Games changing: new version of TeslaCrypt mimics “a big brother”

These days, ransomware-related news stories look a bit like, well, war chronicles. In fact, this is the consequence of an elevated attention to this particular kind of threat; similar things occurred in the early 2000s when net-worms thrashed the Web. Today’s malware can be equally damaging, but first and foremost it exists to extract profit from the victims. In this post we’ll take a look at a new version of the TeslaCrypt ransomware, which recently started mimicking CryptoWall, previously featured on our blog.

Copycat

TeslaCrypt is a relatively new variant of the much-dreaded CryptoLocker, which made a lot of buzz after it had been discovered targeting online gamers.

Criminals have discovered yet another source of relatively easy money – hardcore gamers are expected to pay willingly for regaining access to their content – even though in most online games the crucial player-unique data is stored in the cloud, not locally.

Still, this CryptoLocker variant, now called TeslaCrypt, can encrypt any other important files, so the gamers are not the only potential victims.

The new version, intercepted recently by Kaspersky Lab researchers, has two distinct new features: a new encryption scheme and a new “warning message”.

Actually, the latter is anything but new: for some wicked reason the TeslaCrypt operators have “borrowed” the warning screen from CryptoWall.

Why? Fedor Sinitsyn of Kaspersky Lab, in an analysis of the new ransomware, speculates that the attackers “wanted to impress the gravity of the situation on their victims”, since the files encrypted by CryptoWall cannot be cracked without knowing a secret key – while with TeslaCrypt it is possible.

That may now become a bit more difficult, though, since the encryption scheme has been improved again and is even more sophisticated than before. Keys are generated using the ECDH (elliptic-curve Diffie-Hellman) algorithm, which had already been implemented in versions 0.3.x; in this version it seems more relevant because it serves a specific purpose: enabling the attackers to decrypt files using a ‘master key’ alone.

The detailed analysis is available at Securelist.

What is important here for businesses?

As a threat, TeslaCrypt is in a general sense not much different from other recent ransomware. It has some evasion features and communicates with C&C servers over the web, although the servers themselves are in the Tor network (tor2web services are used to reach them). It’s a much less scary beast than it wants to appear: it threatens the victims with 2048-bit RSA encryption, but there is none. In fact, 256-bit encryption is used, and sometimes the encrypted files can be recovered without paying anything. But only sometimes.

The more appropriate way to deal with this is to use the set of well-known measures: regularly updated software and an up-to-date anti-malware solution with exploit prevention functionality. The latter is especially important since TeslaCrypt is known to be dropped by a number of exploit kits.

And first and foremost, there must be “cold storage” backups in place. This is the best way to prevent all kinds of encrypting ransomware from damaging your data.
