Friday, March 11th, 2016

Ransomware rampant at 90,000 infections a day

Across the world, attackers are taking control of networks, locking away files and demanding sizable ransoms to return data to its rightful owner. A new variant of the TeslaCrypt ransomware has been released that contains some minor changes. The version number is still 3.0, but the ransom notes have been renamed and the file extension for encrypted files is now .MP3. Like earlier variants, it uses the AES symmetric cipher to encrypt files.

TeslaCrypt is distributed widely via the Angler Exploit Kit and a few other known exploit kits. Through Angler it exploits Adobe Flash (CVE-2015-0311) and, once the exploit succeeds, downloads TeslaCrypt as the payload.

Victims reach Angler through an iframe injected into a compromised website. The iframe redirects to a heavily obfuscated landing page that contains anti-VM techniques and checks for the presence of antivirus software and malware analysis tools such as Fiddler.

Encryption

TeslaCrypt creates key.dat under %APPDATA%, where it also drops a copy of itself, and creates log.html to store the list of encrypted files. It encrypts user files by enumerating all directories, including mapped network drives.

Network Communication

After encrypting the targeted files, it contacts its command and control server over the Tor network through several Tor proxy servers, passing details of the infection as a base64-encoded parameter.

Unfortunately, there is still no way to decrypt this latest version of TeslaCrypt. TeslaCrypt 3.0 holds the data stored on a computer for ransom. The data remains on the host machine, but the malware applies strong encryption so that no application can read the affected files. To get the files carrying the .mp3 extension back into a readable form, the victim is told to pay the ransom.
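The following PowerShell triage script is an added example and is not code from the original post or from any vendor. It checks for the two %APPDATA% artifacts named above (key.dat and log.html) and flags .mp3 files that do not begin with a real MPEG audio header (an "ID3" tag or a frame sync of eleven set bits), which is what an AES-encrypted file renamed to .mp3 looks like. The header check is a heuristic: it catches renamed ciphertext, not every unusual but genuine audio file, so treat hits as leads for a manual look rather than proof of infection.

```powershell
# Added example (not from the original post): host triage for the TeslaCrypt
# variant described above. Run as the affected user so $env:APPDATA resolves
# to that user's profile.

function Test-Mp3Header {
    param([string]$Path)
    $bytes = New-Object byte[] 3
    $fs = [System.IO.File]::OpenRead($Path)
    try { $n = $fs.Read($bytes, 0, 3) } finally { $fs.Close() }
    if ($n -lt 2) { return $false }
    # Genuine MP3 files start with an 'ID3' tag header ...
    if ($n -ge 3 -and [System.Text.Encoding]::ASCII.GetString($bytes, 0, 3) -eq 'ID3') {
        return $true
    }
    # ... or directly with an MPEG frame sync: 0xFF followed by a byte whose top
    # three bits are set. Encrypted data renamed to .mp3 almost never does.
    return ($bytes[0] -eq 0xFF) -and (($bytes[1] -band 0xE0) -eq 0xE0)
}

function Get-TeslaCryptIndicators {
    param(
        [string[]]$ScanRoot = @($env:USERPROFILE),   # add mapped drives here if needed
        [string]$AppData = $env:APPDATA
    )
    $findings = @()

    # Dropped artifacts named in the write-up above.
    foreach ($name in 'key.dat', 'log.html') {
        $p = Join-Path $AppData $name
        if (Test-Path $p) {
            $findings += [pscustomobject]@{ Type = 'Artifact'; Path = $p }
        }
    }

    # Renamed ciphertext: .mp3 files without an MPEG audio header.
    $candidates = Get-ChildItem -Path $ScanRoot -Filter '*.mp3' -Recurse -File `
        -ErrorAction SilentlyContinue
    foreach ($f in $candidates) {
        if (-not (Test-Mp3Header $f.FullName)) {
            $findings += [pscustomobject]@{ Type = 'SuspectMp3'; Path = $f.FullName }
        }
    }
    return $findings
}

Get-TeslaCryptIndicators | Format-Table -AutoSize
```

A single SuspectMp3 hit is weak evidence; a burst of them across many directories together with key.dat in %APPDATA% is the pattern worth escalating, and the log.html list gives you the scope of what was encrypted.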

If you don't have a recent backup and want to recover your data, you have little choice but to pay up.

Apart from keeping your antivirus up to date, there are additional system changes a user can apply to help prevent or disarm ransomware infections.

1. Back up your files.

The best way to ensure you do not lose your files to ransomware is to back them up regularly. Storing your backup separately is also key: some ransomware variants delete Windows shadow copies of files as a further tactic to prevent recovery, so you need to keep your backup offline.

2. Apply Windows and other software updates regularly.

Keep your system and applications up to date. This gives you the best chance of avoiding exploitation through drive-by download attacks and vulnerabilities in software (particularly Adobe Flash, Microsoft Silverlight and web browsers) that are known to be used for installing ransomware.

3. Avoid clicking untrusted email links or opening unsolicited email attachments.

Most ransomware arrives via spam email either by clicking the links or as attachments. Having a good email anti-virus scanner would also proactively block compromised or malicious website links or binary attachments that lead to ransomware.

4. Disable macros and ActiveX content in Microsoft Office applications such as Word and Excel.

We’ve seen many malicious documents that contain macros which can further download ransomware silently in the background.

5.  Install a Firewall – block Tor and I2P, and restrict to specific ports.

Preventing the malware from reaching its call-home server via the network can disarm an active ransomware variant. As such, blocking connections to I2P or Tor servers via a firewall is an effective measure.

6. Disable remote desktop connections.

Disable remote desktop connections if they are not required in your environment, so that attackers cannot access your machine remotely.

7. Block binaries running from %APPDATA% and %TEMP% paths.

Most of the ransomware files are dropped and executed from these locations, so blocking execution would prevent the ransomware from running.
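The script below is an added example, not code from the original post or from any vendor; it applies items 4 to 7 of the checklist to a single Windows host from an elevated PowerShell session. It assumes Office 2013 or 2016 (registry versions 15.0 and 16.0), a Windows 8 / Server 2012 or later host with the NetSecurity cmdlets, and a placeholder list $TorRelayAddresses (RFC 5737 documentation addresses) that you would replace with a relay list you maintain and refresh. The %APPDATA% and %TEMP% deny rules will also stop legitimate installers and updaters that run from those folders, so test in a lab and add Unrestricted path rules for the software you need.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): one-host hardening for items 4-7 above.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Type DWord -Value $Value
}

# 4. Office macros: VBAWarnings = 4 is "disable all macros without notification".
#    The Policies hive overrides the Trust Center, so users cannot turn them back on.
foreach ($ver in '15.0', '16.0') {                       # Office 2013 / Office 2016
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        Set-RegistryDword "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security" 'VBAWarnings' 4
    }
}

# 5. Firewall: block outbound traffic to known Tor relays so the malware cannot reach
#    its call-home server. Placeholder addresses (assumption); replace with a real list.
$TorRelayAddresses = @('192.0.2.10', '198.51.100.20')
$ruleName = 'Ransomware: block Tor relays (outbound)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -RemoteAddress $TorRelayAddresses -Profile Any | Out-Null
}

# 6. Remote Desktop: deny incoming connections and close the matching firewall group.
Set-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections' 1
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 7. Software Restriction Policies: default level Unrestricted, plus Disallowed (level 0)
#    path rules for executables under %APPDATA% and %TEMP%, the drop locations named above.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
Set-RegistryDword $safer 'DefaultLevel'        0x40000   # 0x40000 = Unrestricted
Set-RegistryDword $safer 'TransparentEnabled'  1         # 1 = all software files except DLLs
Set-RegistryDword $safer 'PolicyScope'         0         # 0 = applies to administrators too
Set-RegistryDword $safer 'AuthenticodeEnabled' 0
$denied = @('%APPDATA%\*.exe', '%APPDATA%\*\*.exe', '%TEMP%\*.exe', '%TEMP%\*\*.exe')
foreach ($pattern in $denied) {
    $rule = Join-Path "$safer\0\Paths" ([guid]::NewGuid().ToString('B'))
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name 'ItemData'    -Type ExpandString -Value $pattern
    Set-ItemProperty -Path $rule -Name 'SaferFlags'  -Type DWord        -Value 0
    Set-ItemProperty -Path $rule -Name 'Description' -Type String       -Value 'Block ransomware drop locations'
}

Write-Host 'Done. Log off and on again (or run gpupdate /force) for the SRP rules to take effect.'
```

In a domain, the same registry values are what the corresponding Group Policy settings write, so once the rules are proven on one host they are better delivered centrally through GPO than by script. The Tor block only covers addresses in your list; relay lists change constantly, so schedule the refresh or the rule quietly goes stale.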

If you have been hit by Ransomware or you want to find out how to prevent this, simply contact our security experts!


    Copyright Smarttech247 - 2021