Security Alert: TeslaCrypt Infections Rise as Spam Campaign Hits Companies in Europe
Tricking users with spam emails still works. Here’s what to do about this threat
In the past few days our team has seen a considerable increase in TeslaCrypt infections, a file-encrypting ransomware discovered in early 2015.
The group behind TeslaCrypt focused on individual users at first, but in this campaign the targets are mainly companies in Northern Europe. “The most affected countries include USA, Germany, UK, France, Italy, and Spain,” as parallel research from Kaspersky shows, so there’s no way to tell which country the attackers will hit next.
And there’s a new twist to this boost in TeslaCrypt infections: the encrypting ransomware is distributed through a very strong spam campaign.
We’re sharing all the findings below, including infection vectors, a selection of Command & Control servers, ransomware infection flow and more.
What is TeslaCrypt?
TeslaCrypt is a ransomware Trojan which was first designed to target computers that have specific computer games installed. However, in the past months this strain of cryptoware has broadened its reach.
If your computer gets infected, TeslaCrypt will encrypt all of your files and lock you out of your system. It will also demand a ransom, which can vary between $150 and $1000 worth of bitcoins, in exchange for the decryption key. And the damage this type of ransomware can do is very real:
We tracked the victims’ payments to the cybercriminals—available because the group used bitcoin—and determined that between February and April 2015, the perpetrators extorted $76,522 from 163 victims. This amount may seem trivial compared to millions made annually on other cyber crimes, or the estimated $3 million the perpetrators of CryptoLocker were able to make during nine months in 2013-14. However, even this modest haul demonstrates ransomware’s ability to generate profits and its devastating impact on victims.
When it comes to form and function, TeslaCrypt resembles Cryptolocker2, but that’s where the similarities end. TeslaCrypt was developed independently, and analyses carried out this year prove it. For example, Cryptolocker2 is capable of harvesting e-mail addresses, as we’ve seen in a security alert issued in September, but TeslaCrypt doesn’t showcase such abilities (yet).
How does TeslaCrypt spread?
Earlier this year, analyses of TeslaCrypt showed that the ransomware frequently used the Angler exploit kit as a distribution vector. By relying on Angler’s sophisticated techniques for avoiding antivirus detection, TeslaCrypt could achieve a high infection rate on the targeted computers.
TeslaCrypt also used Angler’s distribution channels, such as infected websites or malvertising campaigns. This time, cyber criminals have decided to diversify their infection vector portfolio.
We’ve seen TeslaCrypt being spread via spam emails that contain malicious zip attachments. Inside the zip file there is a .js file which, once extracted and opened, retrieves TeslaCrypt from several compromised web pages.
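A mail-gateway or help-desk check for exactly this lure, added here as an illustration (it is not code from this alert or from any vendor): it opens a zip attachment in memory and flags every member whose final extension is a script or executable type, descending into nested archives and ignoring case, so a double-extension name such as Invoice.pdf.JS is still caught. The .js type is the one this alert describes; the other blocked extensions, the fail-closed handling of unreadable archives and the sample attachments are assumptions of this example, constructed inline.

```python
import io
import zipfile

# Extensions to block when found inside an archive attachment. ".js" is the
# downloader type this alert describes; the remaining entries are an
# assumption added for completeness, not taken from the alert.
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}


def final_extension(member_name):
    """Lower-cased last extension of an archive member ('Invoice.pdf.JS' -> '.js')."""
    base = member_name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def script_members(zip_bytes, prefix=""):
    """List archive members carrying a blocked extension, descending into nested zips.

    Nested hits are reported as 'outer.zip/inner.js'. Raises zipfile.BadZipFile
    on data that is not a valid archive.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = final_extension(info.filename)
            if ext in BLOCKED_EXTENSIONS:
                flagged.append(path)
            elif ext == ".zip":
                flagged.extend(script_members(zf.read(info), path + "/"))
    return flagged


def should_quarantine(zip_bytes):
    """Gateway decision: quarantine on any blocked member, or on an unreadable archive."""
    try:
        return bool(script_members(zip_bytes))
    except zipfile.BadZipFile:
        # Malformed data posing as a zip is itself suspicious; fail closed.
        return True


def build_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments (placeholders, not real campaign files).
LURE_ZIP = build_zip({"Invoice_2015-12/Invoice.pdf.JS": b"// constructed stand-in for a downloader"})
NESTED_ZIP = build_zip({"docs.zip": build_zip({"scan.js": b"// constructed"})})
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 constructed", "notes.txt": b"constructed"})

if __name__ == "__main__":
    for label, sample in (("lure", LURE_ZIP), ("nested", NESTED_ZIP), ("benign", BENIGN_ZIP)):
        print(label, script_members(sample), "quarantine" if should_quarantine(sample) else "deliver")
```

Matching on the last extension only is deliberate: Windows hides known extensions by default, so a user sees "Invoice.pdf" while the host runs the script, and a filter that looked at the first extension would wave the file through.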
The unwanted email appears to come from a company demanding payment of an overdue invoice. The payload is downloaded from the following compromised web pages:
http://artskorat[.]com/html/images/69.exe?1
http://adopteuncompagnon[.]com/69.exe?1
http://aycenergy[.]com/wp/wp-includes/fonts/69.exe?1
http://46.151.52[.]197/69.exe?1
Here is also a selection of Command & Control servers used to deliver the TeslaCrypt infection:
http://kochstudiomaashof[.]de/media/misc.php
http://testadiseno[.]com/img/gal/thumb/misc.php
http://diskeeper-asia[.]com/tmp/misc.php
http://gjesdalbrass[.]no/media/misc.php
http://garrityasphalt[.]com/media/misc.php
http://grassitup[.]com/media/misc.php
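The payload and Command & Control indicators above can be swept against web-proxy logs. The following Python is an added example, not part of this alert: it refangs the defanged URLs, matches every logged URL by host and path (ignoring the "?1" query string) against the payload and C&C lists, and additionally flags a download of a file named 69.exe from any unlisted host as a weaker indicator, since the payload keeps that name on all four download hosts above. The first C&C host's top-level domain is assumed to be .de, and the proxy log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Indicators from this alert, kept defanged. Payload download URLs first, then
# Command & Control servers. The first C&C host's TLD is assumed to be .de.
PAYLOAD_URLS = [
    "http://artskorat[.]com/html/images/69.exe?1",
    "http://adopteuncompagnon[.]com/69.exe?1",
    "http://aycenergy[.]com/wp/wp-includes/fonts/69.exe?1",
    "http://46.151.52[.]197/69.exe?1",
]
C2_URLS = [
    "http://kochstudiomaashof[.]de/media/misc.php",
    "http://testadiseno[.]com/img/gal/thumb/misc.php",
    "http://diskeeper-asia[.]com/tmp/misc.php",
    "http://gjesdalbrass[.]no/media/misc.php",
    "http://garrityasphalt[.]com/media/misc.php",
    "http://grassitup[.]com/media/misc.php",
]


def refang(url):
    """Turn a defanged indicator ('example[.]com') back into a parseable URL."""
    return url.replace("[.]", ".").replace(" ", "")


def host_and_path(url):
    """Normalise a URL to (lower-cased host, path) so the query string ('?1') is ignored."""
    parts = urlsplit(refang(url))
    return (parts.hostname or "", parts.path or "/")


PAYLOAD_KEYS = {host_and_path(u) for u in PAYLOAD_URLS}
C2_KEYS = {host_and_path(u) for u in C2_URLS}
URL_RE = re.compile(r"https?://\S+")


def classify_url(url):
    """'c2' / 'payload' for exact indicator hits; 'suspicious-filename' when only
    the payload name 69.exe matches on an unlisted host; otherwise 'clean'."""
    key = host_and_path(url)
    if key in C2_KEYS:
        return "c2"
    if key in PAYLOAD_KEYS:
        return "payload"
    if key[1].rsplit("/", 1)[-1].lower() == "69.exe":
        return "suspicious-filename"
    return "clean"


def scan_proxy_log(lines):
    """Return (verdict, url) for every log line whose URL is not clean."""
    hits = []
    for line in lines:
        match = URL_RE.search(line)
        if not match:
            continue
        verdict = classify_url(match.group(0))
        if verdict != "clean":
            hits.append((verdict, match.group(0)))
    return hits


# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
SAMPLE_LOG = [
    "2015-12-03T09:12:01Z 10.1.4.22 GET http://aycenergy.com/wp/wp-includes/fonts/69.exe?1 200",
    "2015-12-03T09:12:05Z 10.1.4.22 POST http://gjesdalbrass.no/media/misc.php 200",
    "2015-12-03T09:13:40Z 10.1.4.22 GET http://www.example.com/index.html 200",
    "2015-12-03T09:14:02Z 10.1.4.31 GET http://203.0.113.7/tmp/69.exe?1 200",
]

if __name__ == "__main__":
    for verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:20} {url}")
```

A client that first fetches 69.exe and then posts to misc.php, as the first two sample lines do, is the infection flow this alert describes end to end, and is the host to isolate first.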
During the next stage, a private key is used to encrypt all the data stored locally on the machine. TeslaCrypt will also encrypt any files it can reach on other computers in the same network, using the AES-256-CBC algorithm with “session_priv” as the key.
The code is written in C++ and, as we know from other TeslaCrypt infections, it will search for and encrypt any and all files with the following extensions:
.r3d .css .fsh .lvl .p12 .rim .vcf .3fr .csv .gdb .m2 .p7b .rofl .vdf .7z .d3dbsp .gho .m3u .p7c .rtf .vfs0 .accdb .das .hkdb .m4a .pak .rw2 .vpk .ai .dazip .hkx .map .pdd .rwl .vpp_pc .apk .db0 .hplg .mcmeta .pdf .sav .vtf .arch00 .dba .hvpl .mdb .pef .sb .w3x .arw .dbf .ibank .mdbackup .pem .sid .wb2 .asset .dcr .icxs .mddata .pfx .sidd .wma .avi .der .indd .mdf .pkpass .sidn .wmo .bar .desc .itdb .mef .png .sie .wmv .bay .dmp .itl .menu .ppt .sis .wotreplay .bc6 .dng .itm .mlx .pptm .slm .wpd .bc7 .doc .iwd .mov .pptx .snx .wps .big .docm .iwi .mp4 .psd .sql .x3f .bik .docx .jpe .mpqge .psk .sr2 .xf .bkf .dwg .jpeg .mrwref .pst .srf .xlk .bkp .dxg .jpg .ncf .ptx .srw .xls .blob .epk .js .nrw .py .sum .xlsb .bsa .eps .kdb .ntl .qdf .svg .xlsm .cas .erf .kdc .odb .qic .syncdb .xlsx .cdr .esm .kf .odc .raf .t12 .xxx .cer .ff .layout .odm .rar .t13 .zip .cfr .flv .lbf .odp .raw .tax .ztmp .cr2 .forge .litemod .ods .rb .tor .crt .fos .lrf .odt .re4 .txt .crw .fpk .ltx .orf .rgss3a .upk
All affected files are renamed with a .vvv or .zzz extension, and a “blob” is also added to their header.
The ransomware payload deletes the local shadow copy. Next, the following files are copied to all directories:
how_recover+mln.html
These files include the instructions on how to pay the ransom via bitcoins, so the victims can regain access to their now encrypted data.
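To put the extension list and the post-infection artefacts above to defensive use, here is an added Python example (not code from this alert): it walks a directory tree once, reports the files whose extension falls in a representative subset of the targeted list (the exposure that should be covered by offline backups), and separately looks for the two infection markers the alert names, files renamed to .vvv/.zzz and dropped how_recover ransom notes. The subset of extensions, the verdict thresholds and the sample directory are assumptions of this example, constructed inline.

```python
import os
import tempfile

# Representative subset of the extensions this alert says TeslaCrypt targets
# (the alert's full list is far longer); extend it from the alert as needed.
TARGETED_EXTENSIONS = {
    ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm",
    ".pdf", ".odt", ".ods", ".odp", ".txt", ".rtf", ".csv", ".sql", ".mdb", ".accdb",
    ".jpg", ".jpeg", ".png", ".psd", ".zip", ".rar", ".7z",
    ".pem", ".pfx", ".p12", ".cer", ".crt",
}
# Post-infection markers named in the alert: renamed files and dropped ransom notes.
ENCRYPTED_EXTENSIONS = {".vvv", ".zzz"}
RANSOM_NOTE_PREFIX = "how_recover"


def classify_tree(root):
    """Walk root once, sorting files into at-risk, encrypted and ransom-note buckets."""
    report = {"at_risk": [], "encrypted": [], "ransom_notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if ext in ENCRYPTED_EXTENSIONS:
                report["encrypted"].append(path)
            elif lower.startswith(RANSOM_NOTE_PREFIX):
                report["ransom_notes"].append(path)
            elif ext in TARGETED_EXTENSIONS:
                report["at_risk"].append(path)
    return report


def infection_verdict(report, min_encrypted=3):
    """A dropped ransom note is the strongest single signal. A few renamed files
    alone could be legitimate, so the threshold (an assumption) requires several."""
    if report["ransom_notes"]:
        return "infected"
    if len(report["encrypted"]) >= min_encrypted:
        return "likely-infected"
    return "no-indicators"


def summarize(root):
    """Compact, order-independent summary suitable for alerting."""
    report = classify_tree(root)
    return {
        "at_risk": sorted(os.path.basename(p) for p in report["at_risk"]),
        "encrypted": len(report["encrypted"]),
        "ransom_notes": len(report["ransom_notes"]),
        "verdict": infection_verdict(report),
    }


def build_sample_tree():
    """Constructed directory for the demonstration; contains no real malware or data."""
    root = tempfile.mkdtemp(prefix="teslacrypt_demo_")
    layout = {
        "finance/budget.xlsx": b"constructed",
        "finance/invoice.pdf": b"constructed",
        "finance/budget.xlsx.vvv": b"constructed",       # renamed, encrypted copy
        "finance/how_recover+mln.html": b"constructed",  # ransom note named in the alert
        "photos/holiday.JPG": b"constructed",            # case differs, still at risk
        "photos/readme.md": b"constructed",              # not in the target list
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(summarize(build_sample_tree()))
```

Run against a file share, the "at_risk" list doubles as an inventory of what the network-drive encryption described above would reach, which is exactly the data that needs an offline or versioned backup.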
In this campaign, paying the ransom in bitcoins via Tor involves connecting to the following links:
https://o7zeip6us33igmgw[.]onion.to
http://vrd463xcepsd12cd[.]crsoftware745.com
http://vr6g2curb2kcidou[.]expay34.com
http://tsbfdsv.extr6mchf[.]com/4CD6FA41D7BD8DA3
Antivirus detection is very low for this campaign: only 3 out of 55 products listed in VirusTotal currently detect this TeslaCrypt strain.
For the full detection list on VirusTotal at the time this security alert was released, please follow this link.
Should I pay the ransom if I get infected with TeslaCrypt?
It’s up to each victim to make this decision, but we recommend that you don’t pay the ransom. There’s no guarantee that you’ll receive the decryption key and, even if you do, there’s a chance that the files will be damaged because of a fault in the encryption system.
You may find certain decryption tools online, but you risk damaging your data for good if you use them. No one can guarantee that you can decrypt your data safely and that it will still be usable once the process is done.
What should I do to keep TeslaCrypt out of my system?
A few simple steps and security measures can help keep your system protected against ransomware like TeslaCrypt, CryptoWall or others. Let’s go through them right now:
1. Don’t keep important data only on the local drive. Always back up your data somewhere that is not directly connected to the local system, such as in the cloud or on an external drive. You can use this guide to find out more about various back-up options for your system.
2. Do not download or open .zip attachments in spam or in emails from unknown senders. This is a rule of thumb. Learn to identify spam emails, mark them as spam and delete them without opening them. Spam is one of the favorite ways that cyber criminals infiltrate your system and you should read this to block their malicious attempts.
3. Don’t click links in spam emails. These links can redirect you to infected domains which host TeslaCrypt or other types of encrypting ransomware.
4. Keep your operating system and your software up-to-date. Always! Updates help you reduce the security holes in your system by as much as 85%! (Source.)
5. Use a reliable antivirus product which has a real-time scanner. While you’ve seen that traditional antivirus products are not your first line of defense against ransomware, you still need them.
6. Because most antivirus products do not detect the latest ransomware variants, enhance your security by using a specialized tool against ransomware attacks.
7. Increase your online protection level by adjusting your web browser security settings to protect your privacy and enhance your security.
8. If you receive suspicious e-mails that contain links or attachments from unknown senders on your work computer, contact the IT department immediately, so they can contain the infection and keep it from spreading.
If you’re a company and you’re reading this, the same principles apply to your workstations. Cryptoware is a huge threat and can cause serious business disruptions and data loss.
The evolution of ransomware is a reality and its effects are strong and concern us all, either as individual Internet users or as employees in companies around the world.
We need to be prepared to handle this, and we can’t do that without education. Reading about these threats helps us get savvier and less vulnerable to cyber criminal tactics. But practicing what we preach is crucial, since online protection is our individual responsibility.