TeslaCrypt: A New Version of Ransomware
By now, you’ve all heard of ransomware viruses which encrypt your data, and demand a ransom paid in BitCoin in order to decrypt. This week, we’ve seen our first iteration of this new virus, and TeslaCrypt is particularly nasty. Through newly developed “exploit kits”, TeslaCrypt has the ability to seek out the best method for infection, and use it to install itself.
1. Method of Infection
The vector of infection for TeslaCrypt and other newer versions of Ransomware is particularly worrisome. At this time, all you need to do is visit a URL link which can come not only from Email, but from Facebook, a compromised ad on a trusted website as what happened last year on Yahoo, Match and Aol. These viruses are beginning to permeate into once trusted methods of web browsing behavior, and one must be highly vigilant in all areas of the web.
While Adobe Flash has been a large culprit in infections of ransomware such as CryptoWall, TeslaCrypt steps up their game. Virus manufacturers have created an exploit kit which contains javascript code, scanning your environment and determining the optimal method of attack based on your OS, what browser you are using, what plug-ins you have installed, etc. This means that if any one item has a security hole, the exploit kits will find it – and antivirus alone may not be strong enough to thwart the attack.
You can see more about these exploit kits on this YouTube video.
2. Encryption Method
The iteration of TeslaCrypt was disguised as CryptoWall – even stealing the HTML encryption notice. On the surface, this looks like a CryptoWall infection, but the standard methods for removal of CryptoWall do not apply.
TeslaCrypt can be identified, however, by the file-extensions that are changed when an infection takes place. We see image files with the suffix replaced to .ecc, but also can be .ezz, .exx, or others. This infection encrypts anything on attached drives, including attached backup drives, and all network shares! This means, even if your drives aren’t mapped, if you have a shared location on your server it is susceptible to the virus.
3. Restoring Your System
Along with some information about the virus, this link contains a tool that sometimes works in decrypting TeslaCrypt encrypted files. This tool is highly hit-or-miss, and the best method for restoration is from a backup – specifically, a backup that was not attached to the PC or Server during the infection period.
4. Protecting Yourself
With the exploit kits described above, you really must look at all of your software – browsers, plug-ins, PDF readers, Adobe Flash, Java, etc. Everything must be updated continuously if it is to succeed against these kits. Automating your updates is the best way to ensure protection, or minimizing the presence of these softwares on your business PCs. Uninstall Flash and Java if you can. Remove your browsers from operatory PCs if they are not needed. Most importantly, do not browse aimlessly on your business PCs.
Keep a good backup. Since backup drives are affected, using a “swap” method on your drives will be the safest. Additionally, a cloud backup is great at keeping incremental versions so that you can restore to a non-encrypted version of each of your files.
For more information about TeslaCrypt, or to discuss your security concerns, contact dmi Networking.