Bitcoins reach an address that accumulated 82,272 coins ($40 / €30.832 million)

Sep 5, 2014 15:07 GMT  ·  By

The newly discovered TorrentLocker ransomware, which has file-encryption capabilities, has been observed targeting users in the UK via spam emails purporting to come from the Royal Mail postal service.

The messages claim to deliver package tracking information, which turns out to be an executable file. The malicious item is downloaded from a phishing website whose link is provided in the email.

“In August, only Australians were targeted with a fake Australian Post package-tracking page”, researchers from security firm ESET say; but as recently as September 2, they found that the operators behind TorrentLocker had started a new campaign focused only on victims in the UK.

The crooks have implemented an IP filtering system that bars users from geographical regions other than the UK from accessing the phishing website. Visitors who are filtered out are redirected to Google’s main page.

After the ransomware is installed on the system, it immediately proceeds to encrypt the data stored on it. Once this operation is complete, a ransom message is displayed, asking for £350 ($571 / €440) to be paid within 72 hours. If the victim does not comply, the ransom doubles.

As usually happens with this type of threat, the cybercriminals want the money to be delivered in Bitcoins, to avoid identification.
</gre_replace>
<gr_replace lines="17" cat="clarify" orig="Moreover">
Moreover, they use a .onion host in the Tor (The Onion Router) anonymity network to hide their infrastructure.

Moreover, they use a .onion host in the TOR (The Onion Router) anonymity network to hide their infrastructure.

“To make it easy for victims to access the web page, TorrentLocker is giving links to Tor2Web nodes so they don’t have to install additional software to reach the .onion website,” Marc-Etienne M.Léveillé writes in a blog post.

It appears that the crooks acquired the domain name of one of the Tor2Web nodes provided to the victim specifically for this operation, because it was registered just two weeks earlier.

TorrentLocker was discovered by researchers at iSIGHT Partners, who at the time found that it targeted users in Australia.

Based on its own analysis and that of iSIGHT, ESET presumes that the same threat actor could be behind both campaigns.

This assumption relies on the fact that, although two different Bitcoin wallet addresses are used in the two incidents, both of them transfer the money to a single address.

It may also be that a large crime ring coordinates the malicious operation, because the final Bitcoin wallet recorded transactions amounting to over 82,272 Bitcoins. Converted into regular currency, this is about $40 / €30.832 million at the moment.

The address has been associated with other scams, including crypto-currency theft and mining.

However, there is also the possibility that the wallet address is used by the crooks as an exchange point that offers services to multiple cyber-gangs.