98.6% of TorrentLocker Victims Refuse to Pay Bitcoin Ransom

A new report into the effects of TorrentLocker malware has found that 98.55% of victims do not pay the bitcoin ransom.

Dec 17, 2014, 1:49 PM
Updated Aug 18, 2021, 3:31 PM

98.55% of victims targeted by TorrentLocker do not pay the virus' bitcoin ransom, according to a new report.

TorrentLocker (aka Win32 or Filecoder.DI) is a strain of bitcoin ransomware that works by encrypting users' files. Victims are requested to pay up to 4 BTC to decrypt their documents, though this figure can vary.

The report, authored by Marc-Etienne M Léveillé for security firm ESET, found that only 570 out of 39,760 infected systems were given access to decryption software upon paying the full ransom.

"In other words 1.44% of all infected users we have identified have paid the ransom to the cybercriminals," Léveillé writes, adding: "There are also 20 pages showing that bitcoins were sent but access to the decryption software wasn’t given because the full amount wasn’t paid."

Attackers targeted specific regions

Spam campaigns designed to distribute TorrentLocker malware were targeted at specific countries, including Austria, France, Germany, Italy and the UK, the report found.

Turkey and Australia were particularly hard hit by the malware campaign.

[Image: TorrentLocker chart]

According to data from C&C servers, more than 284 million documents have been encrypted by the ransomware so far.

While very few victims chose to pay the ransom, the distributors of TorrentLocker, who are also suspected of being behind the Hesperbot banking trojan, have made a substantial amount of money – between $292,700 and $585,401.

[Image: TorrentLocker chart 2]

The report notes that ESET identified the first traces of TorrentLocker in February 2014. However, its developers reacted to online reports and changed the way the malware uses AES encryption after a method of decrypting the key was found.

Crypto-ransomware remains a threat

Cybercriminals have been targeting unsuspecting victims with crypto-ransomware for more than a year, with CryptoLocker the leading virus in the field.

In June 2014, international authorities managed to cripple the CryptoLocker onslaught by disabling GOZeuS, the P2P network used to control the network. By the time this blow was struck, CryptoLocker was blamed for causing $27m in damages.

Although TorrentLocker has had limited reach compared to CryptoLocker, in late November the virus was infecting computers at a rate of 691.5 per day. The average TorrentLocker ransom stands at 1.334 BTC with a rebate, or 2.668 BTC afterwards. The exact figure collected by the attackers remains unclear.

Léveillé's report explains why further analysis is difficult:

"It is hard to say who paid the full amount as opposed to the rebated (half price) amount. Because of this, we decided to use a range to quantify the profit made by the criminals. The total amount of bitcoins ranges between 760.38 BTC and 1,520.76 BTC. With the value of the bitcoin on November 29th 2014 (1 BTC valued at $384.94), it means that they swindled victims out of an amount between $292,700 and $585,401."

While questions remain about how to stop the operators behind botnets like TorrentLocker, Léveillé suggests one way to remedy infections in the meantime: an offline backup.

TorrentLocker charts via ESET/Marc-Etienne M Léveillé, ransomware image via Shutterstock.

Disclosure

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.

