It’s hard to think of a nastier computer infection than one which makes a user’s personal information inaccessible and, even worse, extorts money in exchange for returning the data. Malware that exhibits these characteristics has a generic name: ransomware. The term has become an IT security buzzword as these viruses appear to have approached their peak within the past year. The latest sample, called TeslaCrypt, which surfaced in mid-March, is both commonplace and fairly unusual at the same time.
The operational formula used in this campaign includes exploit-based infection of the computer, scanning of the affected machine for specific file types, encrypting the files found and demanding a ransom payment. This is a fairly standard workflow, also followed in other similar campaigns such as the CryptoLocker and Cryptowall frauds. What makes TeslaCrypt deviate from the “norm” is the files that it hits: the targeted information is related to the victim’s gaming activities. More specifically, the ransomware is programmed to scan for files that correlate with saved online games and Steam activation keys. The range of targeted data is therefore narrower than is usual in these scenarios, but the impact is probably just as severe, because one’s gaming history and associated data are typically the product of considerable effort and a lot of time.
In its distribution, TeslaCrypt relies on the exploit kit called Angler, though the campaign is reportedly beginning to evolve further and take advantage of the Sweet Orange and Nuclear kits. Users get infected after a Flash exploit on a random compromised website redirects their browser to the web page hosting the exploit kit. Once on the computer, the malware tampers with the system by preventing the user from accessing such OS-native tools as Registry Editor, Task Manager, the System Configuration interface, the command-line utility, etc. It scans the hard drive for game-specific file extensions and, when they are found, encrypts the files with the symmetric AES-256 standard.
The program then changes the desktop wallpaper to a message stating that the user’s personal files are encrypted and demanding a ransom of 1.5 BTC, or about $400, to be paid within 96 hours, otherwise the data will be irrecoverable. The victim is given a unique Bitcoin address, and further transactions are to be performed over a Tor connection, which makes the interaction anonymous and hard to track.
One of the problems with recovering the encrypted information is that TeslaCrypt removes these files’ Shadow Volume Copies, the principal instrument in most of the available ransomware workarounds. Luckily, experts at Cisco recently came up with a decryption tool that can be used in this case, but its effectiveness depends on a number of factors, including the presence of a file named “key.dat”. At the end of the day, users are strongly recommended to keep their operating system and third-party software patched on a regular basis, so that vulnerabilities cannot be exploited to turn the system into low-hanging fruit for attackers.
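As an added example (not part of the original article and not Cisco's tool), here is a small Python detector for the behaviour sequence described above: one process writing to many game-save files and also removing Shadow Volume Copies. The event format, the game-save extension list, the process ids and the sample telemetry are all constructed, and `vssadmin` is assumed as the command used to delete shadow copies.

```python
"""Behavioural detector for the TeslaCrypt-style sequence described above: a burst
of writes to game-save files by one process, plus Shadow Volume Copy deletion.
Added example, not from the original article or Cisco's tool; the event format,
extension set, pids and sample telemetry are constructed."""
from collections import defaultdict

# Constructed stand-ins for the saved-game / activation-key files the article
# says TeslaCrypt scans for; replace with the real list in production.
GAME_EXTS = (".sav", ".save", ".profile", ".vdf")
# Both tokens must appear in a command line to count as shadow-copy removal.
SHADOW_DELETE_TOKENS = ("vssadmin", "delete shadows")


def detect(events, min_files=5, window=60):
    """Return {pid: {"files": n, "shadow_delete_at": t}} for each process that wrote
    >= min_files distinct game-save files within `window` s and also deleted
    shadow copies. Events are dicts with keys t, pid, kind and path or cmd."""
    writes = defaultdict(list)   # pid -> [(t, path)] in time order
    shadow_del = {}              # pid -> time of first shadow-copy deletion
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["kind"] == "write" and ev["path"].lower().endswith(GAME_EXTS):
            writes[ev["pid"]].append((ev["t"], ev["path"]))
        elif ev["kind"] == "exec":
            cmd = ev["cmd"].lower()
            if all(tok in cmd for tok in SHADOW_DELETE_TOKENS):
                shadow_del.setdefault(ev["pid"], ev["t"])
    hits = {}
    for pid, ws in writes.items():
        if pid not in shadow_del:
            continue  # many saves but no shadow-copy removal: probably a game
        best, start = set(), 0   # largest set of distinct paths in one window
        for end in range(len(ws)):
            while ws[end][0] - ws[start][0] > window:
                start += 1
            cur = {p for _, p in ws[start:end + 1]}
            if len(cur) > len(best):
                best = cur
        if len(best) >= min_files:
            hits[pid] = {"files": len(best), "shadow_delete_at": shadow_del[pid]}
    return hits


# Constructed telemetry: pid 4242 acts like the ransomware, pid 77 is a game
# saving normally, pid 900 is an administrator clearing shadow copies by hand.
SAMPLE_EVENTS = [
    {"t": 10 + i, "pid": 4242, "kind": "write", "path": f"C:\\Games\\slot{i}.sav"}
    for i in range(6)
] + [
    {"t": 20, "pid": 4242, "kind": "exec", "cmd": "vssadmin delete shadows /all"},
    {"t": 5, "pid": 77, "kind": "write", "path": "C:\\Games\\auto.sav"},
    {"t": 6, "pid": 77, "kind": "write", "path": "C:\\Games\\auto.profile"},
    {"t": 30, "pid": 900, "kind": "exec", "cmd": "vssadmin delete shadows /all"},
]
```

Running `detect(SAMPLE_EVENTS)` flags only pid 4242; the game process and the lone administrator command each satisfy just one half of the sequence and are left alone.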