TeslaCrypt

Classification: Trojan horse
Type: Ransomware
Subtype: Cryptovirus
Operating system(s) affected: Windows

TeslaCrypt was a ransomware trojan. It is now defunct, and its master key was released by the developers.

In its early forms, TeslaCrypt targeted game-play data for specific computer games. [3] [4] [5] [6] Newer variants of the malware also affected other file types.

In its original campaign against gamers, upon infection the malware searched for 185 file extensions associated with 40 different games, including the Call of Duty series, World of Warcraft, Minecraft and World of Tanks, and encrypted the matching files. The targeted files included save data, player profiles, custom maps and game mods stored on the victim's hard drives. Newer variants of TeslaCrypt were not limited to computer games and also encrypted Word, PDF, JPEG and other files. In all cases, the victim was then prompted to pay a ransom of $500 worth of bitcoins to obtain the key to decrypt the files. [4] [7]

Although it resembled CryptoLocker in form and function, TeslaCrypt shared no code with CryptoLocker and was developed independently. The malware infected computers through an Adobe Flash exploit delivered by the Angler exploit kit. [4] [8]

Even though the ransom note claimed that TeslaCrypt used asymmetric encryption, researchers from Cisco's Talos Group found that it actually used symmetric encryption, and they developed a decryption tool for it. [9] (With a purely symmetric scheme, the same key that encrypts the files also decrypts them and must be present on the victim's machine while the malware runs, which is what made recovery feasible.) This "deficiency" was corrected in version 2.0, rendering it impossible to decrypt files affected by TeslaCrypt 2.0. [10]

By November 2015, security researchers from Kaspersky had quietly circulated word that version 2.0 had a new weakness, while deliberately keeping that knowledge away from the malware developers so that they could not fix the flaw. [11] In January 2016, a new version 3.0 was discovered that had fixed the flaw. [12]

A full behavior report, which shows BehaviorGraphs and ExecutionGraphs, was published by Joe Security. [13]

Shut down

In May 2016, the developers of TeslaCrypt shut down the ransomware and released the master decryption key, bringing the ransomware to an end. [14] A few days later, ESET released a free public tool to decrypt affected computers. [15]

References

  1. "Trojan.TeslaCrypt Description | F-Secure Labs". www.f-secure.com.
  2. "RANSOM_CRYPTESLA - Threat Encyclopedia - Trend Micro USA". www.trendmicro.com.
  3. Abrams, Lawrence (27 February 2015). "New TeslaCrypt Ransomware sets its scope on video gamers". BleepingComputer.
  4. "Gamers targeted by ransomware virus". BBC News. 13 March 2015. Retrieved 14 March 2015.
  5. Sean Gallagher (Mar 12, 2015). "CryptoLocker look-alike searches for and encrypts PC game files". Ars Technica. Retrieved 14 March 2015.
  6. "New CryptoLocker ransomware targets gamers". ZDNet. March 13, 2015. Retrieved 14 March 2015.
  7. "TeslaCrypt Ransomware Encrypts Video Game Files". Security Week. March 13, 2015. Archived from the original on 14 March 2015. Retrieved 14 March 2015.
  8. "Achievement Locked: New Crypto-Ransomware Pwns Video Gamers". Bromium Labs. March 12, 2015. Retrieved 14 March 2015.
  9. "Decryption tool available for TeslaCrypt ransomware that targets games". PC World. 2015. Retrieved 17 May 2015.
  10. Sinitsin, Fedor (14 July 2015). "TeslaCrypt 2.0 disguised as CryptoWall". securelist. AO Kaspersky Lab. Retrieved 5 November 2015.
  11. Abrams, Lawrence. "TeslaCrypt Decrypted: Flaw in TeslaCrypt allows Victim's to Recover their Files". BleepingComputer. Retrieved 21 January 2016.
  12. Abrams, Lawrence. "TeslaCrypt 3.0 Released with Modified Algorithm and .XXX, .TTT, and .MICRO File Extensions". BleepingComputer. Retrieved 21 January 2016.
  13. "BehaviorReport Ransomware Teslacrypt". securelist. Joe Security. Retrieved 29 Dec 2015.
  14. "TeslaCrypt shuts down and Releases Master Decryption Key". BleepingComputer. Retrieved 2016-05-19.
  15. "Criminals give away universal unlock key for TeslaCrypt-ransomware". Guru3D.com. Retrieved 2018-04-01.