Home Security TorrentLocker ransomware uses AFP, Australia Post as lure

The makers of the TorrentLocker ransomware appear to be using well-known organisations in order to make their job of extracting money from unsuspecting users easier.

Over the period from April to August, the ransomware has used fake notices about parcels due from Australia Post and New Zealand Post, and a notice of a case number from the Australian Federal Police.

Only Windows systems can be infected by the ransomware. When an unsuspecting user clicks on the download button on any of these notices, the ransomware payload is downloaded and installed, according to senior researcher fellow Nick FitzGerald of anti-virus company ESET.

TorrentLocker then follows the path taken by other ransomware, encrypting files on the infected user's Windows system and demanding payment.

But, Fitzgerald points out, there are some differences.

"These newer TorrentLocker variants have really upped the ante," he said. "Earlier variants, just like other crypto-ransomware, encrypted files of specific types, as determined by their filename extension.

afp tlocker

"The recent variants turn that approach on its head, encrypting all files except for a few types necessary to allow the system to keep working after the file system has been encrypted. This new approach to encrypting nearly all files on a system will have ramifications for the kind of back-ups needed to properly restore a system that has been encrypted by TorrentLocker."

FitzGerald said TorrentLocker was distributed through email which linked to a webpage where there was a message claiming that a document, purportedly a bill or a tracking code, should be downloaded.

nzpost tlocker

"If the malicious "document" is downloaded and opened by the user, TorrentLocker is executed. It starts its communication with the C&C server and encrypts the victim's files," he said.

Recent TorrentLocker campaigns have localised Web pages for 22 countries.

"Some examples of TorrentLocker impersonations between April and August have used major Australian and New Zealand organisations such as Australia Post, the Australian Federal Police and New Zealand Post as lures in their spam to catch their potential victim’s attention," FitzGerald said.

auspost tlocker

"As always, unexpected offers, and especially claims of criminal behavior, received via email should be treated with great scepticism," he said.

"Should you have been expecting such an email anyway, rather than clicking the links in the email, enter the homepage address of the organisation in your browser’s address bar, or visit it via one of your own bookmarks, and follow the options provided at the site to locate your reputedly ‘missing’ parcel, ‘unpaid fine’, etc using the apparent reference number from the email."


Download an in-depth guide to managing a healthy, motivated and energetic workforce without breaking the bank.


Sam Varghese

website statistics

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.






Join the iTWire Community and be part of the latest news, invites to exclusive events, whitepapers and educational materials and oppertunities.
Why do I want to receive this daily update?
  • The latest features from iTWire
  • Free whitepaper downloads
  • Industry opportunities