This month, Symantec researchers reported a boost in TeslaCrypt attacks, going from 200 a day to 1,800.
TeslaCrypt first appeared in March 2015, and differentiated itself because many of the 185 file types it targeted were associated with computer games and -- content that users would have a hard time replacing.
As is common with new strains of ransomware, initially security researchers found a weakness in TeslaCrypt's encryption routine and created a tool that could decrypt files affected by some versions of the program. However, the developers went back to the drawing board and came up with new, improved versions which they started selling on the underground market to other cybercriminals.
The number of attacks stayed relatively low until late November, when the number of TeslaCrypt infection attempts detected by Symantec went up dramatically, suggesting that one cybercriminal group is ramping up its use of this malicious program.
Much of the current wave of TeslaCrypt attacks involves spam emails using a range of social engineering techniques to lure the recipient into opening them. Examples of the subject lines used in these emails include:
- [ID:<random number>] Would you be so kind as to tell me if the items listed in the invoice are correct?
- [ID: <random number>] Please accept our congratulations on a successful purchase and best wishes.
- [ID<random number>] Would you be nice enough to provide us with a wire transfer confirmation.
The TeslaCrypt email attachments can include the words "invoice," "doc," or "info," but in reality they contain heavily obfuscated JavaScript code designed to evade antivirus detection and download the ransomware program.
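The subject prefix and attachment traits described above can be checked at the mail gateway. The following Python is an added example, not code from Symantec or this post; the function names, the `.jse` extension, and the handling of ZIP-wrapped scripts are assumptions, and the sample message builder produces constructed input only.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Article traits: "[ID...]" subject prefix; invoice/doc/info attachment names.
SUBJECT_RE = re.compile(r"^\s*\[ID:?\s*\d+\]")
NAME_RE = re.compile(r"invoice|doc|info", re.IGNORECASE)
SCRIPT_EXT = (".js", ".jse")  # assumption: extensions treated as JavaScript


def script_members(filename: str, payload: bytes) -> list[str]:
    """Script files an attachment carries, bare or (assumption) zipped."""
    if filename.lower().endswith(SCRIPT_EXT):
        return [filename]
    if not zipfile.is_zipfile(io.BytesIO(payload)):
        return []
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXT)]


def triage(raw: bytes) -> list[str]:
    """Name each campaign trait from the article that a raw message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject-id-prefix")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if NAME_RE.search(name):
            hits.append("lure-attachment-name")
        if script_members(name, part.get_payload(decode=True) or b""):
            hits.append("javascript-attachment")
    return hits


def is_suspect(raw: bytes) -> bool:
    # A script attachment plus at least one other trait; "doc" alone is common.
    hits = set(triage(raw))
    return "javascript-attachment" in hits and len(hits) >= 2


def build_sample(subject: str, name: str, data: bytes) -> bytes:
    """Constructed test message, not a captured sample."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("See attached.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()
```

`triage` only reports which traits are present; `is_suspect` requires a script attachment plus one more trait because a name containing "doc" on its own matches ordinary mail.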
If the attack is successful, the program will encrypt all files with a strong encryption algorithm and will add the .VVV extension to them. It will also drop text and HTML ransom notes that instruct victims how to access Tor-hosted sites in order to pay the ransom.
"Given that this group using TeslaCrypt has been highly active in recent weeks, businesses and consumers should be on their guard, keep their security software regularly updated, and exercise caution when opening emails from unfamiliar sources," the Symantec researchers said in a blog post. "Users should also regularly back up any files stored on their computers. If a computer is compromised with ransomware, then these files can be restored once the malware is removed from the computer."
TeslaCrypt infections can be prevented with effective security awareness training.