There has been a sudden increase in cryptographic ransomware variants in the last week, centered around the TeslaCrypt ransomware.
TeslaCrypt was first designed to target computers that have specific computer games installed—but has since widened its purview. The trojan will encrypt all files and lock victims out of their systems, and then ask for ransom for the decrypt key, which can vary between $150 and $1000 worth of bitcoins.
While TeslaCrypt is not new, having been around in various iterations since February, security firm iSheriff said that a notable spike in usage has translated into more than 70,000 different incidents in the span of a week. Many of these are borrowing from the Carberp trojan in the way that it attempts to obscure code to evade signature detection.
“Borrowing code is not new for TeslaCrypt, as it borrowed from malware like CryptoLocker in the past,” said Mark Parker, senior product manager at iSheriff, via email. “We are theorizing that this specific increase shows some business savvy on the criminal enterprise behind TeslaCrypt.”
This particular storm of new variants is particularly well-thought-out, given its timing.
“The victims are generally busier this time of year, and due to end-of-year bonuses, the maturation of holiday savings bonds, and access to holiday savings accounts, users are more likely to have a little more cash on hand to pay the ransom,” he explained. “The additional cash on hand, coupled with the stress and business of the holiday season, makes end users more likely to pay the ransom to retrieve their files.”
And it’s no secret that ramsomware can be supremely profitable. Parker added that data from recent Angler exploit kit domain takedowns shows that cryptographic malware is generating more than $60 million a year in revenue—so clearly there’s reason for going back to that well if you’re a cybercriminal.
In a separate analysis, Heimdal Security said that in its first round of infections, between February and April 2015, the TeslaCrypt perpetrators extorted $76,522 from 163 victims.
“This amount may seem trivial compared to millions made annually on other cybercrimes, or the estimated $3 million the perpetrators of CryptoLocker were able to make during nine months in 2013-14,” Andra Zaharia, security specialist at Heimdal Security, said in a blog. “However, even this modest haul demonstrates ransomware’s ability to generate profits and its devastating impact on victims.”
Heimdal Security, which also noticed the spike, said that there’s a new twist to this boost in TeslaCrypt infections: the encrypting ransomware is distributed through a very strong spam campaign. The primary vector for this round of threats is via email, both in the form of an infected attachment, and in the form of a blended email-to-web attack where a link in a carefully crafted email drives a user to an infected page or download.
Also, it’s notable that while the group behind TeslaCrypt focused on individual users at first, this campaign is going after targets that are mainly companies in the US and in Northern Europe, especially Germany, UK, France, Italy and Spain.
Photo © Lightboxx