Major TeslaCrypt ransomware offensive underway 

Dec 14, 2015 09:00 AM


Attack groups behind the ransomware known as TeslaCrypt (detected by Symantec as Trojan.Cryptolocker.N) have ramped up activity in the past two weeks, sending out massive volumes of spam emails seeded with the malware. TeslaCrypt uses strong encryption to encrypt a wide range of files on the victim’s computer. Its creators have continually refined the malware and the tactics used to distribute it, making it one of the more dangerous threats currently in circulation.

Figure 1. TeslaCrypt (Trojan.Cryptolocker.N) detections since August 1, 2015

Much of the current wave of TeslaCrypt attacks involves spam emails using a range of social engineering techniques to lure the recipient into opening them. Examples of the subject lines used in these emails include:

  • [ID:{RANDOM NUMBER}] Would you be so kind as to tell me if the items listed in the invoice are correct?
  • [ID: {RANDOM NUMBER}] Please accept our congratulations on a successful purchase and best wishes.
  • [ID{RANDOM NUMBER}] Would you be nice enough to provide us with a wire transfer confirmation.

Each email contains an attachment with a file name usually including the word “invoice”, “doc”, or “info”, in addition to random characters. The attachment may have the .zip file extension or may have no file extension at all. Although disguised as a legitimate document, the attachment is, in fact, a JavaScript file containing heavily obfuscated malicious code intended to evade antivirus scanners. This attached file is detected by Symantec as JS.Downloader.
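The subject-line and attachment traits described above can be combined into a mail triage rule. The following is an added example, not Symantec's detection logic: the function names are hypothetical, the sample messages are constructed, and it assumes {RANDOM NUMBER} is a run of decimal digits.

```python
import os
import re
from email.message import EmailMessage

# Subject prefixes quoted in the advisory: "[ID:123]", "[ID: 123]", "[ID123]".
# Assumption: {RANDOM NUMBER} is a run of decimal digits.
SUBJECT_ID = re.compile(r"^\s*\[ID:?\s*\d+\]")
# Attachment names usually include one of these words plus random characters.
LURE_WORD = re.compile(r"invoice|doc|info", re.IGNORECASE)

def attachment_matches(name):
    """True if the name has a lure word AND a .zip extension or none at all."""
    ext = os.path.splitext(name)[1].lower()
    return bool(LURE_WORD.search(name)) and ext in ("", ".zip")

def triage(msg):
    """Return the advisory traits found in a parsed email message."""
    hits = []
    if SUBJECT_ID.match(str(msg.get("Subject", ""))):
        hits.append("subject-id-prefix")
    for part in msg.walk():
        name = part.get_filename()
        if name and attachment_matches(name):
            hits.append("attachment:" + name)
    return hits

def is_suspect(msg):
    """Quarantine candidate only when subject and attachment traits coincide."""
    hits = triage(msg)
    return "subject-id-prefix" in hits and any(h.startswith("attachment:") for h in hits)

def make_sample(subject, filename):
    """Build a constructed test message; the payload is inert placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    samples = [
        make_sample("[ID:48213] Would you be so kind as to tell me if the items "
                    "listed in the invoice are correct?", "invoice_k3f9a.zip"),
        make_sample("[ID77120] Would you be nice enough to provide us with a wire "
                    "transfer confirmation.", "info_8812xq"),
        make_sample("Quarterly report", "report.docx"),
    ]
    for m in samples:
        print(is_suspect(m), triage(m))
```

Requiring both traits keeps ordinary mail with a .docx or a bare "[ID" ticket prefix out of the queue; the rule looks only at names, so inspecting the attachment content is still left to the scanner.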

Should the recipient open this attachment, the file will download and install TeslaCrypt on the user's computer. The latest version of TeslaCrypt, known as version 2.2, will encrypt the user’s files and append a .VVV extension to their file names. The file extension used changes regularly. For example, the previous TeslaCrypt version (2.1) used a file extension of .CCC.

The malware will also create two files on the computer, one plain text and one HTML, which both contain instructions on how to pay the ransom and receive a decryption key. The ransom message instructs the victim to install the anonymous Tor web browser and visit a Tor website for further instructions.

Figure 2. Example of the latest TeslaCrypt ransom message

TeslaCrypt is commodity malware and can be purchased on the underground black market. Attack groups pay TeslaCrypt’s authors for the use of the platform and possibly also for access to various distribution channels, such as spam botnets or exploit kits. Because of this, it is difficult to identify any one perpetrator responsible.

Each group that purchases the malware is assigned a unique ID number in the malware version it receives. Groups may employ different attack methods to distribute the malware, such as spam emails or exploit kits. Symantec telemetry indicates that one group in particular is behind much of the recent spike in TeslaCrypt activity, and it appears to be using spam email as its main distribution method.

Given that this group using TeslaCrypt has been highly active in recent weeks, businesses and consumers should be on their guard, keep their security software regularly updated, and exercise caution when opening emails from unfamiliar sources. Users should also regularly back up any files stored on their computers. If a computer is compromised with ransomware, then these files can be restored once the malware is removed from the computer.

A full protection stack helps to defend against these attacks, including Symantec Email Security.cloud, which can block email-borne threats, Symantec Web Gateway, which blocks web-based threats, and Symantec Endpoint Protection.

Symantec and Norton products protect against TeslaCrypt with the following detections:



Further reading
If you would like to find out more about the threat posed by ransomware, you can read our whitepaper: The evolution of ransomware
