TeslaCrypt 2.0 Conceals its Identity to Demand a $500 Ransom
Kaspersky Lab has detected curious behaviour in a new threat from the TeslaCrypt ransomware encryptor family. version 2.0 of the Trojan notorious, for infecting computer gamers, displays an HTML page in the web browser which is an exact copy of CryptoWall 3.0, another notorious ransomware program. After a successful infection, the malicious program demands a $500 ransom for the decryption key, which doubles with the delay.
Most TeslaCrypt infections occur in the USA, Germany, Spain, Italy, France and United Kingdom. Early samples of TeslaCrypt were detected in February 2015. It tries to infect typical gaming files: game saves, user profiles, recoded replays etc. That said TeslaCrypt does not encrypt files that are larger than 268 MB.
When a new victim is infected, TeslaCrypt generates a new unique Bitcoin address to receive the victim’s ransom payment and a secret key to withdraw it. C&C servers are located in the Tor network. Version 2.0 uses two sets of keys: one is unique within one infected system, the other is generated repeatedly each time the malicious program is re-launched in the system.
Programs from TeslaCrypt malware the propagation mechanism, the victim visits an infected web site and the exploit’s malicious code uses browser vulnerabilities, most typically in plug-ins, to install the dedicated malware on the target computer.
According to Altaf Halde, Managing Director – South Asia, Kaspersky Lab, “Ransomware malware is a digital mechanism for extortion. It blocks access to a computer system until a ransom is paid or to user or company data or both. CryptoLocker, CryptoWall, CoinVault, TorLocker, CoinVault and CTB-Locker are examples of ransomware. A ransomware attack is typically delivered via an email that includes an attachment that could be an executable file, an archive or an image. Once the attachment is opened, the malware is deployed on the user’s system. A key motivation for cybercriminals executing a ransomware attack is to extort money from victims.”
Users can protection themselves by creating backup copies of all important files on a regular basis and keep them on media that are physically disconnected immediately after the backup copying is completed. The software must be update in a timely fashion.
Kaspersky Lab’s products detect this malicious program as Trojan-Ransom.Win32.Bitman.tk and successfully protect users against this threat. This registers activity when suspicious applications attempt to open a user’s personal files and immediately makes local protected backup copies of them. If the application is then judged to be malicious, it automatically roll backs unsolicited changes by replacing those files with copies. In this way, users are protected from yet unknown cryptomalware
