15/03/2016 17:29

New TeslaCrypt variant found!


New TeslaCrypt 4.0 variant encrypts files without renaming them.

A new variant of the TeslaCrypt ransomware, namely TeslaCrypt 4.0, has been identified.

The evolution seems to have taken place in two phases.

The first phase was the release of a new TeslaCrypt core: a different library is used for AES encryption, and encrypted files are renamed by appending the .mp3 extension.

The second phase was the evolution of TeslaCrypt into its fourth version, TeslaCrypt 4.0, which encrypts files without renaming them (i.e. without appending an extension, unlike its "predecessors").

INDEX

==> How TeslaCrypt 4.0 works
 
==> The ransom demanded by TeslaCrypt 4.0

==> How to stay safe from TeslaCrypt 4.0

==> How to contain TeslaCrypt 4.0 encryption damage

==> Is it possible to decrypt encrypted files?

==> Final thoughts

 
So far, TeslaCrypt 4.0 appears to be spread via compromised websites: browsing such a website leads to infection and execution of this new variant.


How TeslaCrypt 4.0 works

Phase #1
Filename: ANUOMV.EXE
MD5: BF507EF129D5AC6E2177BBAFA4D533EA
Size: 402811 bytes
Notes: 256-bit AES encryption is used. The .mp3 extension is appended to encrypted files.

Phase #2
Filename: tmikpb.exe
MD5: 0F51AD6D48751C5AED6DDEBAD68C543F
Size: 394964 bytes
Notes: 256-bit AES encryption is used. No extension is appended to encrypted files.


Other TeslaCrypt 4.0 MD5s:
  • 8BDBDF3FD9CFF9E0DB7A483186CF201D
  • 5EDDB9F8B1B1E7E8C93F924C7E0CCD72



Once TeslaCrypt 4.0 is executed, its carrier file is moved into the user's %DOCUMENT% folder under a random name (e.g. tmikpb.exe), and a Windows Registry Run value is added so that the malware is launched at every boot:
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[_qmua] = C:\WINDOWS\SYSTEM32\CMD.EXE /C START C:\USERS\<username>\DOCUMENTS\FGRCWU.EXE
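As an added example (not part of the bulletin), a small Python check for the persistence pattern just described: a Run value that uses cmd.exe /c start to launch an .exe dropped in the user's Documents folder. The sample Run values are constructed for this example; only the "_qmua" entry reproduces the bulletin's, and the live-registry read works only on Windows.

```python
import re
# Constructed sample of HKCU\...\CurrentVersion\Run values (name -> command line):
# "_qmua" reproduces the bulletin's entry; the other two are benign, made-up entries.
RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'C:\Windows\System32\cmd.exe /c start "C:\Program Files\Vendor\update.exe"',
    "_qmua": r"C:\WINDOWS\SYSTEM32\CMD.EXE /C START C:\USERS\alice\DOCUMENTS\FGRCWU.EXE",
}

# cmd.exe used purely as a launcher: "...\cmd.exe /c start <target>"
CMD_START = re.compile(r'cmd\.exe"?\s+/c\s+start\s+"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)
# target is an executable sitting directly in a user's Documents folder
DOCS_EXE = re.compile(r"\\users\\[^\\]+\\documents\\[^\\]+\.exe$", re.IGNORECASE)

def suspicious_run_entries(values):
    """Return (value_name, target) for Run entries matching the pattern above:
    a cmd.exe /c start wrapper whose target is an .exe in the user's Documents
    folder. Both must hold, so a vendor updater launched via cmd.exe from
    Program Files is not reported."""
    hits = []
    for name, data in values.items():
        match = CMD_START.search(data.strip())
        if match:
            target = match.group("target").strip()
            if DOCS_EXE.search(target):
                hits.append((name, target))
    return hits

def read_live_run_values():
    """Enumerate the current user's Run key on Windows; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    values, i = {}, 0
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:  # no more values
            break
        values[name] = str(data)
        i += 1
    return values

if __name__ == "__main__":
    for name, target in suspicious_run_entries(read_live_run_values() or RUN_VALUES):
        print(f"suspicious Run value {name!r} -> {target}")
```

On a machine that is not running Windows the script falls back to the constructed sample, which is enough to see the one matching entry reported.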
 

Strings of the new TeslaCrypt 4.0 core:
!secp256k1_fe_is_zero(&ge->x)
pubkey != NULL
input != NULL
outputlen != NULL
*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65)
output != NULL
seckey != NULL
secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)
result != NULL
point != NULL
scalar != NULL

Earlier TeslaCrypt versions used the secp256k1 elliptic curve through the OpenSSL library; the strings above belong to the new core's secp256k1 code.



The ransom demanded by TeslaCrypt 4.0

TeslaCrypt 4.0 demands a ransom to decrypt data: the equivalent of 500 USD in Bitcoin for every key. Since a new key is generated at every execution, if the user reboots the computer n times the files end up encrypted with n+1 different keys, and the total to be paid to have all files decrypted is 500*(n+1) USD. For example: 2 reboots, 3 keys → 3*500 = 1,500 USD in BTC.

How to stay safe from TeslaCrypt 4.0

Never forget that links and email attachments can hide viruses/malware. This applies to emails from unknown senders, but also to apparently familiar ones from which an email with an attachment (such as an invoice) was not expected. Vir.IT eXplorer PRO users have a great chance to save all their data from encryption!

As stated in our previous bulletins, Vir.IT eXplorer PRO's Anti-CryptoMalware module was able to stop these attacks, saving up to 99.63% of files and allowing complete recovery of the encrypted ones thanks to its backup technologies, namely:
  • On-The-Fly Backup;
  • Vir.IT BackUp.

This only occurs if Vir.IT eXplorer PRO is:

  • correctly INSTALLED;
  • UP-TO-DATE;
  • properly CONFIGURED - the Anti-Crypto Malware technology has to be active in the Settings tab of Vir.IT Security Monitor (it is active by default), and Vir.IT BackUp has to be configured and running.


Starting with version 8.1.31, Vir.IT eXplorer PRO can "snatch" the TeslaCrypt 4.0 encryption key on the fly in the early stages of the attack, making decryption feasible with the assistance of TG Soft's tech support.
Remember: every time the malware is executed, a new encryption key is generated. This means that every time the computer is rebooted while the malware is still active, TeslaCrypt will use a different key (n reboots → n+1 different keys).


How to contain TeslaCrypt 4.0 encryption damage

Since a new key is generated every time the malware is executed - which only happens when the computer is rebooted - the computer should be kept turned on, so that the number of keys stays as low as possible, and qualified tech support (such as TG Soft's) should be contacted immediately.

When the Alert shown in the picture pops up on the screen, Vir.IT eXplorer PRO's Anti-CryptoMalware module has come into action and halted the malware. Do not panic and perform the following operations:

  1. Make sure that Vir.IT eXplorer PRO is UP-TO-DATE;
  2. UNPLUG THE ETHERNET and/or EVERY NETWORK CABLE - this physically isolates the computer from the network, containing the attack to a single machine;
  3. PERFORM a FULL SCAN using Vir.IT eXplorer PRO;
  4. DO NOT REBOOT OR TURN OFF THE COMPUTER, to avoid further encryption with a new key, as stated above;
  5. In case of a cryptomalware attack, get in touch with Vir.IT eXplorer PRO's Tech Support as soon as possible: write to assistenza@viritpro.com, or call +39 049 631748 - +39 049 632750, Mon-Fri 8:30-12:30 and 14:30-18:30.

[Screenshot: Vir.IT eXplorer PRO Anti-Crypto Malware protection alert]

99.63%* - mean percentage of files protected from encryption thanks to Vir.IT eXplorer PRO


Is it possible to decrypt encrypted files?

Yes, if Vir.IT eXplorer PRO was correctly set up before the attack and it snatched encryption keys.

Final thoughts

We invite you to be very careful when opening email attachments. If you are not expecting a parcel, you really should not open emails like the one we analyzed. Always double-check the sender's email address (not just the sender's name) before opening an attachment.


If you opened an infected attachment and encryption started, you may be in one of two situations:
  1. Vir.IT eXplorer PRO is installed, correctly set up, up-to-date and running on your PC - in this case, follow the instructions on the Alert message and you will save AT LEAST 99.63% of your data;
  2. your antivirus software does not detect, signal and halt the ongoing encryption - in this case you should still:
    • UNPLUG EVERY NETWORK CABLE;
    • LEAVE YOUR COMPUTER TURNED OFF and do not reboot it - every time the computer is rebooted while the malware is still active, a new encryption key is generated and the ransom demanded increases (note that paying the ransom does not guarantee decryption and is therefore strongly discouraged).
Either way, remain calm and do not panic.


TG Soft
Public relations
Any information published on our site may be used and republished on other websites, blogs, forums, Facebook and/or in any other form, both on paper and electronically, as long as the source is always explicitly cited as "Source: CRAM by TG Soft www.tgsoft.it" with a clickable link to the original information and/or web page from which textual content, ideas and/or images were taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment will be appreciated: "Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft, of which we point out the direct link to the original information: [direct clickable link]".

Vir.IT eXplorer PRO is certified by the biggest international organisation: