We noticed a recent influx of crypto-ransomware spreading in Australia. This recent wave rings similar to the hike of infections in the Europe/Middle East/Africa (EMEA) region we wrote about in early December. Upon further research and analysis, we concluded that the attackers behind these incidents could possibly belong to the same cybercriminal gang due to the similarity in their IP addresses.
Our analysis shows that the family-based pattern that identified the TorrentLocker malware that hit Australia also identified the outbreaks in Turkey, Italy, and France.
We observed that the TorrentLocker malware is configured for both Australia and countries in EMEA and shows similar payment pages for thesecountries. If users are not located in a targeted country, a generic English-language web page appears, and the ransom demand is made in US dollars. Below is a series of screenshots displayed by the TorrentLocker malware that incorrectly tells victims that it is the “CryptoLocker virus.”
Figure 1. Payment demands for various victims depending on their geo-locations.
In Australia, the base price is A$598 and displays a warning that the price will double after four days after the user is given the Bitcoin address.
Some examples of the IPs hosting fake domains from various counties TorrentLocker sites include 126.96.36.199, which hosts phishing pages for both Australia Post and Turkey’s TTNET. 188.8.131.52 hosted SDA Express TorrentLocker domains.
Finding Similarities in Spoofed Sites
Data from the Trend Micro™ Smart Protection Network™ shows us the top spoofed sites used and which countries in EMEA and Australia they are most prevalent in. These sites are typically related to postal services (such as Australia Post) and government-related sites like http://www.osr.nsw.gov.au/, the official website site for the Office of State Revenue in New South Wales. Other researchers have noted that the commonly spoofed domains in Australia include auspost.com.au/ and nsw.gov.au. In Turkey the most spoofed domain is ttnet.com.tr (the legitimate site belongs to a Turkish ISP), while in https://online.correos.es/ (the site of the Spanish post office) is most popular in Spain.
Given these data, we ran a search for strings related to these domains and found that from October to December of 2014, these spoofed websites were accessed in an average of a thousand times or less per day, ranging from October to December 2014. Among the total number of countries we queried for accessing these spoofed domains, Australia topped the list with a 75% share with its top spoofed domains auspost.com.au/ and nsw.gov.au. Domains related to Italian courier service http://www.sda.it/ is the third most accessed spoofed domain , while domains related to Internet service provider www.ttnet.com.tr is the fourth most accessed spoofed domain.
Below is a detailed breakdown of the spoofed domains we monitored:
Figure 2. Spoofed blocked domains
This indicates that the same gang may be active in different counties, which means that we could possibly be seeing a massive, global threat in our hands.
Remaining Vigilant against Crypto-Ransomware Attacks
As crypto-ransomware attacks continue to spread across Australia and around the region, the findings we wrote about above give us reason to believe that we may be seeing a global trend in these attacks, and that the threat may soon be evolving to a much larger victim pool. The best course of action for users is to stay vigilant against these attacks. Ignore false messages about files held for “ransom,” and stay abreast of the latest cybercriminal tricks and techniques.
With analysis and insights from Paul Pajares, Feike Hacquebord, and Jon Oliver
Some hashes of related files: