Only 570 of 40,000 European victims of ransomware paid the Bitcoin fee.
Infecting more than 40,000 systems in Europe, TorrentLocker started spreading in early 2014 and encrypted documents, pictures and other files on user’s device, with a demand of up to 4.081 Bitcoins to unlock it, around £950.
ESET’s research found that 2.329 UK systems had been infected, and around ten per cent (up to 210) had paid the ransom. Commonly, the ransom was 2 Bitcoins, around £650. In Ireland, none of the 112 victims paid while in the most infected nation, Turkey (11,700), 228 paid.
Ken Westin, senior security analyst at Tripwire, said that the statistics did not surprise him,and he believed that the number of infected systems and money made by the groups will increase. “Criminal syndicates have found a way to generate revenue from their exploits, paired with the anonymity of Bitcoin making it difficult if not impossible for law enforcement to go after the culprits,” he said.
“We will see more sophisticated versions of ransomware in the future and not just individual’s systems, but also entire networks, once a group finds a way to turn a profit, more groups will follow in short order.”
Marc-Etienne Léveillé, researcher at ESET, said that the infection spreads by a victim receiving a spam email with a malicious document and to fool the victims, the attackers have even inserted CAPTCHA images to create false sense of security.
“With TorrentLocker, the attackers have been reacting to online reports by defeating Indicators of Compromise used for detection of the malware and changing the way they use Advanced Encryption Standards (AES) from Counter mode to Cipher block chaining mode (CBC) after a method for extracting the key stream was disclosed,” he said.
He explained that these changes mean that TorrentLocker victims can no longer recover all their documents by combining an encrypted file and its plain text to recover the key stream.
Mark Sparshott, EMEA director at Proofpoint, said: “TorrentLocker’s success stems from the use of advanced longlining and phishing emails to distribute the malware installer in a weaponised attachment or a link to a weaponised website. Proofpoint’s Human Factor report showed just how successful TorrentLocker’s favored themes of Delivery & Order Notifications can be with an average of 1 in 10 recipients clicking these types of malicious links.
“As more people shift away from paper copies of key documents to electronic ones, TorrentLocker’s ransom may seem a small price to pay for many victims . As the threat
of advanced phishing still remains unaddressed by most organisations, ransomware like TorrentLocker is likely to increase in 2015.”
