Over the period from April to August, the ransomware has used fake notices about parcels due from Australia Post and New Zealand Post, and a notice of a case number from the Australian Federal Police.
Only Windows systems can be infected by the ransomware. When an unsuspecting user clicks the download button on any of these notices, the ransomware payload is downloaded and installed, according to senior research fellow Nick FitzGerald of anti-virus company ESET.
TorrentLocker then follows the path taken by other ransomware, encrypting files on the infected user's Windows system and demanding payment.
"These newer TorrentLocker variants have really upped the ante," he said. "Earlier variants, just like other crypto-ransomware, encrypted files of specific types, as determined by their filename extension.
"The recent variants turn that approach on its head, encrypting all files except for a few types necessary to allow the system to keep working after the file system has been encrypted. This new approach to encrypting nearly all files on a system will have ramifications for the kind of back-ups needed to properly restore a system that has been encrypted by TorrentLocker."
FitzGerald said TorrentLocker was distributed through emails that linked to a web page carrying a message claiming that a document, purportedly a bill or a tracking code, should be downloaded.
"If the malicious 'document' is downloaded and opened by the user, TorrentLocker is executed. It starts its communication with the C&C server and encrypts the victim's files," he said.
Recent TorrentLocker campaigns have localised Web pages for 22 countries.
"Some examples of TorrentLocker impersonations between April and August have used major Australian and New Zealand organisations such as Australia Post, the Australian Federal Police and New Zealand Post as lures in their spam to catch their potential victim’s attention," FitzGerald said.
"As always, unexpected offers, and especially claims of criminal behavior, received via email should be treated with great scepticism," he said.
"Should you have been expecting such an email anyway, rather than clicking the links in the email, enter the homepage address of the organisation in your browser’s address bar, or visit it via one of your own bookmarks, and follow the options provided at the site to locate your reputedly ‘missing’ parcel, ‘unpaid fine’, etc using the apparent reference number from the email."