Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Australia Crime Security

Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware 83

First time accepted submitter River Tam writes Cybercriminals behind the TorrenLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia. If you're a Windows user in Australia who's had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.
This discussion has been archived. No new comments can be posted.

Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware

Comments Filter:
  • by dillee1 ( 741792 ) on Wednesday December 17, 2014 @10:20PM (#48623019)
  • So, like half?

  • I'm surprised people are still gullible enough to click on links and attachments in emails, but apparently some still are. This is a pretty good explanation of the attack vector: https://www.youtube.com/watch?v=dQw4w9WgXcQ [youtube.com]
  • by Hartree ( 191324 ) on Wednesday December 17, 2014 @11:22PM (#48623297)

    As computer files become more valuable to ordinary people (rather than just IT geeks and businesses), backup plans become more important.

    Most general users don't do this, but as the data becomes more damaging if it's lost, encrypted or maliciously destroyed, they may need some sort of solution.

    Even a pretty sophisticated ransom-ware would have a hard time if you take an occasional backup and check it by restoring/reading the file on another machine.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Word.

      Posting Anon because I'm embarressed, but our business got hit hard by a rootkit two weeks ago (not TorrentLocker). Proved damn near impossible to get rid of.

      In the end we erased the physical desktops and rolled all the VM's back to our August DR backup. Fortunately all our work is done in VM's and we backed up data offsite religiously (with version histories).

      So we had a shitty virus protection policy but were saved by good backups.

      We now have WebRoot rolled out via group policy, firewalls, windows u

      • by Anonymous Coward
        Anon too for the same reasons.

        We got hit by this in a small way a few weeks ago, driveby download exploiting a Flash vulnerability for which a patch had been issued just the previous day but not rolled out. Not a huge impact on us, but Flash was just one day out of date and everything else was fully patched.

        Backups are the only real defence though. Offline backups too, as it is perfectly possible for ransomeware to encrypted mapped network drives, USB devices and even in theory some cloud backup service

    • "Most general users don't do this" How can you even say that. "General users" are the ones who have to format because they get viruses.

      They sure as hell know how to backup their stuff, and they've had a lot of practice.
      • In my experience: not really. They just have virusses and don't know it.
        Most users still don't backup. They just don't think about it.

      • by Hartree ( 191324 )

        "How can you even say that."

        It's been my observation over years of dealing with them.

        Most people who use computers aren't the Slashdot crowd. They "kinda, sorta" know enough to be able to check their email, surf the web, or play some games.

        Usually when they have a failure from malware, they've been infected (perhaps with other things as well) for some time. If they can even find the original system restore disk, they're way ahead of the game.

        They get Cousin Jimmy (or one of their kids), cause he's g

    • Comment removed based on user account deletion
    • Comment removed based on user account deletion
  • We install Sandboxie on all computers that are in for service. The benefits of using it are explained to the customer. A rogue website only takes over the sandboxed session. If infected, close the box, delete the contents and you're up and running again. I do not comprehend why the "partial" sandbox of existing browsers is considered to offer protection. Full sandboxing is the only way to do so. Nothing short of a full sandbox is safe. The sandbox in 360 Total Security looks promising also. But, it needs to
    • by mjwx ( 966435 )

      We install Sandboxie on all computers that are in for service. The benefits of using it are explained to the customer. A rogue website only takes over the sandboxed session. If infected, close the box, delete the contents and you're up and running again.

      That's completely useless in this case as the malware fools the user into installing it. The user downloads a zip file containing an executable, so its well outside the sandbox by that point.

    • by ihtoit ( 3393327 )

      I'm running a browser in a VM. Everything that happens happens inside the VM. Shit goes south, kill the VM, start it up again from a read only image. What malware?

      • by Le Marteau ( 206396 ) on Thursday December 18, 2014 @02:33AM (#48623891) Journal

        > I'm running a browser in a VM... What malware?

        Your faith in the security of VM sandboxes is misplaced.

        It is trivial to write a program which can detect if it is in a VM. And then, attack the hypervisor and escape the protected environment. As virtualization has become more common, such malware has gone from academic exercises to real-world exploits.

        http://www.symantec.com/avcent... [symantec.com]

        My favorite line:

        Finally, the most interesting attack that malicious code can perform against a virtual machine emulator is to escape from its protected environment.

        With virtualization becoming more and more common

      • That malware then corrupts files in whatever network shares you can attach to from your VM - so congrats, your operating system is safe but your co-workers still get their files stuffed up.
        Hopefully it's scaring people into having REAL backups that can't be corrupted without loading/attaching external media or deleting snapshots.
        • by ihtoit ( 3393327 )

          one would assume that had one taken the trouble to sandbox an operating environment to mitigate risk of data corruption by malware, one would also have made sure that no folder shares were available to that sandbox. Your argument is moot.

    • Full sandboxing is the only way to do so.

      How do you attach documents to an email in a full-sandboxed world?

      How do I receive a document by email, update it with my comments, and pass it along to the next reviewer?

  • Where they talk about targeting Windows boxes both in the editorial and the slashdot post. How refreshing. This publication is mile aheads of the ass-licking Microsoft of Zdnet and pcworld.
  • According to the image right at the top of the article, there were over 11000 in Turkey. If we're singling out the most infections, that should be the headline. Is Australia somehow more significant?
  • by felixrising ( 1135205 ) on Thursday December 18, 2014 @07:08AM (#48624585)
    We had two employees access the torrentlocker website, right through out proxy portal with Kaspersky and McAfee running, and they downloaded it to their PCs running McAfee and then ran the bloody thing. By the next morning, we had more than 50000 files encrypted. I spent the next two days scripting deletion and restores across several multi-terabyte file shares. What I REALLY don't get is, why the heck did a known piece of malware like that make it through all of those antivirus/antimalware systems and heuristics and succeed in ruining two perfectly good days? (just ignoring all of the staff downtime).... Anybody?
    • by BitZtream ( 692029 ) on Thursday December 18, 2014 @08:07AM (#48624755)

      Because anyone who has been in IT for any length of time knows McAfee is complete shit? Proxies trying to stop the spread of things distributed by sites that bust their ass to avoid being caught by a blocking proxy?

      I.E. If you DEPEND on anything from a 'security' company like McAfee, Kaspersky, F-secure, whoever ... you've already failed. Those are backups that hopefully help to catch the things that the user didn't.

      Your first and only REAL line of defense is the user and proper administration like only letting people access files they NEED to access.

      • That sounds like a security argument that forgets the convenience part of the equation. If you have departments of 100+ staff and need them to have access to the same files... all it takes is one user falling for it, you're still left moping up. We had two staff fall for it from different departments... fun times.
      • I'm not sure that McAfee is that horribly bad (as opposed to being bad), but I suspect malware authors test against the latest versions of all the commercial anti-malware vendors to make sure they'll get through. The malware protection guys will catch up, so McCrappy can be useful against older malware, but no commercial product will stop the latest stuff.

    • Comment removed based on user account deletion
  • by wbr1 ( 2538558 ) on Thursday December 18, 2014 @07:13AM (#48624607)
    Most are rather dumb. They will encrypt standard file types such as jpg and doc, but leave really critical stuff (qbw, pst, etc) alone. I guess the writers, not knowing what files being encrypted in a user profile might brick a machine only go for easy targets. They will readily encrypt any attached drive as well, following the same ruleset. If your backup program stores in a standard .zip or in the clear, it will be encrypted too. The best safety net is an online backup that does versioning so you can roll back to pre-infection versions of files.

    One last note, in about 5%-10% of the cases I have worked on, I was able to recover files from VSS. Most of these variants attempt to disable VSS and delete the shadow copies, but they either are not successful or do it slowly. Yanking the drive from the running environment and looking at it with shadow explorer on a clean box can sometimes save some data. Here in the US Cryptorbit variants seem to be the most frequent I see (cryptodefense, cryptolocker, howdecrypt, etc). They have really exploded in the past month. A recent fake ADP email that was making it through spam filters was responsible for a lot. The linked site downloaded a zip containing an exe with an adobe pdf icon. If you have a suspect exe, see if it has been analyzed n malwr.com and you can get a good breakdown of its precise behavior.

    • by Anonymous Coward
      I have noticed a lot of pretty effective looking fishing emails in my gmail spam filter lately which could be responsible for the recent uptake in trojans.

      Right now, I have a spam purporting to be from FedEx: "Dear Customer, Your parcel has arrived at December 12. Courier was unable to deliver the parcel to you. To receive your parcel, print this label and go to the nearest office. " with their logo and a "Get Shipment Label" button. I could see some people falling for it.

      I also have an email suppo
  • "earned"? Perhaps that would be better expressed as "extorted".

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...