Teslacrypt Joins Ransomware Field

By on Mar 17, 2015

A newly crafted ransomware, Teslacrypt, has joined the malware field. It encrypts user files with AES encryption and demands money to decrypt them. This ransomware infects systems through a compromised website that redirects victims to a site running the Angler exploit kit. (For more on Angler, read the McAfee Labs Threats Report, February 2015.) Like many other ransomware families, it encrypts document files (text, PDF, etc.) to force victims to pay a ransom to have their files restored.


Upon execution, this malware copies itself to the AppData\Roaming\ folder, where we found the following files:

  • C:\Users\Administrator\AppData\Roaming\iylipul.exe
  • C:\Users\Administrator\AppData\Roaming\key.dat
  • C:\Users\Administrator\AppData\Roaming\log.html

Teslacrypt is written in C++. After execution, victims see the following window:


The malware asks victims to follow certain steps to obtain the private key from the server to decrypt the encrypted files.

Teslacrypt uses the following icons to confuse users into thinking that this threat is the same as CryptoLocker. Earlier the malware’s icon was labeled Teslacrypt, but now it is labeled CryptoLocker.

  • Windows XP
  • Windows 7

The malware’s parent file creates another process and starts a thread in it; once the thread is resumed, it performs the other malicious activities on the system. The thread has the same name as the parent file. This variant also uses debugging functions to check the context of the thread.


In the preceding screenshot, “GetThreadContext” and “SetThreadContext” are the debugging functions that check the context of the thread.

After creating the thread, the malware terminates the following running processes:

  • ProcessExplorer
  • Cmd.exe
  • Regedit.exe
  • taskmgr
  • msconfig

The malware then tries to delete the system’s shadow copies through vssadmin.exe, so that the victim cannot return to previous system restore points. It also targets the Zone.Identifier NTFS stream to remove the downloaded-files history from the system.

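As an added illustration that is not part of the original post, the following Python correlator runs over constructed Sysmon-style process-creation records and flags the two behaviours just described: an executable launched from AppData\Roaming, and a vssadmin shadow-copy deletion, escalating when the latter is spawned by the former. The event field names and sample paths are assumptions made for the example.

```python
"""Constructed process-creation events (Sysmon Event ID 1 style) and a small
correlator that flags the Teslacrypt behaviours described in the post."""
import re
from dataclasses import dataclass

# Hypothetical field names, chosen to resemble a Sysmon ID 1 record.
@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the newly created process
    cmdline: str
    parent_image: str

# "vssadmin delete shadows", tolerating case and any trailing flags (/all /quiet)
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# an .exe living directly in AppData\Roaming, as in the paths listed above
ROAMING = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)

def analyse(events):
    """Return (alert_name, pid) tuples in event order.
    - exe_from_roaming:     process image sits directly in AppData\\Roaming
    - shadow_copy_deletion: any vssadmin delete shadows invocation
    - ransomware_chain:     shadow deletion whose parent is a Roaming exe
    """
    alerts = []
    for ev in events:
        if ROAMING.search(ev.image):
            alerts.append(("exe_from_roaming", ev.pid))
        if VSS_DELETE.search(ev.cmdline):
            alerts.append(("shadow_copy_deletion", ev.pid))
            if ROAMING.search(ev.parent_image):
                alerts.append(("ransomware_chain", ev.pid))
    return alerts

# Constructed sample: a benign "list shadows" from cmd.exe plus an infection
# chain matching the post (the dropped-file path is the one listed above).
SAMPLE = [
    ProcEvent(1201, r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\userinit.exe"),
    ProcEvent(1310, r"C:\Users\Administrator\AppData\Roaming\iylipul.exe",
              r"C:\Users\Administrator\AppData\Roaming\iylipul.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1322, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet",
              r"C:\Users\Administrator\AppData\Roaming\iylipul.exe"),
    ProcEvent(1400, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for name, pid in analyse(SAMPLE):
        print(f"{name}: pid {pid}")
```

The benign "vssadmin list shadows" event produces no alert, while the chain from the Roaming executable raises all three.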

We found the following strings in memory; these are the targeted file extensions that the malware will encrypt.


Some of the affected games and gaming software:

  • Bethesda Softworks settings file
  • F.E.A.R. 2 game
  • Steam NCF Valve Pak
  • Call of Duty
  • EA Sports
  • Unreal 3
  • Unity scene
  • Assassin’s Creed game
  • Skyrim animation
  • Bioshock 2
  • League of Legends
  • DAYZ profile file
  • RPG Maker VX RGSS
  • World of Tanks battle
  • Minecraft mod
  • Unreal Engine 3 game file
  • Starcraft saved game
  • S.T.A.L.K.E.R. game file
  • Dragon Age Origins game

The malware sends the victims’ information to its control server:


It also stores information about the encrypted files in HTML format for later use.


We have seen the following network activity for this ransomware:


The following table describes the commands sent to the control server:


The encryption used by this ransomware has not yet been cracked. The only apparent way to recover the files is to pay the ransom. (However, not all ransomware attackers decrypt files, even after receiving payment.) The attackers also offer a “free” decryption, but this offer is fake.


The attacker demands a payment of either BTC1.5, or US$1,000 if victims pay with PayPal. The attacker prefers Bitcoin because it is harder to trace; thus payment by Bitcoin is cheaper than by PayPal.

McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect this threat as Ransom-Tescrypt! and Ransom-FXX!

I would like to thank my colleague Lenart Brave, who helped research this malware.

About the Author

McAfee


  1. I've been assisting a friend hit by this and all I can confirm so far is that AES-256 is used. I uploaded an arbitrary encrypted file from his computer (was not present in the log.html file which only contained a tiny fraction of the actual encrypted files) to the "free decryption" test service online and it was able to return the original document.

    He's considering paying since he has no backups but we have not yet. The analysis posted at http://labs.bromium.com/2015/03/12/achievement-locked-new-crypto-ransomware-pwns-video-gamers/ is also helpful.
