TeslaCrypt 3.0 Ransomware Now Appends .MP3 Extension To Filenames

The infamous ransom Trojan dubbed TeslaCrypt reflects a continuous evolution of cyber racketeering mechanisms. It surfaced in February 2015 as an infection that chiefly targeted gamers, subsequently morphing into a more flexible extortion tool with wide attack surface and advanced encryption routine.

The TeslaCrypt epidemic has gone through a total of three iterations ever since. The first two editions weren’t foolproof as the perpetrators implemented AES (Advanced Encryption Standard) in a ridiculously inefficient way. The decryption keys were stored inside an easily accessible file on a contaminated computer rather than be transmitted to a remote Command and Control server.

This evident imperfection allowed security analysts to come up with a data recovery technique through the use of a specially crafted tool called TeslaDecoder. Owing to the researchers’ remarkable work, infected users were able to retrieve their frozen files for months at a stretch. This grace period, however, ended abruptly with the emergence of TeslaCrypt 3.0.

The updated version features a number of tweaks that makes the decryptor inefficient. The extortionists probably realized their previous mistakes and corrected the flaws. In particular, the ransomware no longer keeps AES keys on the targeted machine. This fundamental modification of the key exchange algorithm, combined with impracticability of brute-forcing the crypto proper, renders the Trojan uncrackable for the time being.

It’s relatively easy to determine the version and figure out whether it’s possible to get around the encryption. TeslaCrypt uses specific markers as new editions are released – these include file extensions and the names of ransom note documents. The currently active build appends every encrypted file with .mp3 extension. For instance, a filename ‘random.jpg’ becomes ‘random.jpg.mp3’ as a result of the attack. When confronted with this sample, users are currently bound to redeem their personal information by paying the scammers.

The Trojan provides the entirety of recovery and payment directions in .htm, .txt and .png files titled _H_e_l_p_RECOVER_INSTRUCTIONS+(3 characters). These documents can be found inside each folder holding encrypted data. According to the ransom notes, the victim must submit a Bitcoin equivalent of 500 USD to get the proprietary files back.

The amount doubles if the user doesn’t pay up within a 72-hour deadline. The ransomware uses a DGA (domain generation algorithm) to create several relevant payment pages for every contaminated person. The extortionists also indicate a unique Tor gateway address as an alternative online spot for financial transactions. The whole campaign, therefore, is skillfully protected against tracking and attribution, which explains why the criminals are still on the loose.

As far as the propagation goes, TeslaCrypt operators didn’t reinvent the wheel. They have been leveraging an efficient mix of social engineering and exploit kits to deliver the ransomware payload. A blatant example of this activity is the hack of The Independent new site, which hit the global security headlines in late November 2015. By compromising the blog section of the website, the offenders were able to run an exploit that stealthily downloaded TeslaCrypt to the visitors’ computers. The Angler exploit kit used in this onslaught took advantage of vulnerabilities in outdated versions of Adobe Flash Player.

Phishing poses a standalone vector of serving this ransomware. The fraudsters send out catchy emails that contain attachments masqueraded as invoices, payrolls, CVs or UPS tracking information. One click is enough to unknowingly execute the infection on a machine. This technique is on the rise as the extortionists have started to focus on attacking organizations rather than consumer PCs. Employees may thus receive spear-phishing messages designed as if they were sent by a colleague or a partnering company.

TeslaCrypt prevention techniques stem from the analysis of its distribution channels. It’s strongly recommended to update potentially vulnerable software like Adobe Flash and Java as soon as patches are available. Users should also steer clear of suspicious emails and refrain from opening files attached to them. The most important countermeasure, though, is to make backups. In this case, restoring files is easy even if the Trojan turns them into crooked .mp3 objects.

SHARETweet about this on TwitterShare on LinkedInShare on FacebookShare on Google+Pin on PinterestDigg thisShare on RedditShare on TumblrShare on StumbleUponEmail this to someone

David Balaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.