Following positive feedback on our blog a couple of months ago describing CTB Locker we have been requested to do a piece on another ransomware, TeslaCrypt.

Ransomware is a type of malware, becoming more common by the day, which denies access to your computer resources, e.g. by encrypting your personal documents, until a hefty sum is paid to the criminal gang which caused the infection. Ransomware is terribly destructive, which is why my colleague Gregory and I have decided to present our views on how to curb this scourge at the international Virus Bulletin security conference later this year.
Now then, TeslaCrypt. There has been plenty of publicly available data on TeslaCrypt since its emergence in February. Many may currently believe that TeslaCrypt attacks only gamers and gaming software. This is not the case, of course. Like most other ransomware, TeslaCrypt encrypts documents, music and photos. In addition to these common file types it also encrypts files with extensions used specifically by gaming software.
A fresh sample of TeslaCrypt from a couple of days ago reveals that its functionality has not changed much from its first avatar, even as it is enveloped in new robes to evade detection, which it fails to do, by the by. This “latest version” (VV3) of TeslaCrypt encrypts files with the following extensions:

.sql;.mp4;.7z;.rar;.m4a;.wma;.avi;.wmv;.csv;.d3dbsp;.zip;.sie;.sum;.ibank;.t13;
.t12;.qdf;.gdb;.tax;.bc6;.bc7;.bkp;.qic;.bkf;.sidn;.sidd;.mddata;.itl;.itdb;
.hplg;.hkdb;.mdbackup;.syncdb;.gho;.cas;.svg;.map;.wmo;.itm;.sb;.fos;.forge;
.ztmp;.sis;.sid;.ncf;.menu;.layout;.dmp;.blob;.esm;.vcf;.vtf;.dazip;.fpk;.wb2;
.vpk;.tor;.psk;.rim;.w3x;.fsh;.ntl;.arch00;.lvl;.snx;.cfr;.ff;.vpp_pc;.lrf;.ltx;
.vfs0;.mpqge;.kdb;.db0;.dba;.rofl;.hkx;.bar;.upk;.das;.iwi;.litemod;.asset;.xf;
.bsa;.apk;.re4;.sav;.lbf;.slm;.bik;.epk;.rgss3a;.pak;.big;.unity3d;.wotreplay;
.py;.m3u;.flv;.js;.css;.rb;.png;.jpeg;.txt;.p7c;.p7b;.p12;.pfx;.pem;.crt;.cer;
.srw;.pef;.ptx;.r3d;.rw2;.rwl;.raw;.raf;.orf;.nrw;.mrwref;.mef;.erf;.kdc;.dcr;
.bay;.sr2;.srf;.arw;.3fr;.dng;.jpe;.jpg;.cdr;.indd;.ai;.eps;.pdf;.pdd;.psd;.dbf;
.rtf;.wpd;.dxg;.dwg;.pst;.accdb;.mdb;.pptm;.pptx;.ppt;.xlk;.xlsb;.xlsm;.xlsx;
.xls;.wps;.docm;.docx;.doc;.odb;.odc;.odm;.odp;.ods;.odt;.pkpass;.mov;.vdf;
.icxs;.hvpl;.m2;.mcmeta;.mlx;.kf;.iwd;.xxx;.desc;.der;.x3f;.cr2;.crw;.mdf;


A diff between the extension list then (February-end) and now shows the following entries:

> .sql
> .mp4
< .sc2save

> .zip
< .mcgame

> .mov
< .001

> .vcf
< .DayZProfile

> .dba
< .dbfv

> .dbf

“>” indicates a new entry and “<” indicates a removed entry. Interestingly, it appears there is now a reduced emphasis on gamers and more on the general public, with ZIP archives and database-related files among the new targets.
The main ransom demand splash screen and “help” message remain relatively unchanged:

Note that the threat to double the decryption price differs somewhat from the previous version's, which, as usual, claimed that the private key would be deleted once the countdown reached 0.
Encrypted files still appear as <original file name with original extension>.ecc:

TeslaCrypt still masquerades as the infamous Cryptolocker, a year after its demise, by continuing to create a shortcut on the desktop with the said name:

As can be seen from the above image TeslaCrypt continues to execute itself as a randomly-named EXE at the root of the Application Data directory. It still drops a file called key.dat in the same location. It has been reported that key.dat contains the 256-bit AES symmetric key used to encrypt the target files, which is eminently possible. It is worth mentioning that TeslaCrypt contains references to OpenSSL functions, e.g. BN_CTX_new(), which must be used to perform the encryption. The exact format of key.dat is as yet unknown so we are unsure which part of it may be the AES key.
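Because TeslaCrypt keeps the original name and extension in front of the appended .ecc, a responder can recover what was hit straight from a directory listing. The following is an added example (not K7's code, not part of the original post) that parses the post's ';'-separated extension list and triages a constructed set of paths; the sample paths and the excerpt of the list are constructed for illustration.

```python
"""Triage of a TeslaCrypt-style infection (added example, not K7's code).
Finds <name>.<ext>.ecc files, recovers the pre-encryption extension, counts
victims per extension and flags any outside the list quoted in the post."""
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional, Tuple

# Excerpt of the VV3 target-extension list from the post, in its ';'-separated form.
TESLACRYPT_EXT_LIST = (
    ".sql;.mp4;.7z;.rar;.zip;.jpg;.jpeg;.png;.txt;.pdf;.doc;.docx;.xls;.xlsx;"
    ".ppt;.pptx;.pem;.pfx;.p12;.crt;.dbf;.mdb;.accdb;.sav;.unity3d;.vcf;.mov;"
)

def parse_ext_list(raw: str) -> frozenset:
    """Split the ';'-delimited list into a lowercase set, ignoring the trailing ';'."""
    return frozenset(e.strip().lower() for e in raw.split(";") if e.strip())

TARGETED = parse_ext_list(TESLACRYPT_EXT_LIST)

def original_extension(path: str) -> Optional[str]:
    """Pre-encryption extension of a .ecc file; '' if it had none; None if not .ecc."""
    name = PureWindowsPath(path).name
    if not name.lower().endswith(".ecc"):
        return None
    stem = name[:-len(".ecc")]          # strip the appended .ecc
    dot = stem.rfind(".")
    return stem[dot:].lower() if dot > 0 else ""

def triage(paths: Iterable[str]) -> Tuple[Dict[str, int], List[str]]:
    """Count .ecc victims per original extension; list those outside TARGETED."""
    counts: Counter = Counter()
    unexpected: List[str] = []
    for p in paths:
        ext = original_extension(p)
        if ext is None:
            continue                    # untouched file, or key.dat / the dropped EXE
        counts[ext] += 1
        if ext not in TARGETED:
            unexpected.append(p)
    return dict(counts), unexpected

# Constructed directory listing; not from a real incident.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.ecc",
    r"C:\Users\alice\Documents\thesis.docx.ecc",
    r"C:\Users\alice\Pictures\IMG_0001.JPG.ecc",
    r"C:\Users\alice\Documents\notes.txt",          # untouched
    r"C:\Users\alice\Application Data\key.dat",     # dropped by the malware
    r"C:\Games\saves\slot1.sc2save.ecc",            # extension removed from the VV3 list
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

A non-empty "unexpected" list means the sample on the host targets extensions the published list does not mention, which is worth capturing for analysis.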
Thus far we have covered several indicators of compromise, and we hope you are not experiencing an uncomfortable sense of déjà vu whilst reading this blog. Let’s now address the typical queries related to malware, with the focus on TeslaCrypt and other ransomware:

  • How did it get on my computer?

TeslaCrypt’s modus operandi for spreading itself is via hacked websites which trigger exploits against your browser, typically referred to as a drive-by attack. Other ransomware tends to spread via mass-mailed attachments.

  • How should I prevent an infection?

The malware should be arrested as soon as possible, before any damage is done. As in the case of any other malware, we would recommend the usual hygienic best practices:

  1. Surf only known, highly-reputable sites
  2. Don’t open email attachments from unknown sources
  3. Keep your security software up-to-date. Some security software such as K7’s Total Security contains Carnivore Technology to heuristically block attempts to exploit your browser

  • Now that I am infected, what should I do?

We’ll have to be brutally honest. In the case of modern ransomware you have found yourself in a difficult situation. It is typically impossible to decrypt the targeted files without the appropriate key. We strongly discourage paying any ransom to potentially obtain the key and recover your files, though, since this would only serve to fund and encourage further criminal activity.
Restoring a previous known good state from OS system restore points is sometimes an option, but TeslaCrypt attempts to prevent this escape by deleting the volume shadow copies on which restore points depend, executing the following command:
vssadmin delete shadows  /all
Instead it is hoped that you would have backed up your important files in a disciplined fashion on external media and/or on online repositories. If you are not in the habit of backing up your files, we would highly recommend this practice. Please note, a general hard disk failure is much more likely to strike you than a ransomware infection!
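The shadow-copy deletion above is one of the few loud actions in the chain and is worth alerting on. The following added example (not K7's code, not part of the original post) runs over constructed process-creation events with Sysmon-style field names (UtcTime, Image, CommandLine, ParentImage; these names are an assumption) and flags any vssadmin invocation that deletes shadows, generalising from the post's "delete shadows /all" to /for= and /quiet variants, odd casing and extra whitespace; it raises severity when the parent is a binary under the user's profile data directory, where the post reports TeslaCrypt running from.

```python
"""Detection of vssadmin shadow-copy deletion (added example, not K7's code).
Sysmon-style field names and the sample events are assumptions/constructed."""
import re
from typing import Dict, List

# Any 'vssadmin delete shadows' form: optional .exe, quoted path, any case/spacing.
VSSADMIN_DELETE = re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.IGNORECASE)
PROFILE_DIRS = ("\\appdata\\", "\\application data\\")

def is_shadow_deletion(command_line: str) -> bool:
    """True for any vssadmin 'delete shadows' command, after collapsing whitespace."""
    return VSSADMIN_DELETE.search(" ".join(command_line.split())) is not None

def parent_in_profile_data(parent_image: str) -> bool:
    """True when the launching process lives under AppData / Application Data."""
    p = parent_image.lower()
    return any(d in p for d in PROFILE_DIRS)

def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per matching event; 'high' if launched from profile data."""
    alerts = []
    for ev in events:
        if not is_shadow_deletion(ev["CommandLine"]):
            continue
        sev = "high" if parent_in_profile_data(ev["ParentImage"]) else "medium"
        alerts.append({"time": ev["UtcTime"], "severity": sev,
                       "parent": ev["ParentImage"], "cmd": ev["CommandLine"]})
    return alerts

# Constructed events; not from a real host. The first mirrors the post's command.
SAMPLE_EVENTS = [
    {"UtcTime": "2015-05-20 10:01:02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows  /all",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\xkq7r2.exe"},
    {"UtcTime": "2015-05-20 10:05:00", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2015-05-20 11:30:45", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /For=C: /Quiet',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

def run_detection() -> List[Dict[str, str]]:
    return detect(SAMPLE_EVENTS)

if __name__ == "__main__":
    for a in run_detection():
        print(a["severity"], a["time"], a["parent"], "->", a["cmd"])
```

Administrators do legitimately delete shadows on occasion, so the medium-severity path is a candidate for review rather than automatic response.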
We hope this content helps build awareness about malware in general and ransomware in particular, with an emphasis on TeslaCrypt, thus aiding the relentless battle against innumerable cyber bandits.
Generic ransomware image (first) courtesy of:
files.itproportal.com
Samir Mody
Senior Manager, K7TCL