
Deakin University and Trend Micro threat researchers take on Australian strains of CryptoLocker

Announcement posted by Bench PR 12 Jan 2015

10,000 visits to Australian CryptoLocker URLs identified in November 2014

SYDNEY, 12 January 2015 – Trend Micro threat researchers in Australia have teamed up with Deakin University to fight the Australian-specific variants of CryptoLocker that have been spreading rapidly across the country since September last year. CryptoLocker encrypts victims’ files and demands AUD 598 in exchange for restoring access to them. The ransom demand doubles after 96 hours.

In a report released today, Trend Micro and Deakin University researchers monitored and analysed trends related to the CryptoLocker outbreaks occurring in Australia between 1 November and 30 November 2014. Throughout November, the study found more than 10,000 hits to redirection URLs, all considered CryptoLocker incidents.  

The Australian strains of CryptoLocker work in much the same way as those seen in North America and Europe:

· First, victims receive a spam email containing hyperlinks, which claims that parcel tracking information or a penalty notice is waiting for them at an ‘official website’

· After clicking the hyperlink, the victims are redirected to a convincingly realistic web page that mimics the official web pages of organisations such as Australia Post and the Office of State Revenue New South Wales, including the domain name

· The web page then delivers the malware payload to the victims’ computers through abused legitimate file-hosting sites

· The malware proceeds to encrypt PDF and Microsoft® Word® documents, and other commonly used files

· Once the victims’ files are encrypted, the malware demands a Bitcoin payment of at least AUD 598 before the victims can recover their files

In addition to monitoring and analysing the prevalence and impact of Australian CryptoLocker attacks, Trend Micro and Deakin University are working to stop the attacks. On the days when outbreaks occur, Trend Micro has supplemented its internal processes with real-time alerts sent to Deakin University researchers who do further analysis of the outbreaks while the malicious sites are still active.  

“CryptoLocker is a threat that is increasingly affecting individuals and Australian businesses. We teamed up with Deakin University because it required urgent attention,” said Dr. Jon Oliver, a senior threat researcher at Trend Micro Australia. “This strain of CryptoLocker tailored for Australian victims started in the second half of 2014, and continued up to Christmas Eve. The outbreaks have stopped for the New Year break, but will almost certainly continue in the New Year.”

“These attacks are technically sophisticated and specifically aimed at Australians and have been significantly increasing since July with an enormous impact on businesses and individuals,” said Professor Yang Xiang who leads the Deakin University research team.

In the study, researchers at Trend Micro and Deakin University found that the Australian variant of CryptoLocker employed a variety of techniques to avoid detection.

“The CryptoLocker attacks are adapting to security solutions, evading security measures in the next outbreak. Relying on a single aspect of detection can miss the next outbreak,” continued Dr. Oliver. “Multi-layer filtering, which is also described as Defence-in-Depth, is a more robust approach.”

“Many Australian businesses are being targeted and affected by CryptoLocker, from very large organisations to the very small; no one seems to be exempt,” said Mark Sinclair, commercial sales director at Trend Micro Australia and New Zealand. “The whole industry is suffering so our work with Deakin University is vital to get on the front foot and stop the Australian strain of CryptoLocker in its tracks.”

After receiving a spam email and clicking the URL included within, victims are redirected to a phishing web page where they submit CAPTCHA responses and are delivered a .ZIP file. Running or opening that .ZIP file leads to all images, documents, and personal data on the computer and shared drives being encrypted. The malicious software then demands that the victims pay to retrieve their files.

The full report is available at the following link: http://www.trendmicro.com.au/cloud-content/au/pdfs/security-intelligence/white-papers/wp-australian-web-threat-landcsape-2014.pdf

Further information about Trend Micro’s Smart Protection Network is available here.

 

About the report

Australian Web Threat Landscape (2014): Observation of CryptoLocker Attacks was developed by Christopher Ke, Jonathan Oliver, and Yang Xiang. The research monitored web threat trends and outbreaks occurring in Australia. The sample data in this analysis was collected between 1 November and 30 November 2014, drawing on data from the WRS (Web Reputation Solution) and the Smart Protection Network systems developed by Trend Micro.

About Trend Micro

Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Built on 25 years of experience, our solutions for consumers, businesses, and governments provide layered data security to protect information on mobile devices, endpoints, gateways, servers, and the cloud. Trend Micro enables the smart protection of information, with innovative security technology that is simple to deploy and manage, and fits an evolving ecosystem. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro™ Smart Protection Network infrastructure, and are supported by more than 1,200 threat experts around the globe. For more information, visit TrendMicro.com.au.