TorrentLocker ransomware uses AFP, Australia Post as lure

The makers of the TorrentLocker ransomware appear to be using well-known organisations in order to make their job of extracting money from unsuspecting users easier.

Over the period from April to August, the ransomware has used fake notices about parcels due from Australia Post and New Zealand Post, and a notice of a case number from the Australian Federal Police.

Only Windows systems can be infected by the ransomware. When an unsuspecting user clicks the download button on any of these notices, the ransomware payload is downloaded and installed, according to senior research fellow Nick FitzGerald of anti-virus company ESET.

TorrentLocker then follows the path taken by other ransomware, encrypting files on the infected user's Windows system and demanding payment.

But, FitzGerald points out, there are some differences.

"These newer TorrentLocker variants have really upped the ante," he said. "Earlier variants, just like other crypto-ransomware, encrypted files of specific types, as determined by their filename extension.

"The recent variants turn that approach on its head, encrypting all files except for a few types necessary to allow the system to keep working after the file system has been encrypted. This new approach to encrypting nearly all files on a system will have ramifications for the kind of back-ups needed to properly restore a system that has been encrypted by TorrentLocker."

FitzGerald said TorrentLocker was distributed through emails linking to a web page that told the recipient to download a document, purportedly a bill or a tracking code.

"If the malicious 'document' is downloaded and opened by the user, TorrentLocker is executed. It starts its communication with the C&C server and encrypts the victim's files," he said.

Recent TorrentLocker campaigns have localised Web pages for 22 countries.

"Some examples of TorrentLocker impersonations between April and August have used major Australian and New Zealand organisations such as Australia Post, the Australian Federal Police and New Zealand Post as lures in their spam to catch their potential victim’s attention," FitzGerald said.

"As always, unexpected offers, and especially claims of criminal behavior, received via email should be treated with great scepticism," he said.

"Should you have been expecting such an email anyway, rather than clicking the links in the email, enter the homepage address of the organisation in your browser's address bar, or visit it via one of your own bookmarks, and follow the options provided at the site to locate your reputedly 'missing' parcel, 'unpaid fine', etc., using the apparent reference number from the email."

Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.