TeslaCrypt 4.0: Knowing Your Enemy, Knowing Yourself

TeslaCrypt 4.0: Knowing Your Enemy, Knowing Yourself

Ransomware is raging. It is extremely efficient as the victims often face an uneasy choice between paying money to the cyber criminals and losing their data forever. On the other hand, there is a strong resistance to the scam. As a particular strain of infection gains excessive notoriety, it is sooner or later covered with appropriate security response.

The evolution only occurs as long as the environment poses challenges to overcome. For ransomware like TeslaCrypt the force that makes it evolve is the growing ability of IT security to handle its attacks. This article considers the fourth edition of the virus. The new release may seem to undergo quite a few changes. However, the amendments enable the ransoming virus to efficiently conceal its identity. According to the contributors to the Bleepingcomputer community, a victim to realize the version number is rather supposed to google a long string of the ransom note produced by the rogue.

“So it is said that if you know your enemies and know yourself, you will not be put at risk even if you Sun Tzu, ancient Chinese military strategist.

The type of ransomware considered herewith is worth clarifying. The cyber world offers plenty of options for ransoming. The simplest blackmailing just fakes a demand from a common knowledge authority. That would be a fake ransoming. Nothing has actually been hacked. The victims simply need to ignore the scary message and remove the virus behind it.

That is, one is supposed to know the enemy. If the enemy is just faking, all you need to do is to ignore the threat. The least thing to do is to obey the hacker. Unfortunately, TeslaCrypt 4.0, just like any versions of the same virus, is a true ransomware. It hacks something for ransom. To be more specific, the above rogue targets data stored on a computer system. It encrypts nearly every file expecting the holder of the data to pay for the decryption.

The amount is to be paid in Bitcoin currency and via TOR browser. Both of these contribute to the anonymity of the scammers. That is bad, as the enemy, the hackers behind the malware, remain unknown to its victims.

Even we fail to know the guys behind TeslaCrypt 4.0, it is good to identify the infection itself. Here is the trick. Preceding releases of TeslaCrypt ransomware are known to change the extension of affected files. That attracts user’s attention and induces search campaigns for the information related to the newly-appended part of file-names. IT security understands the way the victims are supposed to call for help.

So they come up with analytics and remedies matching the likely keywords entered by the users, which are, apparently, the new extensions of the files affected. With the fourth edition, no extra extension is added. The victims may encounter difficulties realizing they deal with TeslaCrypt ransomware family, let alone its version. Access to relevant IT advice gets complicated.

Other traits inherent exclusively in the fourth edition are rather technical. They feature the new ransom note name, ability to encode data items bigger than 4 GB. The version number has been found in the encrypted message that the ransomware communicated to its remote server. The message was decrypted and contained a reference to the version 4.0.

Propagation of the virus remains true to its family habits. The rogue is available at dark-net forums. Entering such a community takes some effort. However, nearly anyone can register and obtain a copy of the ransomware. That multiplies the number of your foes. Meanwhile, the principal adversary is likely to abstain from directly delivering the virus to its final destination. That further exacerbates the detention of TeslaCrypt 4.0 developers.

Despite a variety of the actors spreading the encrypting plague, some propagation patterns have been recognized. The prevailing infection vector is the mass-mailing. That addresses the other part of the great Chinese dictums: ‘Know yourself.’ Preventing spam seems to be quite easy. They say, just do not open anything from the sources you are not confident about. Scan any incoming email.

First of all, the malware poses a significant risk to small businesses. Even quite small enterprise often has a corporate network of a dozen of computers. On the other hand, a small company usually does not have a person responsible for corporate IT security.

As a result, one of the users is likely to abandon even the basic security consideration. That is often due to the fact that some people have actually very poor computer literacy. Another pitfall is the spam sent from your verified contacts. The stakes are high as the lowest amount claimed by the ransomware may start from 1 bitcoin, which is approximately USD 400. The hackers purchase cracked email accounts and use their address books to distribute the virus. The receiver considers the email safe and free from any infection.

Knowing your enemy in case of TeslaCrypt 4.0 ransomware victim enables access to the best practise of ransomware recovery and removal. Knowing yourself is equally important. The above considerations clearly show how one can reduce the risk of invasion by knowing and handling basic computer mistakes inherent in human nature.

About the Author:

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.