Cyber-criminals refine TeslaCrypt ransomware with changes to encryption

Ransomware conceals identity as demands grow to £320 to release user data


Security researchers have warned that a new version of the TeslaCrypt ransomware has been updated with more features, including an enhanced encryption scheme and a look and feel brought more in line with CryptoWall.

TeslaCrypt is a variant of CryptoLocker and has broadened its scope to target gamers as well as other internet users.

According to research from Kaspersky, the malware has dropped its own user interface for telling victims that their files have been encrypted; instead it directs them to a web page, copied from CryptoWall, that warns that their files have been locked.

In a blog post, Fedor Sinitsyn of Kaspersky Lab said that he could only guess why the criminals pretended the malware was CryptoWall.

“Perhaps the attackers wanted to impress the gravity of the situation on their victims: files encrypted by CryptoWall still cannot be decrypted, which is not true of many TeslaCrypt infections,” he said.

More ominous is the improved encryption process. TeslaCrypt encrypts user files on the local machine, then demands payment. While security firms have made strides in decrypting the data that these types of malware lock up, the change to encryption may make this more difficult in future.

“The encryption scheme has been improved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm. The cyber-criminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone,” said Sinitsyn.

He added that each file is encrypted using the AES-256-CBC algorithm with session_priv as the key. “An encrypted file gets an additional extension, ‘.zzz’. A service structure is added to the beginning of the file, followed by encrypted file contents,” he said.

Also gone from the updated version is the decryption routine built into the malware itself, a weakness that researchers had been able to exploit to recover victims' files.

According to David Kennerley, senior manager for Threat Research at Webroot, while gamers were the initial focus of attacks, other users should be on their guard.

“This new build is a nightmare for everyone, including organisations – this ransomware doesn't differentiate,” he told SCMagazineUK.com.

He warned that the malware delivered on its threats.

“TeslaCrypt 2.0 - with its encryption scheme improvements - works – it's as simple as that. If infected with TeslaCrypt 2.0 you have two choices, pay the bitcoin ransom payment or restore from backup. It looks to encrypt hundreds of different file types, from Excel docs to game mods. It can even encrypt network shares, so the mitigation technique of organisations protecting network shares isn't feasible,” he added.

Kerry Davies, CEO of Abatis, told SC that depending on the way the ransomware discriminates whether to attack or not, “it could start background encryption as soon as it lands on any machine.”

“In the worst case the infection may be undiscovered for some time and could potentially be backed up - thereby reducing the possibility of recovering from infection by going to the backups. In large corporates the potential for an insidious and large-scale infection is significant if the infection makes it onto a shared drive,” he said.

Rafe Pilling, security researcher at Dell SecureWorks, told SCMagazineUK.com that while gamers have received the most attention as victims of the malware, what the criminals are really targeting are valuable digital assets that people will pay to get back.

“It happens that online gamers place a great deal of value on their gaming achievements and so make a good target set. Clearly the criminals are thinking about how to make the best return on their investment. TeslaCrypt also targets a wide range of common file types commonly used in the enterprise environment. We have observed TeslaCrypt infections across a range of client verticals. Any organisation could potentially be at risk,” he said.

Chris Boyd, malware intelligence analyst at Malwarebytes, told SC that with TeslaCrypt 2.0 being so new, it will take time to find potential flaws in its code and devise ways to recover files without paying the ransom.

“Organisations and individuals should take care to have a rigorous backup routine on drives which are kept offline, with non-sensitive data being kept in the cloud as a secondary backup. Unfortunately, we tend to decide backing up is a great idea only once everything has already been lost - we need to start doing it the other way round,” he added.