A newly crafted ransomware, Teslacrypt, has arrived in the malware genre that encrypts user files using AES encryption and demands money to decrypt the files. This ransomware infects systems from a compromised website that redirects victims to a site running the Angler exploit kit. (For more on Angler, read the McAfee Labs Threats Report, February 2015.) This ransomware, like many others, encrypts document files including text, pdf, etc. to force victims to pay a ransom to have their files restored.
Upon execution, this malware copies itself to the AppDataRoaming folder.
- C:UsersAdministratorAppDataRoamingiylipul.exe
- C:UsersAdministratorAppDataRoamingkey.dat
- C:UsersAdministratorAppDataRoaminglog.html
Teslacrypt is compiled with C++. After executing, victims see the following window:
The malware asks victims to follow certain steps to obtain the private key from the server to decrypt the encrypted files.
Teslacrypt uses the following icons to confuses users into thinking that this threat is the same as CryptoLocker. Earlier the malware’s icon was called Teslacrypt, but now it is called CryptoLocker.
- Windows XP
- Windows 7
The malware’s parent file creates another process and also starts a thread that performs other malicious activities on the system after resuming the thread. The name of the thread is the same as of the parent file. This variant also uses debugging functions to check the context of the thread.
In the preceding screenshot “GetThreadContext” and “SetThreadContext” are the debugging functions that check the context of the thread.
After creating the thread, the malware terminates the following running processes:
- ProcessExplorer
- Cmd.exe
- Regedit.exe
- taskmgr
- msconfig
The malware then tries to delete shadow copies of the system through vssadmin.exe, so that the victim cannot return to previous system restore points. Also it targets the Zone.Identifier NTFS stream to delete the downloaded-files history from the system.
We found the following strings in memory; these are the targeted file extensions that the malware will encrypt.
Some of the affected games and gaming software:
- Bethesda Softworks settings file
- F.E.A.R. 2 game
- Steam NCF Valve Pak
- Call of Duty
- EA Sports
- Unreal 3
- Unity scene
- Assassin’s Creed game
- Skyrim animation
- Bioshock 2
- Leagues of Legends
- DAYZ profile file
- RPG Maker VX RGSS
- World of Tanks battle
- Minecraft mod
- Unreal Engine 3 game file
- Starcraft saved game
- S.T.A.L.K.E.R. game file
- Dragon Age Origins game
The malware sends the victims’ information to its control server:
It also stores information about the encrypted files in HTML format for later use.
We have seen the following network activity for this ransomware:
The following table describes the commands sent to the control server:
The encryption of this ransomware has not yet been cracked. The only apparent way to recover the files is to pay the ransom. (However, not all ransomware attackers decrypt files, even after receiving payment.) The attackers also offer “free” decryption, which is a fake offer.
The attacker demands a payment of either BTC1.5, or US$1,000 if victims use PayPal. The attacker prefers Bitcoins because they are harder to trace; thus payment by Bitcoin is cheaper than by PayPal.
Intel Security advises users to keep their antimalware signatures up to date at all times. McAfee products detect this threat as Ransom-Tescrypt! and Ransom-FXX!
I would like to thank my colleague Lenart Brave, who helped research this malware.
The post Teslacrypt Joins Ransomware Field appeared first on McAfee.