Mighty TeslaCrypt

March 30, 2016, by admin

Ransomware is not a new concept. Some early examples such as GpCode spread as early as 2006, but the recent surge of new highly advanced Ransomware is like nothing the world has ever seen.

Most of what we see today can be traced back to CryptoLocker and CryptoWall. These two ransomware families alone have netted their makers hundreds of millions of dollars in ransom. It’s no surprise that other “bad actors” have realized that there is big money in this game, and each of them is trying to claim their unfair share.

Not all ransomware is created equal. One recent example is TeslaCrypt. While some ransomware variants like Cerber and Petya are not very sophisticated, TeslaCrypt is an exception. Its advanced characteristics include:

  1. No plain-text binary downloads, making it almost impossible for sandboxes to extract its binaries and analyze them
  2. Advanced packing techniques that make AV signature-based detection very difficult
  3. URIs and domains that change on the fly to evade signature and domain blacklisting solutions
  4. Use of compromised domains to fool DNS reputation-based systems

EXAMPLE

Yesterday we spotted a new variant of TeslaCrypt 4.0 that uses multiple zero-day C&C domains. The URI structure is completely different from previous versions as well.

The two main C&C URLs for this variant are:

drlarrybenovitz [.] com/ qhcka/ templates/ binarystings.php
holishit [.] in  /wp-content/ plugins/ wpclef/ assets/ src/ sass/ neat/ grid/ binarystings.php

Where “holishit [.] in” looks like a compromised domain.


TeslaCrypt uses a chain of C&C servers so that if a server is taken down or is otherwise offline, it moves on to the next C&C server. At the time of this writing, the coverage for both of these domains is very limited on VirusTotal (VT).

[images: VirusTotal detection results for the two C&C domains]

In fact, no single vendor is able to detect both C&C domains, and since TeslaCrypt cycles through a list of C&C domains, if even one domain is accessible, the infected machine will be held for ransom.
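A detector for the two C&C URLs above, as an added example that is not part of the original post: it refangs the defanged indicators, scans constructed proxy log lines for requests to those hosts or to the shared `binarystings.php` path, and shows which C&C hosts remain reachable when only one domain is blocked. The proxy log format and the sample lines are assumptions, not data from the post.

```python
import re
from urllib.parse import urlparse

# The two C&C URLs from the post, kept in defanged form; refang() restores them for matching.
TESLACRYPT_C2 = [
    "drlarrybenovitz [.] com/ qhcka/ templates/ binarystings.php",
    "holishit [.] in  /wp-content/ plugins/ wpclef/ assets/ src/ sass/ neat/ grid/ binarystings.php",
]

def refang(defanged: str) -> str:
    """Turn a defanged indicator back into a matchable URL: ' [.] ' becomes '.', spaces are dropped."""
    return re.sub(r"\s*\[\.\]\s*", ".", defanged).replace(" ", "")

def c2_domains(indicators):
    """Set of C&C hostnames extracted from the (defanged) indicator URLs."""
    return {urlparse("http://" + refang(i)).hostname for i in indicators}

# Constructed proxy log lines (assumed format: client method url status); not from the post.
SAMPLE_PROXY_LOG = """\
10.0.0.21 GET http://www.example.com/index.html 200
10.0.0.21 POST http://drlarrybenovitz.com/qhcka/templates/binarystings.php 200
10.0.0.21 POST http://holishit.in/wp-content/plugins/wpclef/assets/src/sass/neat/grid/binarystings.php 200
10.0.0.33 GET http://cdn.example.org/lib.js 200
"""

def find_c2_hits(log_text, indicators=TESLACRYPT_C2):
    """Return (client, host) for every request to a known C&C host or to the binarystings.php path.

    Matching on the path as well as the host catches the same variant when it rotates to a
    domain not yet on the list, which is exactly the gap the post describes."""
    domains = c2_domains(indicators)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        client, url = parts[0], parts[2]
        parsed = urlparse(url)
        if parsed.hostname in domains or parsed.path.endswith("/binarystings.php"):
            hits.append((client, parsed.hostname))
    return hits

def reachable_c2(indicators, blocklist):
    """C&C hosts still reachable once the blocklist is applied; TeslaCrypt only needs one."""
    return sorted(c2_domains(indicators) - set(blocklist))
```

Blocking a single domain leaves `reachable_c2()` non-empty, which is why both hosts (and the shared path) need to be covered.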

Once installed, TeslaCrypt behaves much like other ransomware, displaying a banner on the desktop and offering to sell the victim a program to decrypt their files.

[image: TeslaCrypt ransom banner]

In the last 2 months or so we have observed more than 160 TeslaCrypt C&C and dropzone domains.

Here are the top 50 domains.

[image: the top 50 TeslaCrypt C&C and dropzone domains]

Becoming a victim of any ransomware attack is a nightmare for an individual or an organization. If safeguards like regular data backups are not in place, a company can be crippled for weeks. For computers that control life-safety equipment (hospitals, power plants, refineries, etc.) the consequences can be even more severe, and possibly life-threatening.

Ransomware is also having a significant impact on cyber security vendors. Subtle malware like a password stealer or a data exfiltration bot that is missed by the current crop of malware prevention products might go unnoticed by IT staff, but because ransomware acts so quickly, it is noticed instantly and highlights the deficiencies of the existing malware prevention products. While the net effect of ransomware is surely negative, the unintended consequence is that companies will shift their protection to newer, more sophisticated products, ultimately reducing *all* malware and making everyone’s data that much more secure.

A list of best practices that all companies should apply to protect themselves against this latest breed of cyber attack is available in our previous post.
