Ransomware - No sign of relief, especially for Australians

Mark Haffenden, Nicholas Griffin and Carl Leonard, Websense | March 6, 2015
This blog piece profiles the user experience for a Torrentlocker variant focusing on the Australian region.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Websense Security Labs researchers observed that ransomware was a plague in 2014 and this threat type shows no sign of relief in 2015. In this blog we profile the user experience for a Torrentlocker variant focusing on the Australian region.

Ransomware is an umbrella term for a type of cybercrime in which attackers restrict access to a computer until a ransom is paid to restore system access and function. Crypto ransomware is a form of ransomware in which access to data is blocked by encrypting the data and withholding the decryption key until a ransom is paid to the cyber criminals. (Authors' note: We do not recommend that a ransom is paid to the cyber criminals.)

We have seen that Torrentlocker rotates through many themes/lures/targets and tends to be low volume and targeted.

In the latter half of 2014 we observed fake Royal Mail lures (targeting UK end users) and Australia Post lures, but then Torrentlocker moved on to Turkish-themed lures (Turk Telekom, TTNET) and then New South Wales Government lures, of which we see a repeat in our current case study. There have also been Czech Post lures, TESA Telecom (Brazilian-themed) lures, Italian lures and others. The lures tend to be fake 'eFax' or 'penalty' download pages.

The Websense ThreatSeeker Intelligence Cloud identified a campaign sent yesterday to Australian end users. This ransomware followed the 7 Stages of Advanced Threats model in a typical fashion.

Australian-themed Ransomware

Our case study, the Australian-themed ransomware, exhibits the typical process from lure to infection.

Ransomware is most often distributed via email lures or compromised websites (specifically malvertising). Today's case study used an initial email lure on the topic of penalties issued by speed cameras. A typical subject is "Penalty id number - <random number> / Fixed by speed camera".

The lure email contains a URL (in this case a compromised WordPress host). The end user is sent through to a website that presents a call to action.

In this case we see a Penalty Notice claiming to be from the New South Wales Office of State Revenue. For the avoidance of doubt, the OSR is a legitimate organization and its website is hosted at http://www.osr.nsw.gov.au/. Social engineering is needed to convince the end user to perform an action. Note the use of a legitimate-looking logo as well as a CAPTCHA entry form to add a degree of legitimacy to the fraudulent website and to encourage a further click. Hosts of the fraudulent website rotate, but include hxxp://nsw.gov.yourpenalty.com/ and hxxp://osr.nsw.mypenalty.org/. Similar variants on the theme will likely occur in the future.
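As an added illustration (not Websense's code), the following Python triage helper turns the two indicators above into mail-gateway checks: the quoted subject-line format, and hosts that stack "osr"/"nsw"/"gov" labels under a domain other than nsw.gov.au. The sample messages, the `urls` field (links seen in the message plus the landing page they redirected to) and the compromised-blog hostname are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Subject format quoted in the post: "Penalty id number - <random number> / Fixed by speed camera"
SUBJECT_RE = re.compile(r"^Penalty id number\s*-\s*\d+\s*/\s*Fixed by speed camera$", re.I)

# The genuine OSR site named in the post lives under nsw.gov.au; anything there is legitimate.
LEGIT_SUFFIX = "nsw.gov.au"
# Labels the rotating lure hosts borrow from the real site (heuristic choice, not from the post).
IMPERSONATED_LABELS = {"osr", "nsw", "gov"}

def is_lure_subject(subject: str) -> bool:
    """Match the speed-camera penalty subject line used by the campaign."""
    return SUBJECT_RE.match(subject.strip()) is not None

def is_lookalike_host(url: str) -> bool:
    """Flag hosts that stack two or more osr/nsw/gov labels outside nsw.gov.au.

    Defanged hxxp:// URLs, as written in the post, are accepted as-is.
    """
    host = (urlparse(re.sub(r"^hxxp", "http", url, count=1)).hostname or "").lower().rstrip(".")
    if host == LEGIT_SUFFIX or host.endswith("." + LEGIT_SUFFIX):
        return False  # really hosted under the NSW government domain
    borrowed = [label for label in host.split(".") if label in IMPERSONATED_LABELS]
    return len(borrowed) >= 2

def triage(messages):
    """Return (message id, reasons) for every message that matches a lure indicator."""
    hits = []
    for msg in messages:
        reasons = []
        if is_lure_subject(msg["subject"]):
            reasons.append("subject")
        if any(is_lookalike_host(u) for u in msg["urls"]):
            reasons.append("lookalike-host")
        if reasons:
            hits.append((msg["id"], reasons))
    return hits

# Constructed sample mail metadata (not real traffic) mirroring the post's description.
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "Penalty id number - 48213 / Fixed by speed camera",
     "urls": ["http://compromised-blog.invalid/wp-content/uploads/notice.php",
              "hxxp://nsw.gov.yourpenalty.com/"]},
    {"id": 2, "subject": "Your penalty notice", "urls": ["hxxp://osr.nsw.mypenalty.org/"]},
    {"id": 3, "subject": "Fines information", "urls": ["http://www.osr.nsw.gov.au/"]},
]

if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_MESSAGES):
        print(f"message {msg_id}: {', '.join(reasons)}")
```

The host check is a coarse heuristic for this one theme; a production gateway would combine it with URL reputation and the CAPTCHA-page pattern rather than rely on labels alone.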
