
Aus & NZ organisations increasingly targeted by ransomware

05 Sep 2016

The Australian Federal Police, Australia Post, and New Zealand Post are among several organisations across 22 countries targeted by TorrentLocker, a crypto-ransomware, according to ESET researchers.

TorrentLocker lures victims to a page claiming that a “document” must be downloaded. If the file is in fact downloaded and opened, the ransomware executes.

According to ESET, the current version of TorrentLocker is highly localised: victims are shown information in their own language and their own currency.

Nick Fitzgerald, ESET senior research fellow, says these newer TorrentLocker variants have really upped the ante.

“Earlier variants, just like other crypto-ransomware, encrypted files of specific types, as determined by their filename extension,” he says.

“The recent variants turn that approach on its head, encrypting all files except for a few types necessary to allow the system to keep working after the file system has been encrypted,” explains Fitzgerald.

“This new approach to encrypting nearly all files on a system will have ramifications for the kind of backups needed to properly restore a system that has been encrypted by TorrentLocker.”

He says that, as always, unexpected offers, and especially claims of criminal behaviour, received by email should be treated with great scepticism.

“Should you have been expecting such an email anyway, rather than clicking the links in the email, enter the homepage address of the organisation in your browser’s address bar, or visit it via one of your own bookmarks, and follow the options provided at the site to locate your reputedly ‘missing’ parcel, ‘unpaid fine’, etc using the apparent reference number from the email,” he explains.

To protect yourself and avoid being infected by ransomware, including TorrentLocker, Fitzgerald advises you to follow these 11 tips:

  1. Always back up your data. If you have conducted regular backups, you will be able to restore what is lost. Ensure that at least one set of backups is not connected to your computer during normal operations.
  2. Show hidden file extensions. If you see a file named with “.docx.exe”, something is wrong with it. Showing extensions makes malicious files easier to spot.
  3. Filter EXEs in email. If you receive email with .EXE attachments, have your email system filter executable files, or exchange executables only as password-protected ZIP files if you must send or receive them.
  4. Disable files running from the AppData/LocalAppData folders. Windows provides rules to disallow a particular, notable behaviour used by Cryptolocker: running its executable from the AppData or LocalAppData folders.
  5. Disable Remote Desktop Protocol. If you do not require RDP, disable it to protect your machine from Filecoder and other RDP exploits.
  6. Patch or update your software. This ensures you are protected from the latest threats.
  7. Use a reputable security suite. Having both anti-malware software and a software firewall helps you identify threats or suspicious behaviour.
  8. Disconnect from WiFi or unplug from the network immediately. If you are being infected by ransomware, disconnect from your network immediately.
  9. Use System Restore to get back to a known-clean state. Make sure you have also removed executable files, as some might still be present on the system.
  10. Set the BIOS clock back. Most ransomware is set to raise the price after 72 hours, so you can buy time by setting the BIOS clock back to a time before the 72-hour window is up.
  11. Do not pay the ransom. There is no guarantee your data will be released or properly decrypted.
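Tips 2, 4 and 5 above are the ones a Windows administrator can apply directly. The following PowerShell script is an added example, not code from the article or from ESET; it assumes a Windows workstation with the legacy Software Restriction Policy (SRP) registry layout and must be run from an elevated prompt.

```powershell
# Added example (not from the article or ESET): applies tips 2, 4 and 5
# on a Windows workstation. Assumes the SRP registry layout used by
# Windows' Software Restriction Policies; run elevated.

# Tip 2: show file extensions in Explorer so "invoice.docx.exe" is visible.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $explorer -Name HideFileExt -Value 0 -Type DWord

# Tip 4: SRP path rules that disallow executables launched from the
# AppData and LocalAppData folders named in the tip.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $srp -Force | Out-Null
Set-ItemProperty -Path $srp -Name DefaultLevel       -Value 0x40000 -Type DWord  # Unrestricted by default
Set-ItemProperty -Path $srp -Name TransparentEnabled -Value 1       -Type DWord  # check all software files
Set-ItemProperty -Path $srp -Name PolicyScope        -Value 0       -Type DWord  # all users

$blockedPaths = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\Temp\*.exe'
)
foreach ($path in $blockedPaths) {
    $id  = "{$([guid]::NewGuid())}"      # each rule gets a fresh GUID key name
    $key = "$srp\0\Paths\$id"            # subkey "0" = Disallowed security level
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData   -Value $path -Type ExpandString
    Set-ItemProperty -Path $key -Name SaferFlags -Value 0     -Type DWord
}

# Tip 5: deny inbound Remote Desktop if it is not required.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1 -Type DWord
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue

# Verify what was written: the disallowed paths and the RDP deny flag.
Get-ChildItem "$srp\0\Paths" | ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
(Get-ItemProperty $ts).fDenyTSConnections
```

Sign out and back in (or reboot) for the Explorer and SRP changes to take effect, and test any legitimate software that installs to AppData (some updaters do) before rolling the path rules out widely.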

“Ransomware is very active in Australia and New Zealand and will be increasingly targeting users moving forward,” says Fitzgerald.

“Users shouldn’t panic when encountering these kinds of situations and follow best practices to retrieve their data. Proactive prevention and protection can significantly reduce the risks and impact of malware and ransomware attacks.”
