TeslaCrypt is a file-encrypting ransomware program which specifically targets all the versions of Windows operating system. Released during February 2015, this ransomware scans your system for all the data files and encrypts them so that you can no longer access them. Once the files have been successfully encrypted, a message is displayed on the screen with all the necessary instructions on gaining access to your files upon paying a ransom.
The instructions lead the victim to a service site related to decryption where the user needs to pay a ransom amount for getting the files decrypted. The ransom amount can be paid with Bitcoins and starts at around 500 US dollars. Initially, this ransom Trojan targeted users of particular games that have been installed on computers. The newer versions also infect devices that don’t have games installed on the system.
TeslaCrypt Targets gamers
A different approach has been adopted by TeslaCrypt as it specifically targeted popular games. This is the first ransomware to do so. The first version of TeslaCrypt looked for file extensions pertaining to trending games which includes World of Warcraft, the Call of Duty, Minecraft, World of Warcraft and encrypted the files. The files include player profiles, saved data, game mods and custom maps that have been saved on the hard drive of the victim’s computer. The newer variants don’t just focus on computer games, but also encrypt .jpeg, .pdf and .doc files.
TeslaCrypt renames the existing files. This creates issues when trying to access the source file as the ransomware renames the files to .ecc extension. There may be other three-letter extensions, for example .ccc. The browser history is deleted automatically from all the browsers that have been installed to prevent the detection of infection source.
Bugs and weaknesses associated with TeslaCrypt Version 1.0
Few issues had been identified with the first version of TeslaCrypt. There existed a variation in the encryption. The encryption process was quite sluggish. This implied that there existed a potential to stop the process mid-stream. The decryption took place at a faster pace which made a lot of researchers believe that 2048-bit RSA standard was not being utilized by this malware.
The native malware decryption tool also had a bug also. The files could be decrypted only if they had been saved on the primary drive on a system. The creators then developed a chat tool to fix the issue and connect to their victims to offer assistance when they had issues during the decryption process.
The newer variants of this ransomware have proven that this trend isn’t going to slow down in the near future. With each passing day, new variants of ransomware keep emerging. All the previous flaws were fixed. This is quite challenging for the security researchers.
For instance, the ransomware claimed that asymmetric encryption was used in TeslaCrypt while the researchers at Cisco were successful in figuring out that the encryption tool was symmetric. Cisco even developed a decryption tool. However, the issue was fixed in the 2.0 version released by TeslaCrypt creators.
Kaspersky researchers, during November 2015, claimed that they detected a flaw in version 2.0 of TeslaCrypt without making the flaw public. The developers of the malware sensed the issue and fixed the flaw immediately by releasing the version 3.0 in January 2016. This version made use of an exchange algorithm as a different encryption key. The files that had been encrypted are appended with .xxx, .micro and .ttt extensions.
The major issue lies in the modifications that have been made. The previous versions made it possible to make a recovery of the encrypted file. Now it is no longer possible for the victims to do so with the modification introduced in version 3.0.
The version 4.0 was released on 14th of March 2016. This is still being analyzed for the changes that have been incorporated by the malware developers. Bugs pertaining to corrupt files that are greater than 4GB have been fixed with this version of TeslaCrypt. This also features new names for the ransom note and it does not make use new three-letter extensions for the files that have been encrypted.
When encryption of data is carried out by TeslaCrypt, it connects to one of its Command and Control servers. It then sends a post message pertaining to encryption of the data files. The absence of extension makes it quite complicated for the victim to figure out what did the ransomware do to their files. As of now, the victim needs to look for strings from notes with the extensions getting discarded.
Decryption impossible in the recent version of TeslaCrypt ransomware
With software developers trying to patch up the holes in the security, the same strategy is being employed by developers creating malware. This has resulted in TeslaCrypt becoming more robust to crack. This malware has progressed at a rapid pace and has extended its reach. All the flaws of the previous versions have been fixed in the latest version of TeslaCrypt leaving the victims with no option but to pay the ransom in order to get their files back.
Cisco’s Talos research group has figured out that the latest version of TeslaCrypt has enhanced the cryptographic algorithm implementation thus making it impossible to decrypt files. The security researchers at Cisco posted a blog stating that this ransomware has become a plague of the Internet. It is being improved and modified with every version released.
There were flaws in the previous versions which let the researchers come up with tools such as TeslaDecoder, Tesladecrypt and TeslaCrack to help people decrypt their files without having to pay the ransom. Now, the weaknesses have been cleared. Currently, there is no tool which can help the victim.