back to article TorrentLocker ransomware pestilence plagues Europe, bags $500k

TorrentLocker, one of the most widespread pieces of ransomware, has claimed thousands of victims since it first surfaced in February 2014, according to new research. Out of 39,670 infected Windows systems, 570 or 1.45 per cent have paid the ransom to criminals to decrypt their locked-up files, according to infosec biz ESET. …

  1. Khaptain Silver badge

    Interweb Licence for The Flox

    Should the heardables, sheeple, collectively known as "The Flox" be required to obtain a licence before being allowed to go near the interwebs ?

    In all honestly, many people were given the key to a technology/toolkit for which they have had no prior training, are completely unaware of the abuse that can and is done, and are simply lost in the miriad of abreviations and keywords. ( Those in a business environment have less excuses, there should be an IT bod in the vicinity to help explain things).

    A static textfile or an executable have no difference for the Flox, they just click on the damned thing and a program magically opens up displaying the content/performing the task. Why should they be expected, "inherently", to know the difference ?

    By default, Windows turns of File Extensions which makes things even more vague. I can understand the anguish of those that receive a file named "Electricity Bill.pdf.docx.exe"

    I understand that the OS has a lot to answer for but the user has his role to play as well.

    The user interface of a vehicule, road signs, basic laws are relatively simple but we are obliged to take lessons and pass a licence. Why is it different for computer use, which for the user, is far more complex ?

    1. malle-herbert Silver badge
      Trollface

      Re: Why is it different for computer use ?

      Well, first of all... you can't kill someone over standard tcp/ip...

      1. Crisp Silver badge

        Re: you can't kill someone over standard tcp/ip...

        Not easily...

      2. Khaptain Silver badge

        Re: Why is it different for computer use ?

        >Well, first of all... you can't kill someone over standard tcp/ip...

        That depends on how well you can manage Stuxnet and/or Regin.

      3. LucreLout Silver badge

        Re: Why is it different for computer use ?

        well, first of all... you can't kill someone over standard tcp/ip

        Not that I've done so much as a moments proper research, but.... I vaguely recall it being possible to hack and adjust pacemakers and other implanted devices due to below par security models and lack of any updating/patching?

    2. Anonymous Coward
      Anonymous Coward

      Re: Interweb Licence for The Flox

      See what you are saying but temper it with this.

      User opened a zip file from an email then tried to execute the enclosed executable (.scr) file.

      User is software programmer, many years experience, local admin on his pc, trusted and one of the last people I was watching for some "I didn't think!", mistake. I asked him why he tried to execute the windows file in the email and his response "to see what happened" a part of me responsible for security issues packed it's bags said "fuck this" and left at that stage.

      The attack that will most likely get us will be from the direction we are not watching.

    3. Crazy Operations Guy Silver badge

      "there should be an IT bod in the vicinity to help explain things"

      Well, the biggest reason people tend not to ask the IT folk is that far too many times when they ask, many IT folk respond with condescension and ego. An attitude that you have perfectly demonstrated in your comment (Although you do seem to have a thing for sheep).

      At least this is the most common complaint that I've heard from the employees where I work ever since I fell to the Management Side of the force and got my lobotomy / MBA. Speaking with CIOs in other companies, the story isn't all that different.

  2. Cipher

    and not a word on mitigation...

    ...via software or the group policy editor.

    A solution

  3. James O'Shea Silver badge

    I don't get it

    I have received dozens of 'this is the invoice' or 'this is the payroll file' or 'we have a package for you' emails with what are supposed to be DOCXs or PDFs or ZIPs in them... and given that I _know_ that I didn't order anything from anyone with that name, or engage an outside payroll service, and I'm not expecting a package and besides USPS, UPS, and FedEx don't send out that kind of message, I simply dump such emails into the trash and delete them. Sophos screams bloody murder about them about 40% of the time, anyway (Sophos detects inbound malware pretty much all the time in the ZIPs, not so much in the DOcXs or PDFs) so why, why, WHY would anyone open any of those things? Now, as i have multiple email accounts and have seen the exact same come-on show up in two or three accounts within minutes of each other, it might be more obvious that there's a problem. But anyone with even a modicum of sense should know if they have an outside payroll service, and what the email address of that service is, so that they can just look at the damn inbound mail and SEE that it's not from their guys.

    I don't get it. Even when I was a newbie (more years ago than I like to admit) I _never_ just clicked on stuff in mail, I _always_ had a look at the headers to see who sent it... And, yes, the first thing I do on a WinBox (and, now, on a Mac, as Apple has caught the 'hide extensions' disease, too) is to turn 'hide extensions' OFF so that i can see that little .EXE at the end. Or that .DOCM or whatever. Why is it that umpti-ump _THOUSAND_ people simply don't _look_ at whatever it is _before_ being a happy clicker? WHY?

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't get it

      We have no voicemail or internal fax services, haven't had in at least the 5 years I've been here.......yet people longer serving than me are still opening these emails

      sometimes stupidity has no boundaries

    2. Amorous Cowherder

      Re: I don't get it

      There are some basic common sense rules that should be printed on a big sheet of hi-vis yellow paper and put into every PC box before it's shipped off to the Apple store and PC World, just to remind every one of us that, "Eternal vigilance is the price of freedom."

    3. ecofeco Silver badge

      Re: I don't get it

      My quite elderly parents will answer the phone or even the door to complete strangers.

  4. bitmap animal
    Unhappy

    Latest batch are quite realistic

    We've been getting "Card Receipt" emails from "tracey.smith@aquaid.co.uk" today, about 40 have arrived so far for several of us. They have a DOC attachment and are not blocked by Kaspersky or ESET. The email looks genuine, even the headers seem OK. A couple of days ago I briefed everyone not to open anything like this as we have been getting inundated by similar emails recently and if they do open it they are to pull their LAN cable immediately and report it.

    One of our people was waiting for a receipt from a Tracey and not reading it too closely opened it. Word is set to disable macros so I presume the blank document did nothing. They pulled their power cable and came to see me in a panic.

    The past few days have been a right PITA.

    1. Anonymous Coward
      Anonymous Coward

      Re: Latest batch are quite realistic

      I saw your comment and thought that it looked familiar, as I was in SA clearing out some cruft earlier and there were hundreds of her mails. None have reached actual users however.

      I think perhaps you need to work on your spam filters a little...

      From: Tracey Smith <tracey.smith@aquaid.co.uk>

      To: XXXXX

      Subject: [SPAM] Card Receipt

      1. Anonymous Coward
        Anonymous Coward

        Re: Latest batch are quite realistic

        Last five days worth here (many multiples with just number changes -XXX)

        NOT CRYPTO (I don't think) but just hints of what subjects are currently in favour.

        Internet Fax Job

        Card Receipt

        REMITTANCE DETAILS refXXXXXXXXXXX

        Invoice as requested

        DOC-file for report is ready

        BACS Transfer : Remittance for JSAXXXGBP

        You've received a new fax

        [SPAM] Employee Documents - Internal Use

        These are to an old email that was on a zombie list, gives me a clue what to look for on the real accounts that have better (but not bullet proof) filtering.

    2. leexgx

      Re: Latest batch are quite realistic

      been getting these as well (surprised that the spam block list that most servers use has not been binning it before it gets to the mail server inbox or spam)

  5. nakedtornado

    Got Caught

    The company I work for got caught with this.

    Email with subject "Monthly Statement" from a known supplier was opened by someone in A/P, so it's hard to blame them.

    Locked about 4TB of Data but was mainly word/excel/eps files that wouldn't be updated that frequently. Didn't effect SQL or mailboxes. Restored from previous nights backup. Absolute pain in the arse and took me a good few days to get everything back. Most users didn't really notice a problem.

    1. VinceH Silver badge

      Re: Got Caught

      "The company I work for got caught with this.

      Email with subject "Monthly Statement" from a known supplier was opened by someone in A/P, so it's hard to blame them."

      I know that one of my clients has spotted emailed 'invoices' claiming to come from one of their regular suppliers - and apparently the email looks pretty spot on compared to the real thing, so it would be forgivable if they'd made the mistake of opening the attachment.

      (The biggest giveaway for them was the account number didn't match - that the invoice is usually a PDF, and this was a .doc file, undoubtedly containing a dodgy macro, probably wouldn't have been noticed if it hadn't been for the account number.)

    2. ecofeco Silver badge

      Re: Got Caught

      Same here, but it was the one making the rounds last summer.

      We managed to stop it at 8 machines.

  6. phil dude
    Linux

    ZFS, BTRFS...COW....

    I now have ZFS and snapshots a la NETAPP on my new monster workstation. BTRFS for the OS...

    Come on, I don't care if you use Windoze or OSX but put your "internet facing user" storage on COW already!!

    You know it makes sense, in the same way as tape still does (my next project).

    P.

  7. JamesTQuirk

    I posted this in a post on routers, but maybe it should of been here ....

    Last Night, my home network was attacked, one machine, which is always online ( Transfer Time: 175 Days 22:44 Hours (99.8%)), running Clamwin or win ver of Linux ClamTK, was knocked offline, but not compromised, However the HP DV6 I7, went nuts all of a sudden, fans kicked up, the trackpad started to glow red ... I thought "what u doin", and managed to catch Cryptolocker @ Work, Process explorer killed its processes & desendants, msconfig removed startups, stopped machine, pulled HDD, replace it with fresh one & rebuilt HP, but with Clamwin, So I have a 320gb HDD here with cryptolocker half way thru its nasty, all files on drive are accessible under Xubuntu as ext USB, Windows security is a laugh !

    So if I can disassemble this thing & work out how it talks backs to them, & send it back to them dressed the way they expect, How many zero's should I add to his ransom ?

    1. leexgx

      unless you catch the small group (probably 20-50 people making crap load of money) its unlikely you get them as the servers are running over TOR nowadays

      1. JamesTQuirk

        you are right, leexgx, that's where the trail ended, but still goin over disassembled code, with a fine tooth grep .... Maybe there is something, they forgot, left in, I can use ....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019