Evolving TorrentLocker ransomware generating big money

The TorrentLocker ransomware has returned with a vengeance and is starting to bring in big money for its operators.

CryptoLocker returns after Operation Tovar

It's more than seven years since Eugene Kaspersky, head of Kaspersky Lab, caused a stir amidst claims that cyber-criminals were operating their scams as a major business model. Although his comments at a conference in London were initially met with scepticism, few now doubt the business nature of modern cyber-criminality.

The sheer scale of the business model was highlighted early last month when ESET revealed that the TorrentLocker ransomware had generated more than £24.8 million ($40 million) in revenues for its creators since it first appeared in March 2014.

Confirming research carried out by iSIGHT Partners in August, ESET said that more than 82,000 Bitcoins were transferred by computer users in their desperate attempts to unlock their encrypted files.

At the time, with each Bitcoin worth around £300 ($480), the security vendor noted that the scale of the fraud was now topping the £24.8 million mark as of the 4th of September.

Even though the value of Bitcoin has taken a tumble in recent weeks, the volume of TorrentLocker infections has continued to soar, with ESET observing that the infections have been almost as successful as those of the actors responsible for CryptoLocker.

iSIGHT says it first saw TorrentLocker targeting victims using Australia Post-themed phishing campaigns and websites.

The websites, says the research firm, prompt users to enter a CAPTCHA in order to get details about a shipped package. After entering the CAPTCHA, the user is then prompted to download and save a file that turns out to be TorrentLocker.

According to Fox-IT, the Dutch security research firm, a total of seven Bitcoin addresses have now been seen accepting ransomware payments totalling more than 860 Bitcoins, suggesting that a second wave of phishing-based ransomware demands - with a net worth of £1.28 million - has been taking place since the middle of September.

Commenting on the new TorrentLocker campaign, Keith Bird, UK managing director with Check Point, said that ransomware has become a popular tactic with criminals because victims frequently have no idea how to deal with the attack, other than to pay the ransom.

"Unfortunately, the more frequently ransoms are paid, the greater the incentive for malware creators to launch more attacks," he said, adding that ransomware commonly arrives in a phishing attack - a vector that has been proven to work.

This, he explained, highlights the importance of having multi-layered network security that includes threat emulation, to stop malware before it reaches the network, and also how critical staff awareness of phishing is in protecting against particularly aggressive attacks.