TeslaCrypt ransomware hackers caught using Angler EK and Tor

News by Rene Millman

Angler exploit kit use in TeslaCrypt ransomware signals new trend in blackmailing malware

Hackers are distributing the TeslaCrypt ransomware using the Angler exploit kit and Tor network in a new bid to hold organisations to ransom for thousands of dollars.

According to a security advisory by the Dell SecureWorks Counter Threat Unit (CTU), the team of researchers unearthed the sting in early February this year.

“Dell SecureWorks CTU researchers investigated a new file-encrypting ransomware family named TeslaCrypt which was distributed by the popular Angler browser exploit kit,” the firm said.

TeslaCrypt is used by criminals to blackmail victims by encrypting files and locking people out of their machines. It targets file formats from productivity suites such as Open Office and Microsoft Office, as well as formats associated with video games and creative applications, according to the research unit.

“After encrypting popular file types with the AES-256 encryption algorithm, TeslaCrypt holds the files for a ransom of US$ 250 to US$ 1,000,” it added.

What makes the campaign more dangerous is the Angler exploit kit itself, which uses advanced infection techniques.

"It uses a memory-resident, file-less mechanism called Bedep that minimises the observable footprint of an infection. Bedep can download additional malware payloads and initiate advertising click-fraud activity," according to the advisory.

Dell SecureWorks said that Angler has exploited several Adobe Flash Player zero-day vulnerabilities in early 2015. “Exploit kits distributing commodity-style malware rarely exploit zero-day vulnerabilities,” it added.

It said that like malware families such as the Chanitor downloader, TeslaCrypt hosts its command and control (C2) infrastructure on the Tor anonymity network. The TeslaCrypt C2 servers and ransom payment server reside within the Tor network as hidden services.

Compromised systems communicate with these hidden servers through publicly available web-to-Tor gateways and also through proxy servers located on attacker-controlled assets.

Researchers said that they were unaware of additional malware families associated with the TeslaCrypt threat actors.

“The group's infrastructure shows involvement in additional fraudulent activity, including theft of financial data and other credentials. TeslaCrypt does not contain credential theft or data exfiltration capabilities,” the report said.

Dell SecureWorks said that file-encrypting ransomware continues to be a growing trend in malicious software and while the Cisco Talos decryption tool allows many victims to recover files, users should block executable files, keep operating systems, browsers and browser plugins patched, and implement software restriction policies "to prevent programs like TeslaCrypt from executing in common directories such as %AppData%".
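One way to put the last recommendation into practice, as an added example that is not part of the article or of Dell SecureWorks' advisory: local Software Restriction Policy path rules that set executables under %AppData% to the Disallowed level. The rule patterns, the policy-wide values and the need to log off before trusting the result are assumptions, not anything the article states.

```powershell
# Added example (not from the article): disallow executables launched from %AppData%
# using Software Restriction Policy registry settings. Run from an elevated prompt.
# Assumption: log off or restart before relying on the rules being enforced.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Policy-wide settings: DefaultLevel 0x40000 = Unrestricted (everything else still runs),
# TransparentEnabled 1 = enforce for all software, PolicyScope 0 = all users.
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name 'DefaultLevel'       -Type DWord -Value 0x40000
Set-ItemProperty -Path $base -Name 'TransparentEnabled' -Type DWord -Value 1
Set-ItemProperty -Path $base -Name 'PolicyScope'        -Type DWord -Value 0

# Path rules for the Disallowed level live under subkey "0". The two patterns are an
# assumption: one for files directly in %AppData%, one for any subfolder of it.
$disallowed = Join-Path $base '0\Paths'
$patterns   = @('%AppData%\*.exe', '%AppData%\*\*.exe')

foreach ($pattern in $patterns) {
    $ruleKey = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ so %AppData% expands per user when the rule is evaluated.
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Type ExpandString -Value $pattern
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Type String       -Value 'Block executables dropped in AppData'
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Type QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc())
}

# Audit step: list every Disallowed path rule so the change can be reviewed.
Get-ChildItem -Path $disallowed | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    '{0,-28} {1}' -f $p.ItemData, $p.Description
}
```

Some legitimate software installs and updates itself from %AppData%, so run the audit on a test machine first and add Unrestricted rules for those specific paths before rolling the policy out.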

Paul McEvatt, lead security specialist and cyber consultant at Fujitsu, told SCMagazineUK.com that ransomware is “definitely on the rise again”.

“One recent example of Alphacrypt we analysed was still only known by 16 of the antivirus vendors on VirusTotal on the 3rd day after infection, which highlights why relying on traditional signature-based platforms is no longer enough,” he said.

Ollie Whitehouse, technical director at security consultants NCC Group, told SC in an email that malicious code defence in depth is key to reducing the likelihood of a ransomware attack. Beyond that, backups and disaster recovery plans are critical if these defences fail, enabling organisations to retrieve earlier unencrypted versions of their data and files.

“Paying these criminal groups only validates the business model. By paying the ransom it encourages others to enter the market and thus increases the likelihood that more businesses will fall victim. Of course, there is also no guarantee that this will result in their files being returned,” said Whitehouse.

Luke Potter, operations manager at risk and compliance firm SureCloud, told SC that once a machine is infected it can spread quickly to network shares and mapped drives, leaving the organisation no choice but to restore from recent backups to retrieve ‘unencrypted’ copies of their files.

“Reviewing network segregation and user access rights can help to limit the potential spread of an infection. Once an infection is detected, it's critical that any compromised machines are isolated/removed from the corporate network as soon as possible, and subsequently fully reimaged and re-deployed,” said Potter.

Kevin O'Reilly, senior consultant at Context Information Security, told SC that the infection vector used here is an exploit kit, which implies that a vulnerable browser is exploited on the target.

“Since these kits almost always use exploits that have been in the public domain and patched for some time, the obvious implication is that by keeping your browser and other software up to date (and using a more secure browser than Internet Explorer, perhaps Firefox or Chrome) you can protect yourself against such exploits and thus infection. This holds particularly for browser plugins, but should extend to the operating system too,” he added.

He said that since the ransomware will encrypt files as soon as it gets installed onto a target system, the defence at this stage can only be having a secure backup (i.e. inaccessible and unmodifiable by the malware) of all your data.

“It would be advisable to apply the principle of least privilege to access permissions on data stores such as network shares to minimise the impact of a network host being infected,” said O'Reilly.

Catalin Cosoi, chief security strategist at Bitdefender, told SC that organisations “should educate employees in good computer practices, in identifying social engineering attempts and spear-phishing emails. These are some of the most common vectors of infection.”
