December 15, 2015

TeslaCrypt: Round Three


Malware development and our attempts to fight it sometimes remind us of a long-running TV series: one can trace how the “characters” acquire new skills, overcome hardships and reach new milestones. It seems that the third season of the TeslaCrypt series has now been released.

TeslaCrypt was first discussed in February 2015, when this Trojan compromised the PCs of certain groups of gamers and encrypted their files. It demanded about $500 to return the data to its owners.
The newly released Trojan was built on the basis of another dangerous ransomware family, CryptoLocker. Back then the criminals used a relatively weak encryption algorithm that could be cracked. The Trojan stored its decryption keys in a separate file on the victim’s hard drive, so they could be found without much effort. In the end, users of the BleepingComputer forum created the TeslaDecoder tool, which helped victims decrypt their files without paying any ransom.

It would have been wonderful if the first season had flopped and the series had ended there. But the cybercriminals extended it and released TeslaCrypt 2.0, an updated and upgraded version that Kaspersky Lab detected in July 2015. This version uses a significantly improved encryption scheme, which still cannot be cracked. Moreover, the updated malware no longer stores keys in a separate file; it uses the system registry instead.

Victims who have somehow obtained their keys can still use TeslaDecoder to recover their files. But without a key, this useful tool is completely helpless.
Recently, a new <s>season</s> epidemic took place. TeslaCrypt 2.2.0 entered – stage left. Currently, a malicious mailing campaign is in full swing: users all over the world are receiving fake payment notifications. Deceived users are led to the Angler exploit kit, which downloads the new version of TeslaCrypt. A lot of corporate users fall for these fake emails, as it is quite common for almost any employee to lose track of one invoice among thousands.

In addition, cybercriminals launched a wide-scale campaign to infect WordPress websites, including the blog of the UK newspaper The Independent. Angler was once again to blame for this incident. The exploit kit downloaded either TeslaCrypt or another Trojan called BEDEP, which in turn downloaded the infamous CryptoLocker.
According to Trend Micro, the blog was infected on November 21. Staff resolved the problem and recently (December 9) redirected visitors to the newspaper’s main page.
Representatives of The Independent stated that only a few people visited the infected page, as it was very old, and that there were no signs that anybody had been infected by the Trojan on their site. That said, the total number of users directed to the page carrying the Trojan reached 4,000+ per day. If visitors did not have the latest Adobe Flash updates, Angler could have exploited the vulnerability and infected their systems.

This time the cybercriminals have changed their aim and are targeting companies rather than home users. According to Heimdal Security, the new ransomware is terrorizing European corporations. We have also tracked a huge surge of activity in Japan. It is impossible to tell which country will be the next victim.
If you want to protect yourself from ransomware, or at least reduce the potential harm, we highly recommend following these tips.

  1. Use up-to-date security solutions. For example, Kaspersky Internet Security and Kaspersky Total Security have a built-in System Watcher module, which doesn’t allow ransomware to encrypt data, thereby making users invulnerable to TeslaCrypt.
  2. Always install software updates. Bugs and vulnerabilities are regularly found in office suites, browsers and Adobe Flash, and updates and patches that “treat” these security holes are released on a regular basis. Keeping software up to date increases your security many times over.
  3. Make regular backups. For example, Kaspersky Total Security can minimize the effort needed for that. Even if all security measures prove fruitless and your system is infected, you will be able to clean the system with the help of the antivirus and restore your files from backups.

If you are a victim of ransomware looking for a solution to the problem, we regret to say that there is no universal cure. If you have a key, you can use the previously mentioned TeslaDecoder or a similar tool provided by Cisco.
Without a key it is almost impossible to do anything. Nevertheless, we highly recommend that you do not pay the ransom if at all possible. If people do not pay, the ransomware business will become unprofitable and cybercriminals will have less motivation to release the next season of the ransomware series.