Aus & NZ organisations increasingly targeted by ransomware
The Australian Federal Police, Australia Post, and New Zealand Post are among several organisations across 22 countries targeted by TorrentLocker, a crypto-ransomware, according to ESET researchers.
TorrentLocker displays a page claiming that a “document” should be downloaded. If that file is in fact downloaded and opened, the malware executes.
According to ESET this current version of TorrentLocker is extremely localised and victims are provided with information in their own languages and own currency.
Nick Fitzgerald, ESET senior research fellow, says these newer TorrentLocker variants have really upped the ante.
“Earlier variants, just like other crypto-ransomware, encrypted files of specific types, as determined by their filename extension,” he says.
“The recent variants turn that approach on its head, encrypting all files except for a few types necessary to allow the system to keep working after the file system has been encrypted,” explains Fitzgerald.
“This new approach to encrypting nearly all files on a system will have ramifications for the kind of backups needed to properly restore a system that has been encrypted by TorrentLocker.”
He says that, as always, unexpected offers, and especially claims of criminal behaviour, that are received by email should be treated with great skepticism.
“Should you have been expecting such an email anyway, rather than clicking the links in the email, enter the homepage address of the organisation in your browser’s address bar, or visit it via one of your own bookmarks, and follow the options provided at the site to locate your reputedly ‘missing’ parcel, ‘unpaid fine’, etc using the apparent reference number from the email,” he explains.
To protect yourself and avoid being infected by ransomware, including TorrentLocker, Fitzgerald advises you to follow these 11 tips:
- Always back up your data. If you have conducted regular backups, you will be able to restore what is lost. Ensure that at least one set of backups is not connected to your computer during normal operations.
- Show hidden file extensions. If you see an extension such as “.docx.exe”, there is something wrong with the file. Showing the extensions makes it easier to spot malicious files.
- Filter EXEs in email. Have your email system filter executable attachments; if you genuinely need to exchange .EXE files, send them only inside password-protected ZIP files.
- Disable files running from AppData/LocalAppData folders. There are rules within Windows to disallow a particular, notable behaviour used by Cryptolocker, which is to run its executable from the App Data or Local App Data folders.
- Disable Remote Desktop Protocol. If you do not require the use of RDP, you can disable RDP to protect your machine from Filecoder and other RDP exploits.
- Patch or Update your software. This will ensure you’re protected from the latest threats.
- Use a reputable security suite. Having both anti-malware software and a software firewall will help you identify threats or suspicious behavior.
- Disconnect from WiFi or unplug from the network immediately. If you are being infected by ransomware, disconnect from your network immediately.
- Use System Restore to get back to a known-clean state. Make sure that you have also removed executable files, as some might still be present on the system.
- Set the BIOS clock back. While most ransomware is generally set to 72 hours before raising the price, you can save time by setting the BIOS clock back to a time before the 72-hour window is up.
- Do not pay the ransom. There’s no guarantee your data will be released or properly decrypted.
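The “show extensions” and “filter EXEs in email” tips above can be turned into a simple attachment policy. The following is an added example, not code from the article or from ESET: it blocks direct executables, flags double extensions such as “.docx.exe”, looks inside ZIP attachments, and lets a ZIP holding an executable through only when its members carry the password-protection flag. The extension lists and the sample archives are constructed for this example.

```python
import io
import zipfile

# Constructed lists for this example; tune them to your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt"}

def classify_name(filename):
    """Return (verdict, reason) for a filename based on its extension(s)."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return "allow", "no extension"
    last = parts[-1]
    if last in EXECUTABLE_EXTS:
        # "report.docx.exe" is an executable disguised as a document
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            return "block", f"double extension .{parts[-2]}.{last}"
        return "block", f"executable extension .{last}"
    return "allow", f"extension .{last}"

def classify_attachment(filename, data):
    """Block executables; open ZIPs and check members. A ZIP holding an
    executable passes only if that member is password-protected."""
    verdict, reason = classify_name(filename)
    if verdict == "block" or not filename.lower().endswith(".zip"):
        return verdict, reason
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block", "corrupt or non-ZIP data with .zip name"
    with archive:
        for member in archive.infolist():
            inner_verdict, inner_reason = classify_name(member.filename)
            if inner_verdict == "block":
                # Bit 0 of the general-purpose flag marks an encrypted member.
                if member.flag_bits & 0x1:
                    return "allow", f"password-protected ZIP containing {member.filename}"
                return "block", f"unencrypted ZIP member: {inner_reason}"
    return "allow", "ZIP contains no executables"

def build_zip(members, encrypted=False):
    """Constructed sample archive. encrypted=True sets the encryption flag in
    the raw local and central headers to mimic a password-protected ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + off] |= 0x01
                pos = raw.find(sig, pos + 1)
    return bytes(raw)
```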
“Ransomware is very active in Australia and New Zealand and will be increasingly targeting users moving forward,” says Fitzgerald.
“Users shouldn’t panic when encountering these kinds of situations and follow best practices to retrieve their data. Proactive prevention and protection can significantly reduce the risks and impact of malware and ransomware attacks.”