TeslaCrypt: New versions and delivery methods, no decryption tool


TeslaCrypt ransomware was first spotted and analyzed in early 2015, and soon enough researchers created a decryption tool for it.

The malware has since reached versions 4.0 and 4.1 but, unfortunately, there is currently no way to decrypt the encrypted files except by paying the ransom and receiving the key.

One of the latest changes to the malware is that it no longer uses an extension for encrypted files, making it more difficult for victims to identify the threat for what it is (ID Ransomware should help with that).

Another big change is that TeslaCrypt is no longer delivered only via exploit kits, but also via spam emails.


Endgame researchers spotted the latest of these spam campaigns: emails supposedly containing proof of a successful package delivery. Unfortunately, the attached ZIP files instead contain a JavaScript file that acts as a downloader, using the local Windows Script Host (wscript) to fetch the payload (i.e. TeslaCrypt).

TeslaCrypt infection process

The use of malicious JavaScript attachments is the malware peddler’s latest trick to get users to infect their computers.
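A mail gateway or attachment scanner can flag this delivery method before the user ever double-clicks the lure. The following is an added example (not code from the article or from Endgame) that opens a ZIP attachment in memory and reports any member that Windows Script Host would execute. It generalises the article's ".js inside a ZIP" case slightly: the extension list also covers the other WSH script types, only the final suffix is checked so double extensions such as "Notice.pdf.js" are caught, and one level of nested ZIP is inspected. The extension list, function names and the sample attachment are all assumptions constructed for the example.

```python
import io
import zipfile
from typing import List

# File types Windows Script Host (wscript/cscript) or mshta will run on double-click.
# Assumed list for this example; the article itself only mentions .js attachments.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# How many levels of "ZIP inside a ZIP" to open; keeps the scanner bounded.
MAX_NESTING = 1


def script_members(zip_bytes: bytes, depth: int = 0) -> List[str]:
    """Return the names of archive members that would run under Windows Script Host.

    Only the final suffix is examined, so a double extension like 'Notice.pdf.js'
    is still reported. Nested ZIP members are opened up to MAX_NESTING levels deep
    and their findings are prefixed with the outer member name.
    """
    findings: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        # Not a ZIP at all: nothing for this check to say about it.
        return findings
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            suffix = lower[lower.rfind("."):] if "." in lower else ""
            if suffix in SCRIPT_EXTENSIONS:
                findings.append(name)
            elif suffix == ".zip" and depth < MAX_NESTING:
                inner = script_members(archive.read(info), depth + 1)
                findings.extend(f"{name}/{member}" for member in inner)
    return findings


def classify_attachment(zip_bytes: bytes) -> str:
    """Policy decision for a ZIP attachment: 'quarantine' if it carries a script, else 'deliver'."""
    return "quarantine" if script_members(zip_bytes) else "deliver"


def build_sample_attachment(nested: bool = False) -> bytes:
    """Construct a ZIP resembling the delivery-notification lure (sample data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if nested:
            # Lure wrapped one level deeper: a ZIP containing the script-bearing ZIP.
            zf.writestr("inner.zip", build_sample_attachment(nested=False))
        else:
            # Double extension intended to look like a PDF in a file browser.
            zf.writestr("Delivery_Notification.pdf.js",
                        "// constructed placeholder text, not a real downloader\n")
        zf.writestr("readme.txt", "Your parcel has been delivered.\n")
    return buf.getvalue()


def build_benign_attachment() -> bytes:
    """Construct a ZIP with no executable content, for comparison (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "Nothing to see here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_sample_attachment()),
                        ("nested lure", build_sample_attachment(nested=True)),
                        ("benign", build_benign_attachment())):
        print(f"{label}: {classify_attachment(data)} {script_members(data)}")
```

The check is deliberately extension-based rather than signature-based: the campaign's usefulness to the attacker comes from the file type being executed by the script host, so blocking script types in archived attachments at the gateway removes the delivery path regardless of which downloader variant is inside.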

Once the attachment is unzipped and run, the infection process follows the steps shown in the figure below:

[Figure: TeslaCrypt infection process diagram; image not reproduced here]

“During the encrypting, [the malware] generates the public key based on the encrypted private key. The implant begins encrypting all accessible files [with the targeted extensions]. Finally, it displays the ransom note in three forms: text, image, and web page. The binary will then notify the C2 server of the presence of a new victim,” Endgame researchers explain.

Unfortunately, the malware initially went undetected by most AV solutions.

“TeslaCrypt 4.1A is indicative of the broader trend we’re seeing in ransomware. While the targeted, high-value targets dominate the press, ransomware is increasingly opportunistic as opposed to targeted. These randomized spam campaigns rely on infiltrating a very small percentage of targets, but are still extremely lucrative given their widespread dispersion,” the researchers pointed out.

“In addition, the shortened time-frame between variants also reflects the trends in ransomware over the last 6-12 months. The speed to update between variants is shrinking, while the sophistication is increasing. This makes reverse engineering the malware more onerous, including the use of deception techniques such as misleading researchers that RSA-4096 encryption is used when in reality it was AES-256. In short, not only does the spam campaign attempt to deceive potential targets, but TeslaCrypt 4.1A also aims to mislead and stay ahead of researchers attempting to reverse engineer it.”
