Once the end user has been duped into clicking through, they are presented with a warning notice.
Decrypt instructions are provided via an HTML document installed on the user's machine. This points the user to yet another website where they are encouraged to perform a transaction.
As is typical, the decrypter service website offers two prices for decryption. If the end user pays promptly they have to pay 2.4 bitcoins, (approximately) 499 USD. If they pay after 3 days they would have to pay approximately 998 USD.
A timer is shown to encourage urgent action. The malicious website also reveals the number of files that have been encrypted. Instructions are provided if the user is unsure how to trade in Bitcoins.
As before, we do not recommend paying the cyber-criminals to decrypt the files. Success is not guaranteed. If you fear you may have encountered a ransomware website (at any stage of the threat lifecycle) you can check our view on that by submitting the site to our online CyberSecurity Intelligence website analysis tool at http://csi.websense.com/
This variant of Torrentlocker cycles through hosts with various country code Top Level Domains (ccTLDs). We observed .com, .at (Austria), .lt (Lithuania) and .ru (Russia).
As mentioned above the fraudalent OSR-themed websites also change frequently to make detection difficult without real-time detection technologies.
The Financial Services sector was the one most targeted by this particular campaign.
Protecting from Ransomware
Websense customers were protected at the time of this Australian-themed ransomware attack via real-time analytics within ACE, our Advanced Classification Engine. Protection is offered at the different stages of the attack detailed below:
- Stage 2 (Lure) - ACE has detection for the email lure, and the website contained within.
- Stage 3 (Redirect) - ACE has detection for the link inside the email lure, and for the ultimate destination of the counterfeit website.
- Stage 5 (Dropper) - ACE has detection for the dropped file, as shown by our File Sandboxing report mentioned below.
- Stage 6 (Backchannel Traffic) - ACE has detection for the command-and-control communication, preventing the malware from functioning correctly.
Our File Sandboxing tool classifies the ransomware payload as Malicious in the report here.
At the time of writing (25 February 2015) the file sample has a detection rate of only 3 out of 57 anti-virus vendors in VirusTotal.
Ransomware will continue to evolve as we progress through to 2015. Once a machine has become infected and files encrypted there is a little that an end user can do to counter it. To strengthen your overall security posture we recommend that you raise awareness within your employee base of the dangers and signs of ransomware, and adopt suitable technologies to identify and protect from the threat in the early stages of the threat lifecycle.
Sign up for MIS Asia eNewsletters.