Security researcher Fedor Sinitsyn reported on the new TeslaCrypt V2.0. This family of ransomware is relatively new, it was first detected in February 2015. It's been dubbed the "curse" of computer gamers because it targets many game-related file types. The attackers are focusing on the U.S. and Germany. See the hotmap to the right.
The innovation rate of TeslaCrypt is furious, lots of changes are being made, including ripping off CryptoWall's identity, which is a clear case of borrowing CryptoWall's reputation, trying to make people pay as soon as possible. The encryption scheme has been improved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm.
Early versions of TeslaCrypt were designed to check whether a Bitcoin payment had been successfully made on the blockchain.info site. If the payment was received, the malware reported this to the command server and received a key to decrypt the files. This scheme was vulnerable, since an expert could send a request to the C&C and get the necessary key without making a payment. This has been corrected / replaced with a completely new decryption feature.
The TeslaCrypt family gets distributed using Exploit Kits like Angler, Sweet Orange and Nuclear. It focuses on malvertising (malicious ads on large sites like Yahoo, Drudge, CBSSports and HuffPost), paid for by stolen credit cards. This is very hard to defend against. Here is how that works: when a victim visits an infected website, the Exploit Kit scans the victim's browser and finds vulnerabilities (usually in plugins) and installs the Trojan in the system.
What To Do About It
- Backup your important files frequently. Store the backup files on write-only drives as part of the backup process. At home, you could use an external hard drive, and unplug the drive after backing up.
- Immediately update your browser when new versions are released, and also update the browser plugins regularly. Try to use the minimum amount of plugins, these are often badly written. However, it's time to start using AdBlocker plugins, and filter out all the malvertising before it hits your end-user.
- Scan workstations for outdated versions of third-party apps and update these ASAP. Secunia is a good tool for this.
- Step all users through effective security awareness training, because ransomware also uses phishing and infected email attachments as major infection vectors.
Check out the KnowBe4 website and find out how affordable Kevin Mitnick Security Awareness Training is, you will be pleasantly surprised:
More details at the securelist.