Attackers Impersonate AFP And Australia Post To Spread Ransomware

Image: ESET

Ransomware emails pretending to be from legitimate organisations were distributed across 22 countries, including Australia. These emails lured victims into clicking through to fake websites to download malicious content. Two of the organisations involved include the Australian Federal Police (AFP) and Australia Post. Here's what you need to know.

Security vendor ESET has discovered that the emails were sent between April and August this year and the ransomware involved belong to the TorrentLocker family. It is a crypto-ransomware, also known as CryptoLocker, that was first seen back in 2014. While the ransomware campaign this time around looks similar to the old one, where localised spam emails were distributed, there are a few changes under the hood.

The emails still contain URLs that take users to a fake website to download a malicious executable file, but attackers have since added layers of redirection before the final destination. According to ESET:

"The link in the spam email message now leads to a PHP script hosted on a compromised server. This script checks if the visitor is browsing from the targeted country and, if so, redirects to the page where the next stage of this malware is downloaded. Otherwise, the visitor is redirected to Google. Also, the downloaded ZIP file now contains an obfuscated JavaScript file which will download and execute the TorrentLocker PE file."

Another new characteristic is that it encrypts all files expect for a few essential ones that allow the targeted system to keep running.

"This new approach to encrypting nearly all files on a system will have ramifications for the kind of backups needed to properly restore a system that has been encrypted by TorrentLocker," ESET senior research fellow Nick FitzGerald said.

As mentioned, among the legitimate organisations copied by attackers, the APF and Australia Post is on the list. You can see an example of one of the fake AFP websites above.

To avoid falling victim to this type of ransomware attack, ESET recommends the following steps:

  • Always back up your data. If you have conducted regular backups, you will be able to restore what is lost. Ensure that at least one set of backups is not connected to your computer during normal operations.
  • Show hidden-file extensions. If you see an extension with'.docx.exe', there’s something wrong with the file. Showing the extensions makes it easier to spot malicious files.
  • Filter EXEs in email. If you receive an email with .EXE files, get your email to filter the executable files or only use ZIP files with password protection if you are using .EXE files.
  • Disable files running from AppData/LocalAppData folders. There are rules within windows to disallow a particular, notable behaviour used by Cryptolocker, which is to run its executable from the App Data or Local App Data folders.
  • Disable Remote Desktop Protocol. If you do not require the use of RDP, you can disable RDP to protect your machine from Filecoder and other RDP exploits.
  • Patch or Update your software. This will ensure you’re protected from the latest threats.
  • Disconnect from WiFi or unplug from the network immediately. If you are being infected by ransomware, disconnect from your network immediately.
  • Use System Restore to get back to a known-clean state. Make sure that you also have removed executables files as some might still be present on the system.
  • Set the BIOS clock back. While most ransomware is generally set to 72 hours before raising the price, you can save time by setting the BIOS clock back to a time before the 72-hour window is up.
  • Do not pay the ransom. There’s no guarantee your data will be released or properly decrypted.

The last point is a contested one. In July, Lifehacker Australia spoke with RSA CTO Zulfikar Ramzan who said, in some instances, it may be worth forking out the money to pay the ransom.


Comments

Be the first to comment on this story!

Trending Stories Right Now