Crypto-ransomware continues to be a very effective way for cyber crooks to “earn” serious money: the method is so lucrative that with a single campaign, the crooks have managed to get their hands on 810 BTC (over $217,000) in a month.
The targets of the latest widespread ransomware delivery campaign are almost exclusively Australian users, and it seems that over 1,200 of them have paid up to have their computers unlocked and their files restored.
The malware – a TorrentLocker variant – is delivered via spoofed emails impersonating the New South Wales government or Australia Post. In the former case the targets are urged to download a penalty or reminder notice, in the latter information about a delivery.
Once the targets click on the link offered in the email, they are taken to a newly-registered typosquatting domain similar to the official sites of the Australia Post and the NSW government.
They are then asked to “solve” a CAPTCHA in order to be allowed to download the wanted file (the crooks are using this approach to foil mail scanners, which can follow and evaluate links).
Once the victims download the malware masquerading as a notice and run it, it contacts a C&C server.
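The delivery chain above hinges on a lookalike domain: a link whose host merely resembles auspost.com.au or nsw.gov.au. The following is an added example (not code from the article or from Trend Micro) of a defender-side link-triage check that a mail gateway or SOC script could apply before a user follows such a link. It assumes a small allow-list of trusted registrable domains, a hand-written edit-distance routine, and sample URLs that are constructed for the demonstration; none of the lookalike hosts are taken from the campaign.

```python
from urllib.parse import urlparse

# Trusted registrable domains (assumption: the two brands named in the article).
TRUSTED = {"auspost.com.au", "nsw.gov.au"}

# Public suffixes that take two labels, so "auspost.com.au" is one registrable
# domain rather than "com.au". Kept deliberately short for the example.
MULTI_LABEL_SUFFIXES = {"com.au", "gov.au", "net.au", "org.au", "co.uk"}


def registrable_domain(host):
    """Return the registrable part of a hostname (e.g. www.nsw.gov.au -> nsw.gov.au)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED, max_distance=2):
    """Classify a URL as trusted, an embedded lookalike, a typosquat suspect or unrelated.

    Returns a (verdict, matched_domain) tuple.
    """
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    if reg in trusted:
        return ("trusted", reg)
    # A trusted name used as a subdomain of an unrelated registrable domain,
    # e.g. auspost.com.au.<something-else>.
    for t in trusted:
        if t in host and reg != t:
            return ("embedded-lookalike", t)
    # Small edit distance from a trusted domain: likely typosquat.
    best = min(trusted, key=lambda t: levenshtein(reg, t))
    if levenshtein(reg, best) <= max_distance:
        return ("typosquat-suspect", best)
    return ("unrelated", reg)


# Constructed sample links for the demonstration (not from the campaign).
SAMPLE_LINKS = [
    "https://auspost.com.au/track/parcel",
    "http://www.nsw.gov.au/penalty",
    "http://auspost.com.au.example-constructed.net/notice",
    "http://nsvv.gov.au/notice",
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", classify_link(link))
```

The embedded-lookalike rule is checked before the edit-distance rule on purpose: a host that contains the full trusted name is a more reliable signal than a near-miss spelling, and it would otherwise be scored as "unrelated" because its registrable domain differs completely.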
“After successful sending and receiving of information, the malware will then encrypt files in the users’ machines using Elliptic Curve Cryptography Encryption and appends the string .encrypted. Afterwards, it drops an .HTML file with decryption instructions and displays a ransom page. It also deletes the shadow copy of the infected system by executing the command line instruction vssadmin.exe Delete Shadows /All /Quiet, thus preventing the user from restoring their files from back-up,” Trend Micro fraud analyst Paul Pajares and web threat researcher Christopher Ke from Deakin University explained.
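Two of the behaviours in that description are cheap to detect on an endpoint: the vssadmin shadow-copy deletion and the burst of files being written with a .encrypted suffix. The following is an added example (not code from the article or from Trend Micro) of detection logic run over process-creation and file-creation events. It assumes a simplified key=value log format loosely modelled on Sysmon records, and the event lines, timestamps and process ids are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    'ts=2014-10-16T09:12:01 event=ProcessCreate pid=4120 image=C:\\Users\\alice\\Downloads\\notice.exe cmdline="notice.exe"',
    'ts=2014-10-16T09:12:05 event=ProcessCreate pid=4188 parent=4120 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    'ts=2014-10-16T09:12:07 event=FileCreate pid=4120 target=C:\\Users\\alice\\Documents\\budget.xlsx.encrypted',
    'ts=2014-10-16T09:12:07 event=FileCreate pid=4120 target=C:\\Users\\alice\\Documents\\report.docx.encrypted',
    'ts=2014-10-16T09:12:08 event=FileCreate pid=4120 target=C:\\Users\\alice\\Pictures\\holiday.jpg.encrypted',
    'ts=2014-10-16T09:30:00 event=ProcessCreate pid=5000 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe List Shadows"',
    'ts=2014-10-16T09:31:00 event=FileCreate pid=5100 target=C:\\Users\\bob\\notes.txt',
]

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Matches the documented command and case variants of it (vssadmin ... delete shadows);
# listing shadows is benign and must not match.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)


def parse_event(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def find_shadow_deletion(lines):
    """Return process-creation events whose command line deletes volume shadow copies."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") == "ProcessCreate" and SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
            hits.append(ev)
    return hits


def find_mass_encryption(lines, extension=".encrypted", threshold=3):
    """Return {pid: count} for processes that created at least `threshold` files with the suffix."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") == "FileCreate" and ev.get("target", "").lower().endswith(extension):
            counts[ev.get("pid")] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def triage(lines):
    """Combine both detections into one summary suitable for an alert."""
    shadow_hits = find_shadow_deletion(lines)
    return {
        "shadow_deletion_pids": [ev.get("pid") for ev in shadow_hits],
        # Parent pid of the vssadmin call points at the process that spawned it.
        "shadow_deletion_parents": [ev.get("parent") for ev in shadow_hits if ev.get("parent")],
        "mass_encryption": find_mass_encryption(lines),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The two signals reinforce each other: in the constructed sample the process that writes the .encrypted files (pid 4120) is also the parent of the vssadmin call, which is the kind of correlation a SOC rule would use to raise severity rather than alerting on either event alone.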
The victims are instructed to pay the ransom by registering a Bitcoin wallet and buying bitcoins from suggested links, then transferring the sum to a specific Bitcoin address. From there, the money is transferred many times over before it finally ends in the crooks’ hands.
Initially, the crooks asked for AU$598, but warned that the price would double if the ransom wasn’t paid within 96 hours.