{"id":15082,"date":"2015-07-21T16:29:41","date_gmt":"2015-07-21T16:29:41","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=4254"},"modified":"2019-11-15T07:03:15","modified_gmt":"2019-11-15T12:03:15","slug":"games-changing-new-version-of-teslacrypt-mimics-a-big-brother","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/games-changing-new-version-of-teslacrypt-mimics-a-big-brother\/15082\/","title":{"rendered":"Games changing: new version of TeslaCrypt mimics &#8220;a big brother&#8221;"},"content":{"rendered":"<p>These days, ransomware-related news stories look a bit like, well, war chronicles. In fact, this is the consequence of elevated attention to this particular kind of threat; similar things occurred in the early 2000s when net-worms thrashed the Web. Today\u2019s malware can be equally damaging, but first and foremost it exists to extract profit from the victims. In this post we\u2019ll take a look at a new version of TeslaCrypt ransomware, which recently started mimicking CryptoWall, <a href=\"https:\/\/business.kaspersky.com\/cryptowall-3-0-an-evolution-twist\/4137\" target=\"_blank\" rel=\"noopener nofollow\">previously featured on our blog<\/a>.<\/p>\n<p><strong>Copycat<\/strong><\/p>\n<p>TeslaCrypt is a relatively new variant of the much-dreaded CryptoLocker, which made a lot of buzz after it had been discovered\u00a0<a href=\"https:\/\/business.kaspersky.com\/pay-to-play-again-a-cryptolocker-variant-goes-after-the-gamers\/3715\" target=\"_blank\" rel=\"noopener nofollow\">targeting online gamers<\/a>.<\/p>\n<p>Criminals have discovered yet another source of relatively easy money \u2013 hardcore gamers are expected to pay willingly for regaining access to their content \u2013 even though in most online games the crucial player-unique data is stored in the cloud, not locally.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Games changing: new version of #TeslaCrypt mimics \u201ca big brother\u201d<\/p><a 
href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FaoW1&amp;text=Games+changing%3A+new+version+of+%23TeslaCrypt+mimics+%26%238220%3Ba+big+brother%26%238221%3B+\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>Still, this CryptoLocker variant, now called TeslaCrypt, can encrypt any other important files, so the gamers are not the only potential victims.<\/p>\n<p>The new version, intercepted recently by Kaspersky Lab researchers, has two distinct new features: a new encryption scheme and a new \u201cwarning message\u201d.<\/p>\n<p>Actually,\u00a0the latter is anything but new: For some wicked reason the TeslaCrypt operators have \u201cborrowed\u201d the warning screen from CryptoWall.<\/p>\n<p>Why? Fedor Sinitsyn of Kaspersky Lab, in an analysis of the new ransomware, speculates that the attackers \u201cwanted to impress the gravity of the situation on their victims\u201d, since the files encrypted by CryptoWall cannot be cracked without knowing a secret key \u2013 while with TeslaCrypt it is possible.<\/p>\n<p>However, this may become a bit more difficult, since the encryption scheme has been improved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm, which has been implemented in versions 0.3.x; in this version it seems more relevant because it serves a specific purpose: enabling the attackers to decrypt files using a \u2018master key\u2019 alone.<\/p>\n<p>The detailed analysis is available at <a href=\"https:\/\/securelist.com\/blog\/research\/71371\/teslacrypt-2-0-disguised-as-cryptowall\/\" target=\"_blank\" rel=\"noopener\">Securelist<\/a>.<\/p>\n<p><strong>What is important here for businesses?<\/strong><\/p>\n<p>In a general sense, TeslaCrypt is not much different than other recent ransomware as a threat. 
It has some evasion features, communicates with C&amp;C servers over the web \u2013 although the servers themselves are in the Tor network (tor2web services are used here). It\u2019s a much less scary beast than it wants to appear: It scares the victims with 2048-bit RSA encryption, but there\u2019s none. In fact, 256-bit encryption is used, and sometimes the encrypted files can be recovered without paying anything. But just sometimes.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>#TeslaCrypt barks more than bites, but bites nevertheless.<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FaoW1&amp;text=%23TeslaCrypt+barks+more+than+bites%2C+but+bites+nevertheless.\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote>\n<p>The more appropriate way to deal with this is to use the set of well-known measures: regularly updated software and an up-to-date anti-malware solution with exploit prevention functionality \u2013 this is especially important since TeslaCrypt is known to be dropped by a number of exploit kits.<\/p>\n<p>And first and foremost, there must be \u201ccold storage\u201d backups in place. It is the best way to prevent all kinds of encrypting ransomware from damaging your data.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>These days, ransomware-related news stories look a bit like, well, war chronicles. 
In fact, this is the consequence of elevated attention to this particular kind of threat; similar things occurred in the early 2000s when net-worms thrashed the Web.<\/p>\n","protected":false},"author":209,"featured_media":15626,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[1164,420,1106],"class_list":{"0":"post-15082","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cryptowall","10":"tag-ransomware","11":"tag-teslacrypt"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/games-changing-new-version-of-teslacrypt-mimics-a-big-brother\/15082\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/games-changing-new-version-of-teslacrypt-mimics-a-big-brother\/15082\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/games-changing-new-version-of-teslacrypt-mimics-a-big-brother\/15082\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cryptowall\/","name":"Cryptowall"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15082","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15082"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15082\/revisions"}],"predecessor-version":[{"id":30446,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15082\/revisions\/30446"}],"wp:featuredmedia":[{"embeddable":true,"href":
"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15626"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15082"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15082"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15082"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}