Italian Councils Paralyzed By Bitcoin Ransomware Virus

Municipal councils across Italy have seen their PC files encrypted by a ransomware virus demanding Bitcoin payments to decrypt the files. Ransom demands are starting at around €400 Euros and failure to pay the amount within three days doubles the ransom.


Photo: Atana / Flickr

Officers in Bussoleno, a small town in Northern Italy, could only recover important data by paying the ransom with Bitcoin. A Reddit story revealed this is the first instance in which a public office has been forced to acquire Bitcoin.

Local newspaper Corriere della Sera said dozens of regional office workers are unable to access several files, issue certifications or pay bills until they pay the digital ransom.

After launching from St Petersburg, Russia last Wednesday, the ransomware spread rapidly through the computer network of the victims via phishing attacks. While some systems were updated with anti-virus software to block it, many remain at risk.

How the Ransomware Functions

After gaining access to the victim’s computer, the ransomware sends a malicious .exe file named with a long string of characters to all contacts in the victim’s address book.

When opened by a contact, the program encrypts all photos, .pdf files and Microsoft office documents on their server and machine, rendering them useless.

After the block is enabled a hoax anti-virus prompts users to buy decoding software, accompanied by step-by-step instructions required to complete the transaction and process. The hackers even included ‘customer support’ contact details for those not familiar with the use of Bitcoins.

“After we paid they also had the audacity to invite us to contact them in case we have other problems,” said a town clerk in Bussoleno, Turin.

Italian consultancy Di.Fo.B, who deal with cyber crime, said the Bitcoin addresses listed by hackers have made $100,000 from victims in the last several days. Di.Fo.B expects this figure to rise as public offices unaware of the virus are attacked.

This particular virus is a variant of the popular CryptoLocker, and is dubbed ‘TorrentLocker’.

It spreads via email attachments similar to the Ebola malware and encrypts files with RSA public-key cryptography, with the private key only present in the malware’s servers. When a user opens the attachment that’s encrypted by the virus, a message demands a Bitcoin ransom in order to decrypt the data.

The Scale of CryptoLocker

Last November, the UK National Cyber Crime Unit warned about Cryptolocker ransomware contained in attachments and zip files in emails.

The virus targets SMEs, and the crime agency revealed millions of email accounts were at risk. After seeing a large majority of UK buyers were willing to secure enough Bitcoins to pay the ransomware, trading site BitBargain blocked all new users for the fear of money laundering.

ZDNet reported in December 2013 that four Bitcoin addresses posted by users who were the victims of CryptoLocker showed movement of 41,928 BTC between October 15 and December 18. The value was US$27 million.

Finally, University of Kent researchers published a survey that said 41 percent of the British victims decided to pay the ransom, a figure larger than expected.