March 23, 2015

New TeslaCrypt Ransomware Targets Gaming Files

Malware

There is a new piece of ransomware out there going after the players of some 40 online games, in an apparent attempt to target a somewhat younger crowd of computer users.

Ransomware is a type of malware that targets and encrypts the user files on infected machines. Once the files are securely encrypted, the people controlling the malware demand payment for the private key that can decrypt them. After a pre-ordained period of time, the attackers destroy the decryption key.

The malware was first reported by Bleeping Computer, a technical support and user education forum that is quickly establishing itself as a go-to source for information about encryptors and ransomware schemes. Bleeping Computer has dubbed the malware TeslaCrypt, while the security firm Bromium issued a separate and completely independent report on the threat, which it characterizes as a new variant of CryptoLocker. Bleeping Computer credits Fabian Wosar of Emsisoft with first uncovering TeslaCrypt.

According to Bleeping Computer, TeslaCrypt is targeting files associated with games and platforms like RPG Maker, League of Legends, Call of Duty, Dragon Age, StarCraft, Minecraft, World of Warcraft, World of Tanks, and other popular online games. This is a departure from prior schemes, which tend to target documents, pictures, videos and other standard files stored on user machines. It uses AES encryption so that gamers cannot access their gaming-related files without the decryption key. That key, by the way, is going to set victims back $500 if they choose to pay with Bitcoin and $1000 if they choose to pay via a PayPal My Cash card.

While Bleeping Computer led the way here, Bromium added to the story by determining how TeslaCrypt is being distributed. Not surprisingly, criminals are packaging the threat inside the Angler Exploit Kit. Exploit kits are essentially pre-made software packages for compromising computer systems. They come loaded with exploits for common security vulnerabilities and, much like the software-as-a-service industry, attackers pay licensing fees to gain access to them.

Exploit kits offer attackers an easy avenue for loading malware onto their victims' machines. For years, BlackHole was the premier exploit kit. However, that kit fell out of favor after its author curbed development and was subsequently arrested in Russia. Over the year and a half or so since, Angler has emerged to fill that void, consistently integrating the newest zero days as well as exploits for those vulnerabilities.

After infection, the malware changes the victim's desktop background to a notification that the user's files have been encrypted. The message contains instructions on how and where users need to go to buy the private key to decrypt their files. Part of the process involves downloading the Tor Browser Bundle. Interestingly, there is a hidden services site where infected users can receive technical support from the malware authors on how to make a payment and then decrypt their files. The warning also contains a deadline, after which point the private key will be destroyed and the files will be impossible to recover.

The warning is very similar to that of the infamous CryptoLocker ransomware, which may in fact be why Bromium considers the two pieces of malware to be related. As Bromium notes, the technical similarities between the two are negligible, but it believes TeslaCrypt is leveraging CryptoLocker's brand.

As always, we at the Kaspersky Daily cannot in good conscience advise anyone to pay for the private key. To do so would be to encourage this type of scam. The best defense against this and similar ransomware schemes is to regularly perform backups. Another option is to use a strong anti-virus product. For example, Kaspersky Internet Security and Kaspersky Total Security are equipped with a special feature called System Watcher, designed to protect against cryptoware.

Of course, you also need to install operating system, software, application and browser updates. The vast majority of exploit kits target known and already-patched security vulnerabilities.

We've said it before and we'll say it again: crypto ransomware is here to stay and it's bad news, so make sure you are dedicating some time to backing up your machines. Furthermore, as you can see from the deployment of technical support and branding, the people behind these schemes have an eye toward business and marketing. In other words, they are getting better at infecting users and convincing them to pay to get their files back. This reality exists in a world where we are connecting more and more things to the internet, which will only exacerbate the problem.