Recent Crypto-Ransomware Attacks: A Global Threat

We have noticed a recent influx of crypto-ransomware spreading in Australia. This wave resembles the spike in infections in the Europe/Middle East/Africa (EMEA) region that we wrote about in early December. Further research and analysis suggests that the attackers behind these incidents could belong to the same cybercriminal gang, because of the overlap in the IP addresses they use.

Infection Vectors

Our analysis shows that the family-based detection pattern that identified the TorrentLocker malware hitting Australia also identified the outbreaks in Turkey, Italy, and France.

We observed that the TorrentLocker malware is configured for both Australia and countries in EMEA, and shows similar payment pages for these countries. If a victim is not located in a targeted country, a generic English-language web page appears and the ransom is demanded in US dollars. Below is a series of screenshots displayed by TorrentLocker, which misleadingly tells victims that they are infected with the “CryptoLocker virus.”

Figure 1. Payment demands for various victims depending on their geo-locations.

In Australia, the base price is A$598, and the page warns that the price will double four days after the victim is shown the Bitcoin address.

Some examples of the IPs hosting fake TorrentLocker domains for various countries include , which hosts phishing pages for both Australia Post and Turkey’s TTNET, and , which hosted SDA Express TorrentLocker domains.

Finding Similarities in Spoofed Sites

Data from the Trend Micro™ Smart Protection Network™ shows us the top spoofed sites used and the countries in EMEA and Australia in which they are most prevalent. These sites are typically related to postal services (such as Australia Post) and government-related sites like , the official website of the Office of State Revenue in New South Wales. Other researchers have noted that the commonly spoofed domains in Australia include and . In Turkey the most spoofed domain is (the legitimate site belongs to a Turkish ISP), while (the site of the Spanish post office) is the most spoofed domain in Spain.

Given these data, we ran a search for strings related to these domains and found that from October to December 2014, these spoofed websites were accessed on average a thousand times or fewer per day. Among the countries we queried for accesses to these spoofed domains, Australia topped the list with a 75% share, led by its top spoofed domains and . Domains spoofing the Italian courier service are the third most accessed, while domains spoofing the Internet service provider are the fourth most accessed.
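The two pivots described above, grouping spoofed domains by the IP that hosts them and tallying which victim countries reach them, can be reproduced on your own proxy or DNS telemetry. The script below is an added example and is not Trend Micro code; the domains, the RFC 5737 documentation IPs and the log lines are all constructed (none are the post's real indicators), and the one-line-per-request log format is an assumption.

```python
"""Added example: cluster spoofed domains by shared hosting IP and measure
per-country access share from constructed proxy logs (not Trend Micro code)."""
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample indicators: invented look-alike domains mapped to
# (spoofed brand, target country, hosting IP). IPs are RFC 5737 test ranges.
SPOOFED_DOMAINS = {
    "auspost-parcel-tracking.example": ("Australia Post", "AU", "198.51.100.10"),
    "ttnet-online-fatura.example": ("TTNET", "TR", "198.51.100.10"),
    "sda-express-spedizione.example": ("SDA Express", "IT", "203.0.113.5"),
    "correos-aviso-envio.example": ("Correos", "ES", "203.0.113.5"),
    "osr-nsw-penalty-notice.example": ("NSW Office of State Revenue", "AU", "192.0.2.77"),
}

# Constructed proxy log lines, assumed format: "<date> <client country> <host> <status>"
LOG_LINES = """\
2014-10-01 AU auspost-parcel-tracking.example 200
2014-10-01 AU auspost-parcel-tracking.example 200
2014-10-01 AU osr-nsw-penalty-notice.example 200
2014-10-01 TR ttnet-online-fatura.example 200
2014-10-02 AU auspost-parcel-tracking.example 200
2014-10-02 IT sda-express-spedizione.example 200
2014-10-02 ES correos-aviso-envio.example 200
2014-10-02 AU auspost-parcel-tracking.example 200
2014-10-02 US auspost-parcel-tracking.example 200
2014-10-02 AU www.example.org 200
"""

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) ([A-Z]{2}) (\S+) (\d{3})$")


def shared_hosting_clusters(domains=SPOOFED_DOMAINS):
    """Group lure domains by hosting IP and keep only IPs that serve lures
    for more than one victim country: the overlap that points to one gang."""
    by_ip = defaultdict(list)
    for host, (_brand, country, ip) in domains.items():
        by_ip[ip].append((country, host))
    return {
        ip: sorted(entries)
        for ip, entries in by_ip.items()
        if len({country for country, _ in entries}) > 1
    }


def parse_log(text):
    """Parse log lines into (date, client country, host, status) tuples,
    skipping malformed lines instead of failing on them."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append((date.fromisoformat(m.group(1)), m.group(2),
                            m.group(3), int(m.group(4))))
    return records


def spoofed_hits(records, domains=SPOOFED_DOMAINS):
    """Keep only requests whose host is a known spoofed domain."""
    return [r for r in records if r[2] in domains]


def country_share(records, domains=SPOOFED_DOMAINS):
    """Fraction of spoofed-domain accesses per client country, largest first."""
    counts = Counter(country for _, country, _, _ in spoofed_hits(records, domains))
    total = sum(counts.values())
    return {c: n / total for c, n in counts.most_common()} if total else {}


def daily_average(records, domains=SPOOFED_DOMAINS):
    """Average number of spoofed-domain accesses per day with at least one hit."""
    hits = spoofed_hits(records, domains)
    days = {d for d, *_ in hits}
    return len(hits) / len(days) if days else 0.0


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    for ip, entries in shared_hosting_clusters().items():
        print(f"{ip} serves lures for {[c for c, _ in entries]}")
    for country, share in country_share(recs).items():
        print(f"{country}: {share:.0%}")
    print(f"average hits/day: {daily_average(recs):.1f}")
```

On the constructed data the two shared IPs each host lures for two different countries, Australia accounts for five of nine hits, and the request to the unrelated host is ignored. Against real telemetry, feed `parse_log` your proxy export and replace `SPOOFED_DOMAINS` with the lure list from your own blocklist.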

Below is a detailed breakdown of the spoofed domains we monitored:


Figure 2. Spoofed blocked domains

This indicates that the same gang may be active in different countries, which means we could be looking at a massive, global threat.

Remaining Vigilant against Crypto-Ransomware Attacks

As crypto-ransomware attacks continue to spread across Australia and the surrounding region, the findings above give us reason to believe that we may be seeing a global trend in these attacks, and that the threat may soon expand to a much larger victim pool. The best course of action for users is to stay vigilant against these attacks: ignore false messages about files held for “ransom,” and stay abreast of the latest cybercriminal tricks and techniques.

With analysis and insights from Paul Pajares, Feike Hacquebord, and Jon Oliver

Some SHA-1 hashes of related files:

  • bee66ab8460ad41ba0589c4f46672c0f8c8419f8
  • 3c0caa993cb946ce15ca4b965fe272603b54958d

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 14 January 2015. The full text is available from the content source, the TrendLabs Security Intelligence Blog by Trend Micro.