The ransomware that first appeared in February 2015 infecting gamers is back in the game. In the past two weeks two updated versions have been released, with improved evasion capability and an expanded list of file extensions targeted for encryption: .7z, .apk, .asset, .avi, .bak, .bik, .bsa, .csv, .d3dbsp, .das, .forge, .iwi, .lbf, .litemod, .litesql, .ltx, .m4a, .mp4, .rar, .re4, .sav, .slm, .sql, .tiff, .upk, .wma, .wmv and .wallet. The latest of these is being tracked as version 4.1A.
How it started life
Last time around, TeslaCrypt was delivered by exploit kits (EKs) on landing pages aimed at gamers. These kits exploited vulnerabilities in applications including Adobe Flash Player and Internet Explorer. Security firm FireEye traced a number of the operators' bitcoin addresses and found that, in the first three months after launch, TeslaCrypt netted about $76,000 (and this was probably not the malware's total takings for the period). That is small compared with some other ransomware operations, but it was certainly a promising start for the developers.
Other techniques incorporated in v4.1A for obfuscation include the use of COM (Component Object Model) objects to hide string extraction, and deletion of Zone.Identifier streams (the "mark of the web" that Windows attaches to downloaded files, and which defensive tooling uses to treat them with suspicion). Monitoring is also hampered by the Windows processes TeslaCrypt terminates: Registry Editor, Task Manager, System Configuration, Sysinternals Process Explorer and the Command Shell. It also writes a copy of itself to disk and adds a registry value referencing that copy, presumably for persistence.
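As an added example (not code from the article, nor from any vendor's product), the following Python sketches detection logic for the three v4.1A behaviours just described, run over constructed endpoint telemetry. The event format, the process names used as actors, the benign noise and the Run key used for the dropped copy are assumptions for illustration; the article does not say which registry location the malware uses.

```python
"""Detection rules for the TeslaCrypt v4.1A behaviours described above,
evaluated over CONSTRUCTED endpoint telemetry (not real logs)."""
from collections import defaultdict

# Administration and monitoring tools the article says TeslaCrypt terminates
# (image names of the standard Windows / Sysinternals binaries).
MONITORING_TOOLS = {"regedit.exe", "taskmgr.exe", "msconfig.exe",
                    "procexp.exe", "cmd.exe"}

# Constructed telemetry. Fields: t = seconds since start, kind = event type,
# actor = process performing the action, target = object acted on.
EVENTS = [
    {"t": 0, "kind": "file_write", "actor": "invoice.exe",
     "target": r"C:\Users\bob\AppData\Roaming\xj3k.exe"},
    {"t": 1, "kind": "stream_delete", "actor": "invoice.exe",
     "target": r"C:\Users\bob\AppData\Roaming\xj3k.exe:Zone.Identifier"},
    {"t": 2, "kind": "reg_set", "actor": "invoice.exe",
     # Run key is an ASSUMPTION; the article does not name the location.
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xj3k",
     "data": r"C:\Users\bob\AppData\Roaming\xj3k.exe"},
    {"t": 5, "kind": "proc_term", "actor": "xj3k.exe", "target": "taskmgr.exe"},
    {"t": 6, "kind": "proc_term", "actor": "xj3k.exe", "target": "procexp.exe"},
    {"t": 7, "kind": "proc_term", "actor": "xj3k.exe", "target": "regedit.exe"},
    # Benign noise: a user closes a console, then Task Manager, 15 minutes apart.
    {"t": 300, "kind": "proc_term", "actor": "explorer.exe", "target": "cmd.exe"},
    {"t": 1200, "kind": "proc_term", "actor": "explorer.exe", "target": "taskmgr.exe"},
]


def normalise(name):
    """Strip any directory and lower-case an image name or path."""
    return name.rsplit("\\", 1)[-1].lower()


def detect_tool_killing(events, window=60, min_tools=2):
    """Actors that terminate at least `min_tools` DISTINCT monitoring tools
    within `window` seconds. A single kill is normal; a burst is not."""
    kills = defaultdict(list)
    for e in events:
        if e["kind"] == "proc_term" and normalise(e["target"]) in MONITORING_TOOLS:
            kills[normalise(e["actor"])].append((e["t"], normalise(e["target"])))
    flagged = set()
    for actor, hits in kills.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            tools = {tool for t, tool in hits[i:] if t - t0 <= window}
            if len(tools) >= min_tools:
                flagged.add(actor)
                break
    return flagged


def detect_motw_removal(events):
    """(actor, stream) pairs where a Zone.Identifier alternate data stream was
    deleted, i.e. the mark-of-the-web was stripped from a file."""
    return [(normalise(e["actor"]), e["target"]) for e in events
            if e["kind"] == "stream_delete"
            and e["target"].lower().endswith(":zone.identifier")]


def detect_self_copy_persistence(events):
    """A process writes an executable and then sets a registry value whose data
    points at that file: the copy-to-disk-plus-registry-value behaviour."""
    written = defaultdict(set)
    hits = []
    for e in events:
        actor = normalise(e["actor"])
        if e["kind"] == "file_write" and e["target"].lower().endswith(".exe"):
            written[actor].add(e["target"].lower())
        elif e["kind"] == "reg_set":
            data = e.get("data", "").lower().strip('"')
            for path in written[actor]:
                if path in data:
                    hits.append((actor, e["target"], e["data"]))
    return hits


def triage(events, window=60):
    """Combine the three rules into one report keyed by actor process."""
    report = defaultdict(list)
    for actor in detect_tool_killing(events, window):
        report[actor].append("terminates monitoring tools in a burst")
    for actor, stream in detect_motw_removal(events):
        report[actor].append(f"removes mark-of-the-web: {stream}")
    for actor, key, _ in detect_self_copy_persistence(events):
        report[actor].append(f"registers dropped copy under {key}")
    return dict(report)


if __name__ == "__main__":
    for actor, findings in triage(EVENTS).items():
        print(actor)
        for f in findings:
            print("  -", f)
```

The time window in `detect_tool_killing` is what separates a user closing tools over the course of an afternoon from a process killing several of them in seconds; widen it and the benign `explorer.exe` events are flagged too, so tune it against your own baseline before deploying a rule like this.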
The other improvement since the early versions is that TeslaCrypt can now encrypt any network shares the infected device is connected to, which puts backups held on a permanently mapped share at the same risk as local files.
Decryptors exist for the first few TeslaCrypt variants, but the versions after v3.0 remain uncracked. Researchers are studying the data the malware leaves on an infected system in an attempt to update the earlier decryptor. As the pace of malware development accelerates, so must the research to counter it. For business networks this is essential, and home users too should learn about the scourge of ransomware and how to defend against it.