As the saying goes, what’s old is new again, but sometimes what’s new can still be new again. Enigmatic? Perhaps, but two programs in the ransomware category are doing their best to prove this. An old friend that I’ve written about several times now, CryptoWall, is pioneering a new infection vector, while a fresh challenger, TeslaCrypt, is seeking to carve out a new target niche that has been underexploited. Let’s see why security experts are concerned about these two infectious agents.
Infected CHM files
The latest versions of CryptoWall, known as CryptoWall 3.0, have recently started using a new infection vector, one with some very old roots: a malicious CHM file that runs its embedded script as soon as it is opened, and that script in turn drops the ransomware onto the system. Let’s look at why that works.
In 1997, Microsoft released the successor to the old WinHelp format used by the venerable Windows 3.x. Known as Compiled HTML Help, or CHM, it packed a collection of HTML files into a single compressed archive, replacing the Rich Text Format source its predecessor was built from.
CryptoWall abuses Internet Explorer’s CHM handling
Well, as with all things HTML, it eventually became ripe for exploitation. Microsoft patched several HTML Help security holes in 2004 and 2005, but because the problems were innate to the format, a direct result of how interactive it was designed to be, Microsoft stopped developing it and dropped it as the help system for Windows Vista.
What Microsoft did not do, however, was remove the HTML Help viewer (hh.exe), which renders CHM content with Internet Explorer’s engine, from Windows. That is where CryptoWall comes in.
As with other vectors, the victim receives an email with a zipped attachment. Inside the ZIP file is a malicious CHM file that, when opened, launches the help viewer, which renders the embedded HTML and runs the script it contains; that script executes the payload.
CryptoWall then follows its usual pattern, encrypting every file it can reach before displaying the ransom window. The attack relies on nothing more exotic than Internet Explorer’s default willingness to run the scripts contained in a CHM file, with potentially disastrous results.
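Since the lure is a ZIP attachment carrying a CHM, the obvious place to catch it is the mail gateway. The script below is an added example written for this post (not code from the original article or from any vendor product): it identifies CHM members inside a ZIP by the ITSF signature every CHM file starts with, so a CHM renamed to .pdf or .txt is still flagged, and it also reports a .chm that does not actually carry the signature. The sample archive is constructed in memory purely for the demonstration.

```python
"""
Flag Compiled HTML Help (CHM) files hidden inside a ZIP e-mail attachment.

Added example for this post, not code from the original article or from any
vendor product.  It keys on the ITSF signature that every CHM file starts
with, so a CHM renamed to .pdf or .txt is still caught.  The sample archive
is constructed in memory purely for the demonstration.
"""
import io
import posixpath
import struct
import zipfile

CHM_MAGIC = b"ITSF"   # the four-byte signature at offset 0 of every CHM file


def is_chm(head: bytes) -> bool:
    """True if the bytes look like the start of a CHM (ITSF) file.

    The ITSF header begins with the signature, a little-endian version
    (2 or 3 for files built with HTML Help Workshop) and the total header
    length (0x58 bytes for version 2, 0x60 for version 3).
    """
    if len(head) < 12 or head[:4] != CHM_MAGIC:
        return False
    version, header_len = struct.unpack_from("<II", head, 4)
    return version in (2, 3) and header_len >= 0x58


def scan_zip_attachment(blob: bytes) -> list:
    """Return one (member, reason) finding per suspicious member of a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)        # the ITSF header fits easily in 64 bytes
            ext = posixpath.splitext(info.filename)[1].lower()
            if is_chm(head):
                reason = "CHM content"
                if ext != ".chm":
                    reason += f" disguised as {ext or '(no extension)'}"
                findings.append((info.filename, reason))
            elif ext == ".chm":
                findings.append((info.filename, ".chm extension without ITSF header"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed ZIP resembling the lure: a note, a real-looking CHM, a CHM
    renamed to look like a PDF, and a .chm that is not actually a CHM."""
    fake_chm = CHM_MAGIC + struct.pack("<II", 3, 0x60) + b"\x00" * (0x60 - 12)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", b"Please see the attached documentation.")
        zf.writestr("invoice_details.chm", fake_chm)
        zf.writestr("scan_0423.pdf", fake_chm)
        zf.writestr("notes.chm", b"not a compiled help file at all")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_attachment(build_sample_attachment()):
        print(f"{member}: {reason}")
```

Blocking on extension alone is the weak version of this check; the signature test is what makes a renamed CHM visible. In production you would run it on every archive member, including nested archives, rather than only on the top level.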
TeslaCrypt targets gamers
TeslaCrypt takes a different approach, introducing some tricks not seen in older CryptoLocker copycats. Where other locker-type malware tries to hit everything it can, TeslaCrypt encrypts only certain file types, much like the patriarch of this malware family, CryptoLocker. (Its ransom screen even claims to be CryptoLocker.)
What is new is that TeslaCrypt is the first ransomware to explicitly go after game saves, such as those for popular franchises like Call of Duty, Diablo, and Minecraft.
A few new tactics
TeslaCrypt also renames the files it encrypts rather than only overwriting their contents: each affected file is given an .ecc extension, so applications that look for the original filename fail to find it.
The malware also deletes the browsing history of every installed browser to hide the source of the infection. In theory, network capture or proxy logs could still identify it, but that is a long shot.
Otherwise the usual ransomware patterns are followed: shadow copies are deleted, Tor links are provided for payment, and so on. The price is 1.5 BTC, approximately $375 at the time of writing. Attempting to circumvent or tamper with the infection (e.g. cleaning it with antivirus) triggers what the authors call a “dead-man’s switch” and results in total loss of the data. The five-day time limit is not extended; once time is up, it’s over.
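Two of the behaviours above leave tracks that endpoint telemetry can catch before the ransom screen appears: a burst of files renamed to the .ecc extension, and the removal of Volume Shadow Copies. The detector below is an added example written for this post, not code from the original article or from any product. Its event format and sample events are constructed; and since the post says only that shadow copies are deleted, it matches both standard Windows ways of doing that (vssadmin delete shadows, wmic shadowcopy delete) rather than asserting which one TeslaCrypt itself runs.

```python
"""
Detect two TeslaCrypt tells in endpoint telemetry: a burst of files renamed
to .ecc on one host, and shadow copy deletion via the standard Windows tools.

Added example for this post, not code from the original article or from any
product.  The Event schema and the sample events are constructed for the
demonstration.
"""
import re
from collections import deque
from dataclasses import dataclass

# Tunables: how many .ecc renames inside one window on one host trip the alert.
RENAME_THRESHOLD = 20
WINDOW_SECONDS = 60

# Standard Windows ways of wiping shadow copies.  Assumption: both are matched
# because the post says only that shadow copies are deleted, not how.
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
)


@dataclass(frozen=True)
class Event:
    """One telemetry record (constructed schema, not a real product format)."""
    ts: float      # seconds since epoch
    host: str
    kind: str      # "rename" (file renamed) or "process" (process created)
    detail: str    # new file path for renames, command line for processes


def detect(events):
    """Return (host, ts, message) alerts for the two TeslaCrypt tells."""
    alerts = []
    recent = {}              # host -> deque of timestamps of recent .ecc renames
    burst_reported = set()   # hosts already alerted on, to avoid repeats
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            if any(p.search(ev.detail) for p in SHADOW_DELETE_PATTERNS):
                alerts.append((ev.host, ev.ts,
                               "shadow copy deletion: " + ev.detail))
        elif ev.kind == "rename" and ev.detail.lower().endswith(".ecc"):
            window = recent.setdefault(ev.host, deque())
            window.append(ev.ts)
            # Drop renames that have fallen out of the sliding window.
            while ev.ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and ev.host not in burst_reported:
                burst_reported.add(ev.host)
                alerts.append((ev.host, ev.ts,
                               f"{len(window)} files renamed to .ecc within "
                               f"{WINDOW_SECONDS}s"))
    return alerts


def sample_events():
    """Constructed telemetry: one infected workstation, one quiet one."""
    events = []
    # WS01: 25 save files renamed to .ecc over 25 seconds, then shadow copies wiped.
    for i in range(25):
        events.append(Event(1000.0 + i, "WS01", "rename",
                            rf"C:\Users\alice\Saved Games\slot{i:02d}.sav.ecc"))
    events.append(Event(1030.0, "WS01", "process",
                        "vssadmin.exe Delete Shadows /All /Quiet"))
    # WS02: ordinary renames and an admin merely listing shadow copies.
    events.append(Event(1005.0, "WS02", "rename", r"C:\Users\bob\report.docx"))
    events.append(Event(1006.0, "WS02", "rename", r"C:\Users\bob\old.ecc"))
    events.append(Event(1007.0, "WS02", "process", "vssadmin.exe List Shadows"))
    return events


if __name__ == "__main__":
    for host, ts, msg in detect(sample_events()):
        print(f"{ts:.0f} {host}: {msg}")
```

The rename burst fires on the 20th .ecc rename on WS01, ten seconds before the shadow copies are wiped; a single stray .ecc file or a `vssadmin list shadows` run by an administrator does not. The threshold and window are starting points to tune against your own file-rename baseline.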
TeslaCrypt’s weaknesses and bugs
There are a couple of identified issues with TeslaCrypt, however, that distinguish it from its arguably better-constructed predecessors. Encryption and decryption times differ greatly from the norms set by CryptoLocker and CryptoWall. Encryption is slower than normal and does not process files in any particular order.
In theory, this means an infection could be stopped mid-stream. Decryption is also much faster than the norm, leading some researchers to doubt that the malware actually uses the 2048-bit RSA encryption seen in older ransomware.
A bug has also been reported in the malware’s decryption tool. Should you decide to pay the ransom, files can only be decrypted if they are stored on the machine’s primary drive (usually C:, depending on your setup). To help with this, the malware authors provide a chat tool so you can contact them for assistance if you have problems.
The future of ransomware
TeslaCrypt, CryptoWall 3.0, and others are showing us that the ransomware craze is not slowing down anytime soon. As always, watch this space for more on ransomware as new details and variants emerge. Thanks again to Todd G. over at Compass Network Group for the heads-up on these new threats.
Paul Hanley is a partner support engineer at Intronis.