate of $384.94 on November 29, TorrentLocker’s operators may have earned between anywhere between $292,700 and $585,401, which is not bad money.
The PCs were infected by spam email that encourages the victim to open what appears to be a document but is in fact an executable file that will install the malware and encrypt the files.
Messages included tricking victims into opening files marked unpaid invoices, package tracking and unpaid speeding tickets.
“For example, if a victim is believed to be in Australia, fake package tracking information will be sent spoofed to appear as if it comes from Australia Post. The location of the potential victim can be determined by the top level domain used in the e-mail address of the target or the ISP to which it is referring,” ESET notes in its report.
The fake Australian domains the attackers have bought for the campaign include sites that look like the legitimate Australia Post domain austpost.com.au. These are austpost-tracking.com and austpost-tracking.org. Domains they have acquired to appear like the NSW Office of State Revenue’s real domain osr.nsw.gov.au include the bogus domains nsw-gov.net and osr-nsw-gov.net.
TorrentLocker’s “side task” is to steal the address book from email clients on the infected machine and contains code that enables this feature for Thunderbird, Outlook, Outlook Express and Windows Mail.