Double whammy as UK users hit by banking and ransomware
Double whammy as UK users hit by banking and ransomware

TorrentLocker, which first surfaced in Australia three weeks ago, has now turned its sights on the UK, says security firm ESET, infecting and encrypting computers via a fake Royal Mail package-tracking phishing email, then demanding a bitcoin ransom of £350 if paid within 24 hours or £700 otherwise to unlock them.

ESET malware researcher Marc-Etienne M.Léveillé said in a 4 September blog that TorrentLocker's web server is hosted and hidden on the Tor network, adding: “To make it is easy for victims to access the web page, TorrentLocker is giving links to Tor2Web nodes so they don't have to install additional software to reach the website.”

ESET reports that since March, one bitcoin wallet associated with TorrentLocker has transferred more than 82,000 bitcoins - valued at a staggering £24.5 million.

The company explains: “This wallet has been associated with other scams in the past, including wallet stealing and selling fake mining hardware. We do not know if this account is owned by the TorrentLocker gang or it is some kind of exchange service used by different groups.”

M.Léveillé told via email: “The TorrentLocker campaign started at the beginning of August, but this particular wallet has been active since March, so it is definitely not only money paid by the TorrentLocker victims.”

He added that while ESET believes TorrentLocker attacks are currently limited to the UK and Australia, “the malicious actors are likely to target new countries to expand their potential victims. Whatever postal service you use, getting tracking information of a package should not require downloading or opening any files. Information should be right there in your internet browser. Also, if you don't expect a package, you shouldn't click on links that appears to be from a postal service.”

TorrentLocker was first revealed by US cyber threat intelligence firm iSIGHT Partners in mid-August, deliberately mimicking more feared ransomware brands like CryptoLocker and CryptoWall.


Meanwhile, security firm PhishLabs reports that the Vawtrak banking Trojan, which has been around since the mid-2000s, has recently moved from attacking mainly financial institutions in Japan, to targets in the UK, US, Canada, Australia, Turkey and Slovakia.