Websense® Security Labs™ researchers observed that ransomware was a plague in 2014 and this threat type shows no sign of relief in 2015. In this blog we profile the user experience for a Torrentlocker variant focusing on the Australian region.
Ransomware is an umbrella name for a type of cybercrime in which the attackers restrict access to a computer until a ransom is paid to restore system access and function. Crypto Ransomware is a form of ransomware in which access to data is blocked by encrypting the data and withholding an encryption key until a ransom is paid to the cyber criminals. (Authors’ note: We do not recommend that a ransom is paid to the cyber criminals).
We have seen that Torrentlocker rotates through many themes/lures/targets and tends to be low volume and targeted.
In the latter half of 2014 we observed fake Royal Mail lures (targeting UK end-users) and Australia Post lures, but then Torrentlocker moved on to Turkish-themed lures (Turk Telekom, TTNET) and then New South Wales Government lures, of which we see a repeat in our current case study. There have also been Czech Post lures, TESA Telecom (Brazilian-themed) lures, Italian lures and others too. The lure tend to be fake ‘eFax’ or ‘penalty’ download pages.
The Websense ThreatSeeker Intelligence Cloud identified a campaign sent yesterday to Australian end users. This ransomware followed the 7 Stages of Advanced Threats model in a typical fashion.
Australian-themed Ransomware
Our case study, the Australian-themed ransomware, exhibits the typical process from lure to infection.
Ransomware is most often distributed via email lures or compromised websites (specifically malvertising). Today’s case study used an initial email lure with a topic of penalties induced by speed cameras. A typical subject is “Penalty id number – <random number> / Fixed by speed camera“.
The lure email contains a URL (in this case a compromised wordpress host). The end user is sent through to a website that makes a call to action:
In this case we see a Penalty Notice claiming to be from the New South Wales Office Of State Revenue. For the avoidance of doubt the OSR is a legitimate organization and their website is hosted at http://www.osr.nsw.gov.au/. Social Engineering is needed to convince the end user to perform an action. Note the use of a legitimate-looking logo as well as a CAPTCHA entry form to add a degree of legitimacy on the fraudulent website, and to encourage a further click action. Hosts of the fraudalent website rotate, but include hxxp://nsw.gov.yourpenalty.com/ and hxxp://osr.nsw.mypenalty.org/ Similar variants on the theme will likely occur in the future.
Once the end user has been duped into clicking through, they are presented with a warning notice:
Decrypt instructions are provided via an HTML document installed on the user’s machine. This points the user to yet another website where they are encouraged to perform a transaction:
As is typical, the decrypter service website offers two prices for decryption. If the end user pays promptly they have to pay 2.4 bitcoins, (approximately) 499 USD. If they pay after 3 days they would have to pay approximately 998 USD.
A timer is shown to encourage urgent action. The malicious website also reveals the number of files that have been encrypted. Instructions are provided if the user is unsure how to trade in Bitcoins.
As before, we do not recommend paying the cyber-criminals to decrypt the files. Success is not guaranteed. If you fear you may have encountered a ransomware website (at any stage of the threat lifecycle) you can check our view on that by submitting the site to our online CyberSecurity Intelligence website analysis tool at http://csi.websense.com/
This variant of Torrentlocker cycles through hosts with various country code Top Level Domains (ccTLDs). We observed .com, .at (Austria), .lt (Lithuania) and .ru (Russia). Variants included:
hxxp://hochim.ru/wp-content/themes/thems/readip.php?eid=8335416278221988351634911194654464864426932877911359115391878239578365375
hxxp://kronbichler.at/wp-content/themes/thems/readip.php?eid=6976374276886957263939312995363812751134728673645492585177832379924246324
hxxp://zsohajnowka.pl/wp-content/thems/readip.php?eid=623534149942711528344994141811459
As mentioned above the fraudalent OSR-themed websites also change frequently to make detection difficult without real-time detection technologies.
The Financial Services sector was the one most targeted by this particular campaign.
You can read the full blog post here.
About Websense
Websense, Inc. is a global leader in protecting organizations from the latest cyber attacks and data theft. Websense TRITON ® comprehensive security solutions unify web security, email security, mobile security and data loss prevention (DLP) at the lowest total cost of ownership. More than 11,000 enterprises rely on Websense TRITON security intelligence to stop advanced persistent threats, targeted attacks and evolving malware. Websense prevents data breaches, intellectual property theft and enforces security compliance and best practices. A global network of channel partners distributes scalable, unified appliance- and Cloud-based Websense TRITON solutions.
Websense TRITON stops more threats; visit www.websense.com/proveit to see proof. To access the latest Websense security insights and connect through social media, please visit www.websense.com/smc. For more information, visit www.websense.com and www.websense.com/triton.
