Spammers deploying the TorrentLocker ransomware are so good at targeting victims that their poison emails hit the mark more frequently than those sent by legitimate software companies and professional marketers.

Trend Micro's just analysed the malware in a report titled TorrentLocker Landscape: Targeting Even More Victims in Australia (PDF) and among other things finds that emails used to lure suckers into the scam "were seemingly delivered to a carefully selected address list with less than 1% sent to invalid ones [email addresses]."

A quick glance at statistics published by email marketing outfit Mailchimp suggests that paces TorrentLocker's purveyors in very good company: the telecommunications industry and software industry each send more mail to non-existent email addresses. Even the marketing and advertising industry's emails bounce 0.88 per cent of the time.

Trend m

Trend Micro's study also finds that about 60 percent of TorrentLocker victims are based in Australia, perhaps because a campaign delivered in May offered "evidence"of a speeding ticket issued by the Australian Federal Police.

The security firm also warns that the ransomware is increasingly being aimed at enterprises.

Torrentlocker is using standard malware obfuscation and verification tricks to avoid anti-virus and ensure victims are indeed warm bodies.As Trend Micro explains:

"A CAPTCHA field requires users to input letters or numbers, giving cyber criminals a chance to verify that there is an actual person using the infected systems. In addition, the sandbox and web reputation evasion technique allows TorrentLocker to detect antivirus mechanisms that detect drive-by-downloads. TorrentLocker also randomises the names of the scripts used on the compromised servers. An example of how TorrentLocker evades web reputation is its ability to keep the time to live records very short. The web service runs on the same server as the DNS service. Hence, once the server is shut down, both services are turned off."

TorrentLocker and Cryptowall are widely considered to be the nastiest of the ransomware families with most variants having no known encryption implementation flaws that could be exploited to help restore data without paying for the key. ®