TeslaCrypt and CryptoWall bring new approaches to ransomware

Posted by Paul Hanley on Mar 30, 2015 2:00:00 PM

As the saying goes, what's old is new again, but sometimes what's new can still be new again. Enigmatic? Perhaps, but two programs in the ransomware category are doing their best to prove this. An old friend that I've written about several times now, CryptoWall, is pioneering a new infection vector, while a fresh challenger, TeslaCrypt, is seeking to carve out a new target niche that has so far been underexploited. Let's see why security experts are concerned about these two infectious agents.

Infected CHM files

The latest versions of CryptoWall, known as CryptoWall 3.0, have recently started using a new infection vector, one with some very old roots. Through the use of an infected CHM file, the ransomware is able to run itself and introduce its payload onto the system. Let's look at why that works.

In 1997, Microsoft released its successor to the old WinHelp file format used in the venerable Windows 3.x system.  Known as Compiled HTML Help, or CHM, it consisted of a collection of HTML files rather than the Rich Text Format favored by its predecessor. 

The transition to HTML allowed a number of new functions, such as a built-in search engine, innate compression, JavaScript compatibility, and more. This file type would eventually become a key component of Windows, all the way up until Windows XP.

CryptoWall exploits Internet Explorer vulnerability

Well, as with all things HTML, it would eventually become ripe for exploitation.  Microsoft patched some security holes in 2004 and 2005, but because the problems with CHM files were so innate to the format and a direct result of how interactive they were designed to be, Microsoft would officially abandon it with the release of Windows Vista. 

What Microsoft did not do, however, was remove the reader functionality for these files from Internet Explorer, which is where CryptoWall comes in.

As with other vectors, a victim of the scam will receive an email with a zipped attachment. Inside the ZIP file is a compromised CHM file that, when clicked, opens Internet Explorer and executes the payload contained within it.

CryptoWall then follows the usual pattern of encrypting all the data it can get its code on before displaying the ransom window. The attack takes advantage of Internet Explorer’s default ability to autorun scripts contained in CHM files, leading to a potentially disastrous result.
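The delivery chain above (ZIP attachment carrying a CHM file) can be checked at the mail gateway before a user ever clicks. The following is an added example, not code from the original post: it opens an attachment with Python's zipfile module and flags any member that is a CHM container, judged either by the .chm extension or by the "ITSF" magic bytes that compiled HTML Help files start with, so a CHM renamed to .pdf is still caught. The sample archive is constructed in memory for the demonstration.

```python
import io
import zipfile

# Compiled HTML Help (CHM) files begin with the ASCII signature "ITSF".
CHM_MAGIC = b"ITSF"


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one benign text file, one obvious
    .chm, and one CHM container disguised with a .pdf extension. The CHM
    payloads are just the magic header plus filler, not real help files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "Please see attached.")
        zf.writestr("invoice.chm", CHM_MAGIC + b"\x00" * 60)
        zf.writestr("readme.pdf", CHM_MAGIC + b"\x00" * 60)  # disguised
    return buf.getvalue()


def find_chm_entries(zip_bytes: bytes) -> list:
    """Return the names of ZIP members that look like CHM files.

    A member is flagged if its name ends in .chm OR its first four bytes
    are the ITSF signature, so renaming the file does not evade the check."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if info.filename.lower().endswith(".chm") or head == CHM_MAGIC:
                hits.append(info.filename)
    return hits


def should_quarantine(zip_bytes: bytes) -> bool:
    """Gateway policy: hold any archive that carries a CHM member."""
    return bool(find_chm_entries(zip_bytes))


if __name__ == "__main__":
    sample = build_sample_zip()
    print("CHM members:", find_chm_entries(sample))
    print("quarantine:", should_quarantine(sample))
```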

TeslaCrypt targets gamers

TeslaCrypt takes a different approach, introducing some new tricks not seen in older CryptoLocker copycats. While other locker-type malware executables have been trying to hit everything they can, Tesla only infects certain file types, similar to the proverbial patriarch in this malware family. (It even tries to claim that it is CryptoLocker.)

What’s new, though, is that TeslaCrypt is the first ransomware to explicitly go after game saves, such as those for popular franchises like Call of Duty, Diablo, Minecraft, and more.

A few new tactics

Additionally, TeslaCrypt will actively rename existing files instead of just attacking the stored data. Affected files are renamed with the .ecc extension, which could cause issues with applications attempting to access the expected source files.
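The rename behavior is also a detection opportunity: a legitimate user seldom renames many files to the same unusual extension within seconds. As an added example (not from the original post), the script below parses constructed file-activity log lines and raises an alert the first time the number of renames to a new .ecc extension within a sliding 30-second window reaches a threshold. The log format and the threshold are assumptions chosen for the demonstration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: one ordinary rename, then a burst of renames
# to the .ecc extension that TeslaCrypt is described as using.
SAMPLE_LOG = """\
2015-03-30T14:00:01 RENAME C:/Users/amy/Documents/draft.docx -> C:/Users/amy/Documents/report.docx
2015-03-30T14:02:10 RENAME C:/Users/amy/Saved Games/cod/profile.sav -> C:/Users/amy/Saved Games/cod/profile.sav.ecc
2015-03-30T14:02:11 RENAME C:/Users/amy/Pictures/cat.jpg -> C:/Users/amy/Pictures/cat.jpg.ecc
2015-03-30T14:02:11 RENAME C:/Users/amy/Documents/report.docx -> C:/Users/amy/Documents/report.docx.ecc
2015-03-30T14:02:13 RENAME C:/Users/amy/Music/song.mp3 -> C:/Users/amy/Music/song.mp3.ecc
2015-03-30T14:02:14 RENAME C:/Users/amy/Documents/notes.txt -> C:/Users/amy/Documents/notes.txt.ecc
"""

# Assumed line layout: "<ISO timestamp> RENAME <old path> -> <new path>"
LINE_RE = re.compile(r"^(\S+) RENAME (.+?) -> (.+)$")


def parse_renames(log: str):
    """Yield (timestamp, old_path, new_path) for each RENAME line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect_ecc_burst(log: str, threshold: int = 4,
                     window: timedelta = timedelta(seconds=30)):
    """Return the timestamp at which renames *to* a .ecc name (from a
    non-.ecc name) within `window` first reach `threshold`, else None."""
    recent = deque()  # timestamps of qualifying renames inside the window
    for ts, src, dst in parse_renames(log):
        if not dst.lower().endswith(".ecc") or src.lower().endswith(".ecc"):
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop events that fell out of the window
        if len(recent) >= threshold:
            return ts
    return None


if __name__ == "__main__":
    hit = detect_ecc_burst(SAMPLE_LOG)
    print("ransomware-like rename burst at", hit.isoformat() if hit else None)
```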

The malware also deletes the browser history for all installed browsers in order to hide the source of infection. Theoretically, packet sniffing logs could be used to identify the source, but that could be a longshot.

Otherwise, the usual ransomware patterns are followed: shadow copies are deleted, TOR links are provided for payment, etc. Payment is 1.5 BTC, or approximately $375. Attempting to circumvent or modify the system (e.g. cleaning via antivirus) will result in a total loss of data because the system has a "dead-man's-switch" feature. The time limit of five days also does not extend. Once time is up, it's over.

TeslaCrypt’s weaknesses and bugs

There are a couple of identified issues with TeslaCrypt, however, that distinguish it from its arguably better-constructed predecessors. Encryption and decryption times vary greatly from the norms established by those earlier ransomware families. The encryption is slower than normal and not ordered in its run.

Theoretically, this means that it can potentially be stopped mid-stream. Decryption is also much faster than the norm, causing some researchers to believe that the malware is not using the 2048-bit RSA standard seen in older ransomware.

Additionally, a bug has been reported in the malware's decryption tool. Should you decide to pay the ransom, files can only be decrypted if they are stored on the machine's primary drive (usually the C: drive, but it would depend on your setup). To help with this, the malware authors have provided a chat tool so you can connect with them to receive assistance in case you have problems.

The Future of Ransomware

TeslaCrypt, CryptoWall 3.0, and others are showing us that the ransomware craze doesn't seem to be slowing down anytime soon. As always, watch this space for more on ransomware as new details and variants emerge. Thanks again to Todd G. over at Compass Network Group for the heads-up on these new vulnerabilities.

Paul Hanley is a partner support engineer at Intronis.

Photo Credit: Lee Davy via Flickr.com. Used under CC 2.0 License
