The newest version of the TeslaCrypt ransomware encryptor shows an HTML page in the web browser that is an exact copy of the one used by one of its competitors, CryptoWall 3.0, another ransomware program.
Early samples of TeslaCrypt 2.0 were detected in February 2015, and the new ransomware Trojan gained immediate notoriety as a menace to computer gamers, said researchers at Kaspersky Lab. Among other types of target files, it tries to infect typical gaming files: game saves, user profiles, recorded replays, etc. That said, TeslaCrypt does not encrypt files that are larger than 268 MB.
When TeslaCrypt infects a new victim, it generates a new unique Bitcoin address to receive the victim’s ransom payment and a secret key to withdraw it. TeslaCrypt’s C&C servers are in the Tor network.
Version 2.0 of the Trojan uses two sets of keys: one set is unique within one infected system, and the other is generated anew each time the malicious program relaunches in the system. Moreover, the secret key with which user files are encrypted is not saved on the hard drive, which makes decrypting the user files significantly more complicated.
Programs from the TeslaCrypt malware family propagate via the Angler, Sweet Orange and Nuclear exploit kits. Under this propagation mechanism, the victim visits an infected web site and the exploit’s malicious code uses browser vulnerabilities, most typically in plugins, to install the dedicated malware on the target computer.
In its latest modification, “TeslaCrypt convinces victims they are dealing with CryptoWall – once the latter encrypts user files, there is no way to have them decrypted. However, all links lead to a TeslaCrypt server – apparently, the malware authors have no intention of giving their victims’ money away to a competitor,” said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab.