“While this may look identical to TeslaCrypt it does have some improvements like deleting the VSS to make sure you aren't saved by your shadow volume,” Webroot researchers shared. It also makes sure to execute the process quietly (i.e., no messages are shown to the victim).
The criminals are asking for the ransom to be paid in Bitcoin, which ensures anonymity and easy laundering of the money via Bitcoin mixers.
“The volatility of this variant is quite high since it creates new instances of common Windows processes to do the encryption routine to try and be as covert as possible and is extremely similar to how Cryptowall 3.0 operates,” the researchers noted.
Brad Duncan, a security researcher at Rackspace, has also been analyzing the malware, and says that it is currently being delivered via the Angler exploit kit.
Both the Flash exploit and the actual malware payload had an extremely low detection rate (2/57 and 5/57, respectively) on VirusTotal, but the detection rate has improved in the last few days.