TeslaCrypt 4.0: Bigger, Badder and Unbreakable

The ransomware known as TeslaCrypt has enhanced its code—to include unbreakable encryption and a rash of upgrades.

TeslaCrypt was first designed to target computers that have specific computer games installed—but has since widened its purview. The trojan encrypts all files and locks victims out of their systems, then demands a ransom for the decryption key, which can vary between $150 and $1000 worth of bitcoins.

TeslaCrypt 4.0, uncovered by Heimdal Security, has a nifty new feature: RSA 4096 for encrypting data. Consequently, the data held hostage will be impossible to recover if the victim doesn’t have a backup copy.

Also, “It’s important to know that the tool ‘TeslaDecoder’ no longer works with TeslaCrypt 4.0,” explained Heimdal security specialist Andra Zaharia, in an analysis. “Unfortunately, this is one of the many fixes that the cyber-criminals have included in the new version.”

So, in the case of data compromise, only two options remain: to restore the data from a secure backup or to pay the ransom (which is obviously not recommended).

The group behind TeslaCrypt has also fixed a bug related to encryption of large data files. In previous versions, files larger than 4GB would be permanently damaged when encrypted. This is no longer an obstacle for the attackers.

The new strain is also greedier: Once the malicious code is run, the attackers can extract even more data than before from the local machine. The harvested data is then compiled into a unique key, while, at the same time, the ransomware will recruit the affected PC into a central botnet.

Similar to previous campaigns, TeslaCrypt 4 is being dispersed through drive-by attacks carried out using the Angler exploit kit. Heimdal is blocking more than 600 domains spreading the EK, and it predicts that the daily average will increase up to 1,200 domains.

The first version of TeslaCrypt emerged in March 2015, while the creators launched the second version in November 2015. That second version was found to be borrowing from the Carberp trojan in the way that it attempts to obscure code to evade signature detection. It hit consumers and businesses hard back in December, accounting for 70,000 different incidents in the span of a week.

Since then, TeslaCrypt creators moved even faster: they launched TeslaCrypt 3.0 in January 2016, and now, only three months later, the fourth version is out.

“We can expect cyber attackers to iterate even faster, in order to block decryptors that can appear on the market and secure a constant revenue stream to fund their attacks,” Zaharia said.
