{"id":10860,"date":"2015-12-15T09:00:05","date_gmt":"2015-12-15T14:00:05","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/?p=10860"},"modified":"2020-02-26T18:58:34","modified_gmt":"2020-02-26T16:58:34","slug":"teslacrypt-strikes-again","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/teslacrypt-strikes-again\/10860\/","title":{"rendered":"TeslaCrypt: Round Three"},"content":{"rendered":"<p>Malware development and our attempts to fight it sometimes remind us of a deep TV series: one can trace how \u201ccharacters\u201d acquire new skills, overcome hardships and make new achievements. It seems that the third season of the TeslaCrypt series has now been released.<br>\n<a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2015\/12\/06023448\/teslacrypt-ransomware-news-FB.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/103\/2015\/12\/06023448\/teslacrypt-ransomware-news-FB.jpg\" alt=\"TeslaCrypt: Round Three\" width=\"1280\" height=\"1280\" class=\"aligncenter size-full wp-image-10863\"><\/a><\/p>\n<p><a href=\"https:\/\/www.kaspersky.co.za\/blog\/teslacrypt-ransomware-targets-gamers\/8021\/\" target=\"_blank\" rel=\"noopener\">TeslaCrypt was first discussed<\/a> in February 2015, when this Trojan compromised the PCs of certain groups of gamers, encrypting their files. It asked for about $500 to return the data to its owners.<br>\nThe newly released Trojan was based on another dangerous ransomware called CryptoLocker. Back then the criminals used a relatively weak encryption algorithm, which could be broken. The Trojan stored decryption keys in a separate file on the victim\u2019s hard drive, so they could be found with little effort. 
In the end, users of the <a href=\"http:\/\/www.bleepingcomputer.com\/virus-removal\/teslacrypt-alphacrypt-ransomware-information#tesla\" target=\"_blank\" rel=\"noopener nofollow\">BleepingComputer<\/a> forum created the <a href=\"http:\/\/download.bleepingcomputer.com\/BloodDolly\/TeslaDecoder.zip\" target=\"_blank\" rel=\"noopener nofollow\">TeslaDecoder<\/a> software, which helped victims decrypt their files without paying any ransom. <\/p>\n<p>https:\/\/twitter.com\/bitcoinfirehose\/status\/601424147588218880<\/p>\n<p>It would have been wonderful if the first season had flopped and the series had ended there. But the cybercriminals extended it and released TeslaCrypt 2.0 \u2014 an updated and upgraded version, which was <a href=\"https:\/\/securelist.com\/blog\/research\/71371\/teslacrypt-2-0-disguised-as-cryptowall\/\" target=\"_blank\" rel=\"noopener\">detected by Kaspersky Lab<\/a> in July 2015. This version uses a significantly improved encryption scheme, which still cannot be cracked. Moreover, the updated malware does not store keys in a separate file \u2014 it uses the system registry instead. 
<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"nl\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/news?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#news<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/gaming?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#gaming<\/a> TeslaCrypt 2.0 ransomware: stronger and more dangerous <a href=\"https:\/\/t.co\/agvUXU5J5t\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/agvUXU5J5t<\/a> <a href=\"http:\/\/t.co\/rIZ1XqfHw6\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/rIZ1XqfHw6<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/620983993685643265?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">July 14, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Victims who have somehow obtained their keys can still use TeslaDecoder to recover their files. But without a key this useful tool is of no help at all.<br>\nRecently, a new &lt;s&gt;season&lt;\/s&gt; epidemic took place. TeslaCrypt 2.2.0 entered \u2013 stage left. Currently, a malicious mailing campaign is in full swing: users all over the world are receiving fake payment notifications. Deceived users install the Angler <a href=\"https:\/\/www.kaspersky.co.za\/blog\/exploits-problem-explanation\/9448\/\" target=\"_blank\" rel=\"noopener\">exploit kit<\/a>, which downloads the new version of TeslaCrypt. Many corporate users fall for these fake emails, as it is quite common for almost any employee to lose track of one of thousands of invoices. 
<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/HowTo?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#HowTo<\/a>: Open Unknown Attachments <a href=\"http:\/\/t.co\/nW1DrX9CNr\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/nW1DrX9CNr<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#security<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/antivirus?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#antivirus<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/469142066782404609?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">May 21, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Besides, cybercriminals launched a wide-scale <a href=\"https:\/\/blog.malwarebytes.org\/hacking-2\/2015\/11\/catching-up-with-the-eitest-compromise-a-year-later\/\" target=\"_blank\" rel=\"noopener nofollow\">campaign to infect WordPress websites<\/a>, including the blog for the UK\u2019s newspaper, The Independent. Angler was once again to blame for this incident. The exploit downloaded either TeslaCrypt or another Trojan called BEDEP, which in turn downloaded the infamous CryptoLocker.<br>\n<a href=\"http:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/blog-of-news-site-the-independent-hacked-leads-to-teslacrypto-ransomware\/?linkId=19435804\" target=\"_blank\" rel=\"noopener nofollow\">According to Trend Micro<\/a>, the blog was infected on November 21. 
The newspaper\u2019s staff fixed the problem and recently (December 9) began redirecting users to the main page of the newspaper.<br>\nRepresentatives of The Independent <a href=\"http:\/\/www.bbc.com\/news\/technology-35050226\" target=\"_blank\" rel=\"noopener nofollow\">stated<\/a> that only a few people visited the infected page, as it was very old, and that there were no signs that anybody could have been infected by the Trojan on their site. That said, the total number of users directed to the page hosting the Trojan hit 4,000+ per day. If visitors did not have the latest Adobe Flash updates, Angler could have used the vulnerability to infect their systems.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">News with a side of <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ransomware<\/a> \u2014\u201cThe Independent\u201d blog hacked, leads to TeslaCrypt: <a href=\"https:\/\/t.co\/4kFz0JPv9Y\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/4kFz0JPv9Y<\/a><\/p>\n<p>\u2014 Trend Micro (@TrendMicro) <a href=\"https:\/\/twitter.com\/TrendMicro\/status\/674611965583564800?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">December 9, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>This time the cybercriminals have changed their aim and are targeting companies, not home users. According to <a href=\"https:\/\/heimdalsecurity.com\/blog\/security-alert-teslacrypt-infections-rise-spam-campaign-hits-companies-europe\/\" target=\"_blank\" rel=\"noopener nofollow\">Heimdal Security<\/a>, the new ransomware is terrorizing European corporations. We have also tracked a huge spike of activity in Japan. 
It is impossible to tell which country will be the next victim.<br>\nIf you want to protect yourself from ransomware, or at least reduce the potential harm, we highly recommend that you follow these tips. <\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Ransomware<\/a> is <a href=\"https:\/\/twitter.com\/hashtag\/digital?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#digital<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/extortion?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#extortion<\/a> \u2013 tips to avoid falling victim to it <a href=\"https:\/\/t.co\/HoCO7kXuhX\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/HoCO7kXuhX<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/itsec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#itsec<\/a> <a href=\"https:\/\/t.co\/PkYl8QXscU\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/PkYl8QXscU<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/674668656077504512?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">December 9, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<ol>\n<li>\nUse up-to-date security solutions. 
For example, <a href=\"https:\/\/www.kaspersky.com\/advert\/multi-device-security?redef=1&amp;THRU&amp;reseller=gl_KDpost_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a> and <a href=\"https:\/\/www.kaspersky.com\/advert\/total-security-multi-device?redef=1&amp;THRU&amp;reseller=gl_KDpost_pro_ona_smm__onl_b2c_kasperskydaily_lnk____ktsmd___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Total Security<\/a> have a built-in System Watcher module, which does not allow ransomware to encrypt data, thereby making users invulnerable to TeslaCrypt.<br>\n<a href=\"https:\/\/www.kaspersky.co.za\/blog\/why-bother-with-software-updates\/6863\/\" target=\"_blank\" rel=\"noopener\">\n<\/a><\/li>\n<li>\nAlways install software updates. Various bugs and vulnerabilities are regularly found in office suites, browsers and Adobe Flash, and updates and patches that \u201ctreat\u201d these security holes are released just as regularly. Keeping your software up to date greatly improves your security.\n<\/li>\n<li>\nMake regular backups. For example, <a href=\"https:\/\/www.kaspersky.com\/advert\/total-security-multi-device?redef=1&amp;THRU&amp;reseller=gl_KDpost_pro_ona_smm__onl_b2c_kasperskydaily_lnk____ktsmd___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Total Security<\/a> can minimize the effort needed for that. 
Even if all security measures turn out to be fruitless and your system is infected, you will be able to clean the system with the help of the antivirus and restore your files from backups.\n<\/li>\n<\/ol>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Kaspersky Total Security Review: Full-featured <a href=\"https:\/\/twitter.com\/hashtag\/parentalcontrol?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#parentalcontrol<\/a>, <a href=\"https:\/\/twitter.com\/hashtag\/firewall?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#firewall<\/a>, and backup <a href=\"http:\/\/t.co\/B1RxogW5Lx\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/B1RxogW5Lx<\/a> via <a href=\"https:\/\/twitter.com\/PCMag?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@PCMag<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/563736501906059264?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 6, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>If you are a ransomware victim looking for a solution to the problem, we regret to say that there is no universal cure. If you have a key, you can use the previously mentioned <a href=\"http:\/\/download.bleepingcomputer.com\/BloodDolly\/TeslaDecoder.zip\" target=\"_blank\" rel=\"noopener nofollow\">TeslaDecoder<\/a> or a <a href=\"http:\/\/blogs.cisco.com\/security\/talos\/teslacrypt\" target=\"_blank\" rel=\"noopener nofollow\">similar tool provided by Cisco<\/a>.<br>\nWithout a key there is almost nothing that can be done. Nevertheless, we highly recommend that you <a href=\"https:\/\/www.kaspersky.co.za\/blog\/dont-pay-ransom\/10422\/\" target=\"_blank\" rel=\"noopener\">don\u2019t pay the ransom<\/a> if at all possible. 
If people do not pay, the ransomware business will become unprofitable and cybercriminals will have less motivation to release the next season of the ransomware series. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>A revamped version of the TeslaCrypt ransomware has recently affected numerous devices in Japan and the Nordic countries. <\/p>\n","protected":false},"author":696,"featured_media":10862,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2670],"tags":[93,420,97,1106,723,268],"class_list":{"0":"post-10860","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-cybercriminals","10":"tag-ransomware","11":"tag-security-2","12":"tag-teslacrypt","13":"tag-trojans","14":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/teslacrypt-strikes-again\/10860\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/teslacrypt-strikes-again\/6418\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/teslacrypt-strikes-again\/6465\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/teslacrypt-strikes-again\/7374\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/teslacrypt-strikes-again\/7074\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/teslacrypt-strikes-again\/10230\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/teslacrypt-strikes-again\/10860\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/teslacrypt-strikes-again\/6595\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/teslacrypt-strikes-again\/9869\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/teslacrypt-strikes-again\/10230\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/teslacrypt-strikes-again\/10860\/"}],"acf":[],"banners":"","maintag":{"url":"
https:\/\/www.kaspersky.co.za\/blog\/tag\/cybercriminals\/","name":"cybercriminals"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/10860","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=10860"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/10860\/revisions"}],"predecessor-version":[{"id":26634,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/10860\/revisions\/26634"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/10862"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=10860"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=10860"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=10860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}