TeslaCrypt 4.1a: Refreshed and Ready for Action

The ransomware that started out in February 2015 infecting gamers is back in the game again. In the past two weeks there have been two updated versions released with increased evasion capability and an expanded list of extensions for encryption: (.7z; .apk; .asset; .avi; .bak; .bik; .bsa; .csv; .d3dbsp; .das; .forge; .iwi; .lbf; .litemod; .litesql; .ltx; .m4a; .mp4; .rar; .re4; .sav; .slm; .sql; .tiff; .upk; .wma; .wmv; and .wallet.). This latest version has been listed as version 4.1A.

How it started life
Last time around, TeslaCrypt used exploit kits (EK) on landing pages targeting gamers. These EK targeted vulnerabilities in applications including Adobe Flash Player and Internet Explorer. The security consultants FireEye traced a number of bitcoin accounts and found that in the first three-month period after launching, TeslaCrypt netted $76k (and this was probably not the total product of the malware for that period). While this is a small amount compared to some other ransomware takings, it was certainly a promising start for the developers.

TeslaCrypt Graduates
Now it’s utilizing the method of spam e-mail attachments masquerading as notices from shipping companies. When opened, these launch a JavaScript down-loader (using Windows Script Host) that brings the TeslaCrypt binary from greetingsyoungqq[.]com/80.exe. Researcher Amanda Rousseau, outlining the findings said of the improved evasive measures: “It’s really like they are trying hard to hide strings in memory. It’s much harder for [antivirus] to detect if it’s not scanning memory’. Using Wscript helps the malware to evade scans because in appears as a legitimate Windows communication and security software developers are rushing to produce updates as the variants emerge.

Other techniques that have been incorporated in v4.1A for obfuscation is the use of COM objects (component object model objects) that hide string extractions, and deletes zone identifiers. Monitoring is also hampered by Windows processes that TeslaCrypt terminates: Registry Editor, Task Manager, System Configuration; SysInternals Process Explorer, and Command Shell. It also creates a copy of itself to disk and gives this a registry value for good measure.

The other TeslaCrypt improvement since early versions is that it now has the ability to encrypt any network shares that the infected device is connected with.

The Future
The first few variants of the TeslaCrypt ransomware have been decrypted, though the later versions after v3.0 remain as yet un-cracked. Researchers are studying data that the malware leaves on an infected system in an attempt to update the previous decryptor. As the pace of malware development continues accelerating, so must the research to prevent it. For business networks, this is essential. The home user should also learn about the scourge of ransomware, and how to defend against it.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.