
Confirming the trends that security specialists have been announcing for 2016, a new version of TeslaCrypt has just been launched.

The fourth iteration of the ransomware strain comes with new functionalities and enhanced stability. The group behind TeslaCrypt has also fixed various bugs, including one related to encryption of large data files.

Stronger encryption

TeslaCrypt 4 uses “RSA 4096” for encrypting data. Consequently, the encrypted data will be impossible to recover, which means information loss if the victim doesn’t have a backup of the affected data.

It’s important to know that the tool ‘TeslaDecoder’ no longer works with TeslaCrypt 4.0. Unfortunately, this is one of the many fixes that the cyber criminals have included in the new version.

Until now, files larger than 4 GB would be permanently damaged when encrypted. That bug has been fixed in this version, so large files are no longer an obstacle for the attackers.

In the case of data compromise, only two options remain: to restore the data from a secure backup or to pay the ransom (which we don’t recommend).

The new version of the ransomware can be recognized by the following IoCs (Indicators of Compromise):

%UserProfile%\Desktop\RECOVER[%5 random signs%].html
%UserProfile%\Desktop\RECOVER[%5 random signs%].png
%UserProfile%\Desktop\RECOVER[%5 random signs%].txt
%UserProfile%\Documents\[random file name].exe
%UserProfile%\Documents\recover_file.txt

Moreover, TeslaCrypt 4 creates the following value in the registry (value name first, then its data):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_[random name]
C:\Windows\SYSTEM32\CMD.EXE /C START %user account%\Documents\[random name].exe
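The file and registry artifacts above can be turned into a host-based check. The following Python is an added example, not code from the original article or from CSIS: it matches an inventory of file paths and Run-key entries (constructed sample data, embedded inline) against those IoCs. The regular expressions, the expansion of %UserProfile% / %user account% to any `X:\Users\<name>` path, and the assumption that the five “random signs” are alphanumeric are mine, not the article’s.

```python
import re

# Added example (not from the original article). Expands %UserProfile% /
# %user account% to any drive-letter path of the form X:\Users\<name>;
# the 5 "random signs" in the note names are assumed to be alphanumeric.
USERPROFILE = r"[A-Za-z]:\\Users\\[^\\]+"

# RECOVER<5 chars>.html / .png / .txt dropped on the Desktop
RANSOM_NOTE_RE = re.compile(
    r"^" + USERPROFILE + r"\\Desktop\\RECOVER[A-Za-z0-9]{5}\.(html|png|txt)$",
    re.IGNORECASE,
)
# recover_file.txt dropped in Documents
RECOVER_FILE_RE = re.compile(
    r"^" + USERPROFILE + r"\\Documents\\recover_file\.txt$", re.IGNORECASE
)
# Run-key data: cmd.exe /C START <profile>\Documents\<random>.exe
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_DATA_RE = re.compile(
    r"^C:\\Windows\\SYSTEM32\\CMD\.EXE\s+/C\s+START\s+"
    + USERPROFILE
    + r"\\Documents\\[^\\]+\.exe$",
    re.IGNORECASE,
)


def match_file_path(path):
    """Return an IoC tag for a file path, or None if it matches nothing."""
    if RANSOM_NOTE_RE.match(path):
        return "ransom_note"
    if RECOVER_FILE_RE.match(path):
        return "recover_file"
    return None


def match_run_entry(key, value_name, data):
    """True if a Run-key value looks like the TeslaCrypt 4 persistence entry:
    right key, value name starting with '_' (as listed in the article), and
    data launching an .exe from the user's Documents folder through cmd.exe."""
    return (
        key.lower() == RUN_KEY.lower()
        and value_name.startswith("_")
        and RUN_DATA_RE.match(data) is not None
    )


def scan(file_paths, run_entries):
    """Collect (artifact, tag) hits from a file inventory and Run-key entries."""
    hits = []
    for path in file_paths:
        tag = match_file_path(path)
        if tag:
            hits.append((path, tag))
    for key, value_name, data in run_entries:
        if match_run_entry(key, value_name, data):
            hits.append((key + "\\" + value_name, "run_key"))
    return hits


# Constructed sample inventory: four TeslaCrypt-style files plus benign noise.
SAMPLE_FILES = [
    r"C:\Users\alice\Desktop\RECOVERab3x9.html",
    r"C:\Users\alice\Desktop\RECOVERab3x9.png",
    r"C:\Users\alice\Desktop\RECOVERab3x9.txt",
    r"C:\Users\alice\Documents\recover_file.txt",
    r"C:\Users\alice\Documents\report.docx",        # benign
    r"C:\Users\alice\Desktop\RECOVERY_PLAN.txt",    # benign: underscore breaks the pattern
]
# Constructed Run-key entries: one TeslaCrypt-style persistence value, one benign.
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "_qzx7k",
     r"C:\Windows\SYSTEM32\CMD.EXE /C START C:\Users\alice\Documents\qzx7k.exe"),
    (RUN_KEY, "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

if __name__ == "__main__":
    for artifact, tag in scan(SAMPLE_FILES, SAMPLE_RUN_ENTRIES):
        print(f"{tag:13s} {artifact}")
```

On a live host the same functions can be fed the output of a file inventory and an export of the HKCU Run key; the value-name check (`_` prefix) follows the article’s IoC exactly, so loosen it if a variant drops the underscore.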

More data leaked to cyber criminal servers

Once the malicious code is run, the attackers can extract even more data than before from the local machine. The harvested data is then compiled into a unique key, while, at the same time, the ransomware will recruit the affected PC into a central botnet.

[Figure: simple ransomware infection chain]

The collected data includes: “MachineGuid” (a unique identifier pertaining to every PC), “DigitalProductID” (the Windows operating system key) and “SystemBiosDate” (the current time of the affected PC).

The current list of TeslaCrypt 4 Command & Control servers is the following:

http://commonsenseprotection[.]com/phsys.php
http://ebookstoreforyou[.]com/phsys.php
http://esbook[.]com/phsys.php
http://exaltation[.]info/plugins/phsys.php
http://hmgame[.]net/phsys.php
http://shampooherbal[.]com/phsys.php

Similarly to the previous campaign, TeslaCrypt 4 is being distributed through drive-by attacks carried out using the Angler exploit kit infrastructure. Over 600 domains spreading Angler have been blocked today, and the daily average is predicted to increase to up to 1200 domains per day.

A sample of dedicated Angler exploit kit domains can be found below:

me6wy.vg8xjw9ciy[.]top
mwcvd.t9j0avslcl[.]top
o2xf8s6.bhg36v[.]top
olb4cw.o80ba[.]top
sr1f.kauczjdu[.]pw
tmwtsr.o80ba[.]top
ws0bt.aojpxt8[.]top
xq1d.fxor8jqq[.]top
fqd8dmk.wvzgla[.]top
gowp.d2sksr5r[.]pw
haa.pfadnwob6f[.]top
hbcg9.p7laqcz1qn[.]top
hpbr.wrilw1o6[.]top
hz3.u26b07q22[.]pw
irp7.db3e8a[.]pw
l1p88.t44sou90[.]pw
lv6.coitfi50d[.]top
mhd3rw2.orrrifi[.]top
mi1z.db3e8a[.]pw
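The C2 URLs and Angler domains listed above are published in defanged form (“[.]”), so a detection has to refang them before matching. The Python below is an added example, not code from the original article or from CSIS: it loads both indicator lists, refangs them, and scans a constructed proxy log (embedded inline, “timestamp client method url status” per line). It also goes one step beyond the article by matching on the parent domain of the Angler hosts (e.g. `o80ba[.]top` appears twice in the list with different subdomains); that parent-domain match, the naive “last two labels” heuristic behind it, and the log format are my assumptions.

```python
from urllib.parse import urlparse

# Added example, not code from the article. Indicators copied from the lists
# above, still in their defanged "[.]" form.
TESLACRYPT_C2_URLS = [
    "http://commonsenseprotection[.]com/phsys.php",
    "http://ebookstoreforyou[.]com/phsys.php",
    "http://esbook[.]com/phsys.php",
    "http://exaltation[.]info/plugins/phsys.php",
    "http://hmgame[.]net/phsys.php",
    "http://shampooherbal[.]com/phsys.php",
]
ANGLER_DOMAINS = [
    "me6wy.vg8xjw9ciy[.]top", "mwcvd.t9j0avslcl[.]top", "o2xf8s6.bhg36v[.]top",
    "olb4cw.o80ba[.]top", "sr1f.kauczjdu[.]pw", "tmwtsr.o80ba[.]top",
    "ws0bt.aojpxt8[.]top", "xq1d.fxor8jqq[.]top", "fqd8dmk.wvzgla[.]top",
    "gowp.d2sksr5r[.]pw", "haa.pfadnwob6f[.]top", "hbcg9.p7laqcz1qn[.]top",
    "hpbr.wrilw1o6[.]top", "hz3.u26b07q22[.]pw", "irp7.db3e8a[.]pw",
    "l1p88.t44sou90[.]pw", "lv6.coitfi50d[.]top", "mhd3rw2.orrrifi[.]top",
    "mi1z.db3e8a[.]pw",
]


def refang(indicator):
    """Turn the defanged 'example[.]com' form back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


def registered_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix list, so
    this is only a rough parent-domain heuristic."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


C2_HOSTS = {urlparse(refang(u)).hostname for u in TESLACRYPT_C2_URLS}
ANGLER_HOSTS = {refang(d) for d in ANGLER_DOMAINS}
ANGLER_PARENTS = {registered_domain(h) for h in ANGLER_HOSTS}


def classify_host(host):
    """Exact C2 / Angler host match first, then the looser parent-domain match."""
    h = host.lower().rstrip(".")
    if h in C2_HOSTS:
        return "teslacrypt_c2"
    if h in ANGLER_HOSTS:
        return "angler_domain"
    if registered_domain(h) in ANGLER_PARENTS:
        return "angler_parent_domain"
    return None


def scan_proxy_log(text):
    """Scan 'timestamp client method url status' lines; return (client, host, tag) hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _method, url, _status = fields[:5]
        host = urlparse(url).hostname or ""
        tag = classify_host(host)
        if tag:
            hits.append((client, host, tag))
    return hits


# Constructed proxy log: one C2 check-in, one benign request, one exact Angler
# host, one sibling subdomain of a listed Angler parent, one more C2 host.
SAMPLE_PROXY_LOG = """\
2016-03-18T10:02:11Z 10.0.0.5 POST http://hmgame.net/phsys.php 200
2016-03-18T10:02:15Z 10.0.0.5 GET http://www.example.com/index.html 200
2016-03-18T10:03:02Z 10.0.0.7 GET http://olb4cw.o80ba.top/ 200
2016-03-18T10:03:09Z 10.0.0.7 GET http://zz9q.o80ba.top/landing 200
2016-03-18T10:04:00Z 10.0.0.9 GET http://esbook.com/ 200
"""

if __name__ == "__main__":
    for client, host, tag in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client:10s} {tag:22s} {host}")
```

The parent-domain match widens coverage to subdomains the list does not enumerate, at the cost of possible false positives on shared parent domains; keep it as a lower-confidence tag and treat the exact-host matches as the firm ones.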

Later Edit [March 21 2016]: Antivirus detection rates remain very low: only 4/67 solutions detect one of the Angler domains as malicious (and the same rate applies to all the domains, on average).

[Figure: VirusTotal detection rate]

Independent research posted on BleepingComputer indicates the same characteristics for TeslaCrypt 4.0 as presented above.


Conclusion

TeslaCrypt evolved from a ransomware targeting gamers to a threat that is now aimed at both companies and home users alike, regardless of their passions. This fourth version is not only a more severe threat, but also one that is capable of far wider data leakage.

The first version of TeslaCrypt emerged in March 2015, while the creators launched the second version in November 2015. Since then, the TeslaCrypt creators have moved even faster: they launched TeslaCrypt 3.0 in January 2016, and now, only 3 months later, the fourth version is out.

We can expect cyber attackers to iterate even faster, in order to block decryptors that can appear on the market and secure a constant revenue stream to fund their attacks.

* This article features cyber intelligence provided by CSIS Security Group researchers.


Comments

Having read this, I believed it was extremely enlightening.

I appreciate you spending some time and effort to put this short article together. I once again find myself spending a significant amount of time both reading and leaving comments.
But so what, it was still worth it!
