One of the latest changes to the malware is that it no longer uses an extension for encrypted files, making it more difficult for victims to identify the threat for what it is (ID Ransomware should help with that).
TeslaCrypt infection process
Once the attachment is unzipped and run, the infection process follows these steps:
“During the encrypting, [the malware] generates the public key based on the encrypted private key. The implant begins encrypting all accessible files [with the targeted extensions]. Finally, it displays the ransom note in three forms: text, image, and web page. The binary will then notify the C2 server of the presence of a new victim,” Endgame researchers explain.
Unfortunately, the malware initially went undetected by most AV solutions.
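Two of the behaviours described above give a responder something concrete to look for on a suspect host: encrypted files are left with no extension, and a ransom note is dropped in three forms (text, image, web page) next to them. The script below is an added example written for this page, not code from the article or from Endgame, that walks a directory tree and flags extensionless files which are high-entropy and carry no recognisable file header, then reports any text/HTML/image triplet sharing one filename stem in the same folder. The entropy threshold, the minimum file size, the note stem used in the constructed sample tree and the sample files themselves are assumptions for illustration, not values taken from the malware.

```python
import json
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Assumed thresholds for this example (not from the article or Endgame's analysis).
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data approaches 8.0
MIN_SIZE = 256            # entropy estimates on tiny files are noisy, skip them

# Real magic bytes for a handful of common formats; a file starting with one of these
# is an intact file of that type, not ciphertext, even if it has no extension.
KNOWN_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/ooxml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"\x7fELF": "elf",
    b"MZ": "pe",
}

# Extensions accepted for the three ransom-note forms the article lists.
NOTE_TEXT_EXT = {".txt"}
NOTE_WEB_EXT = {".html", ".htm"}
NOTE_IMAGE_EXT = {".png", ".bmp", ".jpg", ".jpeg"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_magic(data: bytes) -> Optional[str]:
    """Return the format name if the data starts with a known header, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def is_suspect_encrypted(path: Path) -> bool:
    """Heuristic: big enough, no recognised header, and near-random byte distribution."""
    try:
        data = path.read_bytes()
    except OSError:
        return False
    if len(data) < MIN_SIZE or known_magic(data) is not None:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def ransom_note_stems(directory: Path) -> List[str]:
    """Stems that exist in a text, a web and an image form inside one directory."""
    by_stem: Dict[str, set] = {}
    for p in directory.iterdir():
        if p.is_file():
            by_stem.setdefault(p.stem.lower(), set()).add(p.suffix.lower())
    return sorted(
        stem for stem, exts in by_stem.items()
        if exts & NOTE_TEXT_EXT and exts & NOTE_WEB_EXT and exts & NOTE_IMAGE_EXT
    )


def scan_directory(root: Path) -> Dict[str, list]:
    """Walk root; only extensionless files are tested, matching the behaviour described."""
    suspect: List[str] = []
    notes: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        for name in files:
            p = d / name
            if p.suffix == "" and is_suspect_encrypted(p):
                suspect.append(p.relative_to(root).as_posix())
        for stem in ransom_note_stems(d):
            notes.append((d.relative_to(root).as_posix(), stem))
    return {"suspect_files": sorted(suspect), "ransom_note_triplets": sorted(notes)}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the example; nothing here is a real TeslaCrypt artefact."""
    rng = random.Random(20160420)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    docs = root / "Documents"
    docs.mkdir(parents=True)
    # Extensionless, high-entropy, headerless: what an encrypted document looks like on disk.
    (docs / "quarterly_report").write_bytes(rand(8192))
    (docs / "family_photo").write_bytes(rand(8192))
    # Intact files that must not be flagged.
    (docs / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + rand(4096))   # has a header
    (docs / "archive.zip").write_bytes(b"PK\x03\x04" + rand(4096))        # compressed, has a header
    (docs / "notes.txt").write_bytes(b"meeting notes, nothing encrypted here\n" * 40)
    (docs / "README").write_bytes(b"plain text without an extension\n" * 40)  # extensionless, low entropy
    # Ransom note in the three forms the article lists; the stem name is an assumption.
    for ext in (".txt", ".html", ".png"):
        (docs / f"RECOVER_FILES{ext}").write_bytes(b"your files were encrypted")
    (root / "Clean").mkdir()
    (root / "Clean" / "todo.txt").write_bytes(b"nothing to see\n" * 40)


def run_demo() -> Dict[str, list]:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The header check matters more than it looks: compressed archives and already-encrypted containers score as high as ciphertext on entropy alone, so without the magic-byte exclusion a backup folder full of zips would light up as an infection. Conversely the heuristic says nothing about which family did the encrypting; for attribution the ransom note, fed to a service such as ID Ransomware, is the better artefact.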
“TeslaCrypt 4.1A is indicative of the broader trend we’re seeing in ransomware. While the targeted, high-value targets dominate the press, ransomware is increasingly opportunistic as opposed to targeted. These randomized spam campaigns rely on infiltrating a very small percentage of targets, but are still extremely lucrative given their widespread dispersion,” the researchers pointed out.
“In addition, the shortened time-frame between variants also reflects the trends in ransomware over the last 6-12 months. The speed to update between variants is shrinking, while the sophistication is increasing. This makes reverse engineering the malware more onerous, including the use of deception techniques such as misleading researchers that RSA-4096 encryption is used when in reality it was AES-256. In short, not only does the spam campaign attempt to deceive potential targets, but TeslaCrypt 4.1A also aims to mislead and stay ahead of researchers attempting to reverse engineer it.”