Security Alert: TeslaCrypt 4.0 – Unbreakable Encryption and Worse Data Leakage
Each new variant brings improvements and makes this ransomware family more difficult to detect
Confirming the trends that security specialists have been announcing for 2016, a new version of Teslacrypt has just been launched.
The fourth iteration of the ransomware strain comes with new functionalities and enhanced stability. The group behind TeslaCrypt has also fixed various bugs, including one related to encryption of large data files.
Teslacrypt 4 features “RSA 4096” for encrypting data. Consequently, the encrypted data will be impossible to recover, which means permanent information loss if the victim doesn’t have a backup of the affected data.
It’s important to know that the tool ‘TeslaDecoder’ no longer works with Teslacrypt 4.0. Unfortunately, this is one of the many fixes that the cyber criminals have included in the new version.
Until now, files larger than 4 GB were permanently damaged when encrypted. As another improvement from the attackers’ point of view, this bug has been fixed, so large files are now encrypted intact and held for ransom like any other.
In the case of data compromise, only two options remain: to restore the data from a secure backup or to pay the ransom (which we don’t recommend).
The new version of the ransomware can be recognized by the following IoCs (Indicators of Compromise):
%UserProfile%\Desktop\RECOVER[%5 random signs%].html
%UserProfile%\Desktop\RECOVER[%5 random signs%].png
%UserProfile%\Desktop\RECOVER[%5 random signs%].txt
%UserProfile%\Documents\[random file name].exe
%UserProfile%\Documents\recover_file.txt
Moreover, TeslaCrypt 4 creates the following value in the registry (value name, followed by its data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_[random name]
C:\Windows\SYSTEM32\CMD.EXE /C START %user account%\Documents\[random name].exe
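The file and registry indicators above translate directly into host-side detection logic. The following script is an added example written for this alert, not code from the original article or from CSIS; it turns the page's IoCs into matchers and runs them over a constructed inventory of file paths and Run values (not real telemetry). Two details are assumptions made here: "5 random signs" is modelled as five alphanumeric characters, and "%user account%" is read as the user's profile path. Because any .exe in Documents matches the page's "[random file name].exe", that indicator is reported with low confidence so it can be triaged rather than alerted on by itself.

```python
import re
from typing import List, Optional, Tuple

# File-name patterns derived from the IoCs listed in the alert. The page writes
# "[%5 random signs%]"; treating that as five alphanumeric characters is an
# assumption made in this example.
RANSOM_NOTE_RE = re.compile(r"^RECOVER[A-Za-z0-9]{5}\.(?:html|png|txt)$", re.IGNORECASE)
RECOVER_FILE_NAME = "recover_file.txt"

# Persistence pattern derived from the alert's Run value: a value whose name
# starts with "_" and whose data uses cmd.exe to start an .exe under Documents.
# "%user account%" on the page is taken to mean the user's profile path.
RUN_DATA_RE = re.compile(
    r"^C:\\Windows\\SYSTEM32\\CMD\.EXE\s+/C\s+START\s+.+\\Documents\\[^\\]+\.exe$",
    re.IGNORECASE,
)

Finding = Tuple[str, str, str]  # (confidence, item, reason)


def _components(path: str) -> List[str]:
    """Split a Windows path into components, tolerating forward slashes."""
    return [c for c in path.replace("/", "\\").split("\\") if c]


def match_file_ioc(path: str) -> Optional[Tuple[str, str]]:
    """Return (confidence, reason) if the path matches a file IoC, else None."""
    comps = _components(path)
    if len(comps) < 2:
        return None
    parent, name = comps[-2].lower(), comps[-1]
    if parent == "desktop" and RANSOM_NOTE_RE.match(name):
        return ("high", "TeslaCrypt 4 ransom note on the Desktop")
    if parent == "documents" and name.lower() == RECOVER_FILE_NAME:
        return ("high", "recover_file.txt dropped in Documents")
    if parent == "documents" and name.lower().endswith(".exe"):
        # Matches the page's "[random file name].exe", but any executable in
        # Documents satisfies it, so on its own this is a weak indicator.
        return ("low", "executable in Documents (matches the dropper location)")
    return None


def match_run_value(name: str, data: str) -> Optional[Tuple[str, str]]:
    """Return (confidence, reason) if a Run value matches the persistence IoC."""
    if name.startswith("_") and RUN_DATA_RE.match(data.strip()):
        return ("high", "Run value using cmd.exe to launch an .exe from Documents")
    return None


def scan(files: List[str], run_values: List[Tuple[str, str]]) -> List[Finding]:
    """Apply both matchers to an inventory and collect the findings."""
    findings: List[Finding] = []
    for path in files:
        hit = match_file_ioc(path)
        if hit:
            findings.append((hit[0], path, hit[1]))
    for name, data in run_values:
        hit = match_run_value(name, data)
        if hit:
            findings.append((hit[0], "HKCU\\...\\Run\\" + name, hit[1]))
    return findings


# Constructed sample inventory (not real telemetry): one infected profile plus
# benign look-alikes that must not match.
SAMPLE_FILES = [
    r"C:\Users\alice\Desktop\RECOVERa1b2c.html",
    r"C:\Users\alice\Desktop\RECOVERa1b2c.png",
    r"C:\Users\alice\Desktop\RECOVERa1b2c.txt",
    r"C:\Users\alice\Documents\recover_file.txt",
    r"C:\Users\alice\Documents\qwertz.exe",
    r"C:\Users\alice\Desktop\RECOVERY_notes.txt",  # benign: "_" breaks the 5-char pattern
    r"C:\Users\alice\Documents\report.docx",       # benign
]
SAMPLE_RUN_VALUES = [
    ("_qwertz", r"C:\Windows\SYSTEM32\CMD.EXE /C START C:\Users\alice\Documents\qwertz.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("_legit", r"C:\Program Files\Tool\tool.exe"),  # "_" name but harmless data
]

if __name__ == "__main__":
    for confidence, item, reason in scan(SAMPLE_FILES, SAMPLE_RUN_VALUES):
        print(f"[{confidence:4}] {item}: {reason}")
```

On a real host the two inputs would come from a directory listing of each user's Desktop and Documents folders and from the values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run; the matchers themselves do not change. The constructed inventory yields five high-confidence findings (three ransom notes, recover_file.txt and the Run value) and one low-confidence one (the .exe in Documents), while the look-alike entries are ignored.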
More data leaked to cyber criminal servers
Once the malicious code is run, the attackers can extract even more data than before from the local machine. The harvested data is then compiled into a unique key, while, at the same time, the ransomware will recruit the affected PC into a central botnet.
The collected data includes: “MachineGuid” (a unique identifier pertaining to every PC), “DigitalProductID” (the Windows operating system key) and “SystemBiosDate” (the current time of the affected PC).
The current list of Teslacrypt 4 Command & Control servers is the following:
As in previous campaigns, TeslaCrypt 4 is being distributed through drive-by attacks carried out using the Angler exploit kit infrastructure. Over 600 domains spreading Angler have been blocked today, and the daily average is predicted to increase to up to 1200 domains per day.
A sample of dedicated Angler exploit kit domains can be found below:
Later Edit [March 21 2016]: Antivirus detection rates remain very low: only 4/67 solutions flag one of the Angler domains as malicious (and the same rate applies to all of the domains, on average).
Independent research posted on BleepingComputer indicates the same characteristics for TeslaCrypt 4.0 as presented above.
TeslaCrypt evolved from a ransomware targeting gamers to a threat that is now aimed at both companies and home users alike, regardless of their passions. This fourth version is not only a more severe threat, but also one that is capable of far wider data leakage.
The first version of TeslaCrypt emerged in March 2015, while the creators launched the second version in November 2015. Since then, the TeslaCrypt creators have moved even faster: they launched TeslaCrypt 3.0 in January 2016, and now, only 3 months later, the fourth version is out.
We can expect cyber attackers to iterate even faster, in order to block decryptors that can appear on the market and secure a constant revenue stream to fund their attacks.
* This article features cyber intelligence provided by CSIS Security Group researchers.