TeslaCrypt is yet another ransomware taking the cyber world by storm. It is mostly distributed via spear-phishing email and through the Angler exploit kit. Angler exploits a vulnerability in Adobe Flash and, on success, downloads a variant of the ransomware.
TeslaCrypt 3.0 possesses various updates, one of which renders encrypted files irrecoverable via normal means.
Machines infected by TeslaCrypt will usually have the following files present in almost every directory:
The recovery instructions for the encrypted files can be found inside these files.
Note: The file used for this analysis has an MD5 value of 1028929105f1e6118e06f8b7df0b3381.
The malware starts by ensuring it’s in its intended directory. For this sample, it checks if it is located in the Documents directory. If it’s not, it copies itself to that directory and executes its copy from there. It deletes itself after executing the copy.
The ransomware creates multiple threads that do the following:
- Monitor processes and terminate those whose names contain the following strings:
- Contact the C&C server and send information such as system details and the unique system ID.
- Run the file encryption routine.
TeslaCrypt is not immune to recycling code from older malware families. The initial payload is an encrypted, compressed binary: after decrypting it, the malware calls the RtlDecompressBuffer API and writes the decompressed data into its own memory.
The malware also obscures its API calls: instead of importing by name, it passes a hash of the API name to a function that resolves the API address.
TeslaCrypt uses AES encryption and sends one part of the key to its C&C server, so the infected system cannot recover the files on its own.
It will start by checking if the system already has its own recovery key. If not, it will begin generating the necessary encryption keys. These keys will be used for the encryption routine.
TeslaCrypt will traverse all fixed, remote and removable drives for files with the following extensions:
.3FR .7Z .ACCDB .AI .APK .ARCH00 .ARW .ASSET .AVI .BAK .BAR .BAY .BC6 .BC7 .BIG .BIK .BKF .BKP .BLOB .BSA .CAS .CDR .CER .CFR .CR2 .CRT .CRW .CSS .CSV .D3DBSP .DAS .DAZIP .DB0 .DBA .DBF .DCR .DER .DESC .DMP .DNG .DOC .DOCM .DOCX .DWG .DXG .EPK .EPS .ERF .ESM .FF .FLV .FORGE .FOS .FPK .FSH .GDB .GHO .HKDB .HKX .HPLG .HVPL .IBANK .ICXS .INDD .ITDB .ITL .ITM .IWD .IWI .JPE .JPEG .JPG .JS .KDB .KDC .KF .LAYOUT .LBF .LITEMOD .LITESQL .LRF .LTX .LVL .M2 .M3U .M4A .MAP .MCMETA .MDB .MDBACKUP .MDDATA .MDF .MEF .MENU .MLX .MOV .MP4 .MPQGE .MRWREF .NCF .NRW .NTL .ODB .ODC .ODM .ODP .ODS .ODT .ORF .P12 .P7B .P7C .PAK .PDD .PDF .PEF .PEM .PFX .PKPASS .PNG .PPT .PPTM .PPTX .PSD .PSK .PST .PTX .PY .QDF .QIC .R3D .RAF .RAR .RAW .RB .RE4 .RGSS3A .RIM .ROFL .RTF .RW2 .RWL .SAV .SB .SID .SIDD .SIDN .SIE .SIS .SLM .SNX .SQL .SR2 .SRF .SRW .SUM .SVG .SYNCDB .T12 .T13 .TAX .TIFF .TOR .TXT .UPK .VCF .VDF .VFS0 .VPK .VPP_PC .VTF .W3X .WALLET .WB2 .WMA .WMO .WMV .WPD .WPS .X3F .XF .XLK .XLS .XLSB .XLSM .XLSX .XXX .ZIP .ZTMP
The exception, however, is if the file contains the string “recove” or if it is found in the following directories:
- %WINDIR% (C:\Windows)
- %PROGRAMFILES% (C:\Program Files)
- %COMMONAPPDATA% (C:\Documents and Settings\All Users\Application Data for Windows XP and C:\ProgramData for Windows Vista and above)
- %LOCALAPPDATA%\Temporary Internet Files (C:\Documents and Settings\[USERNAME]\Local Settings for Windows XP and C:\Users\[USERNAME]\AppData\Local for Windows 7 and above)
Once a file passes the extension check, the malware checks whether the file already carries its encryption header; files that are not yet encrypted are then encrypted.
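As an added example (not code from the original analysis), the selection rules above as a Python scoping helper a responder can run against a file inventory to see which files fall inside TeslaCrypt's target set; it reads nothing and encrypts nothing. The profile name "Alice", the sample paths and the extension subset are constructed; the assumption that the "recove" check applies to the file name is marked in a comment, and the encryption-header check is omitted because the write-up does not give the header format.

```python
from pathlib import PureWindowsPath

# Subset of the write-up's extension list; paste the full list here for real scoping.
TARGET_EXTENSIONS = frozenset(e.lower() for e in (
    ".7Z .ACCDB .BAK .CSV .DOC .DOCX .JPG .JPEG .MDB .MP4 .ODT .PDF .PEM .PFX "
    ".PNG .PPTX .PST .RAR .SQL .TXT .WALLET .XLS .XLSX .ZIP").split())

# Directories the write-up says are skipped, expanded for Windows 7 and later;
# [USERNAME] is filled in for every profile name passed to the functions below.
EXCLUDED_DIR_TEMPLATES = (
    r"C:\Windows", r"C:\Program Files", r"C:\ProgramData",
    r"C:\Users\[USERNAME]\AppData\Local\Temporary Internet Files")

def excluded_dirs(usernames):
    """Expand the directory templates for each user profile on the host."""
    plain = [t for t in EXCLUDED_DIR_TEMPLATES if "[USERNAME]" not in t]
    per_user = [t.replace("[USERNAME]", u) for t in EXCLUDED_DIR_TEMPLATES
                if "[USERNAME]" in t for u in usernames]
    return [PureWindowsPath(d) for d in plain + per_user]

def _under(path, directory):
    # Component-wise, case-insensitive prefix test (NTFS paths ignore case).
    parts = [c.lower() for c in path.parts]
    prefix = [c.lower() for c in directory.parts]
    return parts[:len(prefix)] == prefix

def is_target(path, usernames=("Alice",), extensions=TARGET_EXTENSIONS):
    """True if the write-up's selection rules would pick this file."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in extensions:
        return False
    if "recove" in p.name.lower():  # assumed: the check is on the file name
        return False
    return not any(_under(p, d) for d in excluded_dirs(usernames))

def scope(paths, usernames=("Alice",)):
    """Return the subset of paths that fall inside the target set."""
    return [p for p in paths if is_target(p, usernames)]

# Constructed sample inventory (not from any real host); "Alice" is a made-up profile.
SAMPLE_PATHS = [
    r"C:\Users\Alice\Documents\budget.xlsx",
    r"C:\Users\Alice\Desktop\RECOVER_FILES.txt",
    r"C:\Windows\System32\drivers\etc\hosts.bak",
    r"C:\ProgramData\Vendor\config.txt",
    r"C:\Users\Alice\AppData\Local\Temporary Internet Files\index.txt",
    r"C:\Users\Alice\AppData\Roaming\Thunderbird\mail.pst",
    r"\\fileserver\share\report.PDF",
]
```

Feed `scope()` a `dir /s /b` listing of each fixed, removable and network drive to estimate exposure before or after an incident.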
Encrypted files’ headers contain data that includes – but isn’t limited to – the global recovery key, the global public key, the original file size and the encrypted data itself.
The malware tries to connect to one of the following domains:
If it manages to connect to a server, it sends a POST request carrying encoded data, which includes the following:
- The shared key for the encryption
- Bitcoin address
- OS version
- TeslaCrypt version
- Unique ID for the infected system
To ensure that only one instance of the malware is running, it creates a mutex named “8_8_8_8”.
It creates an auto start registry entry to ensure execution every startup.
It also adds a policy in the registry to remove permission restrictions on network drives, essentially allowing any user to access these network drives.
Interestingly, the gang behind TeslaCrypt appears to have had a change of heart and has publicly shared the master decryption key. Before shutting down, the now-defunct payment site demanded a minimum of $500 in bitcoin.
Advanced threat defense products like those used in this analysis help avoid ransomware infection. The advanced solutions catch the emerging threat before it can do any damage. You’ve got two great lines of defense: the first is email and the next is your network.
Advanced email defense solutions like ThreatSecure Email are designed to catch malware that evades traditional defenses. It’s a great tool to help stop attacks by detecting phishing links and exploits that deliver ransomware. That can stop TeslaCrypt from encrypting and taking the data from you.
The next stop is bolstering your network. Adding an advanced defense solution that identifies and correlates discovered threats with anomalous network activity is an invaluable tool to guard your data. ThreatTrack’s ThreatSecure Network, for instance, provides end-to-end network visibility and real-time detection to catch traffic hitting known malicious IPs associated with ransomware distribution and C&C.