Could the Russian ransomware masters hiding in their Eurasian fastness have an unlikely Australian malware rival?
It’s an intriguing possibility raised by the case of TorrentLocker, a new type of extortion malware discovered by security firm iSight Partners that appears to target only Australian victims using Bitcoin sites based in the country to purchase its hefty ransoms.
The firm is undecided about the Australian connection, although targeting only one country (so far) is an unusual departure for ransom malware, which has hitherto been aimed at groups of developed nations at the same time.
The facility to gather ransoms in Australian dollars is probably a simple localisation tactic, but using .au websites for Bitcoin purchase was more unusual, the firm suggested.
Whoever created TorrentLocker, they are opportunists, neatly picking up on ideas tried in the more famous CryptoLocker and the recent CryptoWall ransom Trojans without actually using their code.
Smash and grab might be another description. State of the art ransomware such as CryptoWall uses sophisticated encryption based on generating a symmetric key for each of the victim’s files using the criminal’s own RSA public key. That makes decryption of even one file a mammoth task without the public key.
TorrentLocker falls back on the much simpler notion of generating what appears to be a single Rijndael symmetric key for all files, stored either locally or remotely on the command & control server. This immediately makes its C&C a target because breaking into it offers the prospect of finding keys for each victim. CryptoWall attempts to avoid this weakness by hiding its C&C using the Tor anonymity network.
One thing TorrentLocker does have in common with its more grown-up rivals is the sums of money it demands for an unlock key, 0.8 Bitcoins or around 500 Australian dollars (just under $500).
“While TorrentLocker introduces no new capabilities to those of previously observed ransomware, the malware introduces the interesting approach of spoofing components of other ransomware samples,” said iSight’s Richard Hummel.
“iSIGHT Partners believes that use of this malware will not grow significantly due to a lack of distinguishing features.”
As for the Australian connection, Russian cybercriminals (if they turn out to be involved) do seem to have a thing for the country. In May, users of Apple's iPhones and iPads in the country were hit by mystery ransom demands which later turned out to have a Russian origin.