When TeslaCrypt first arrived on the ransomware scene about a year ago, it seemed like a CryptoLocker copycat with a few new tricks, such as renaming existing files, deleting browser history to hide the source of the infection, and a peculiar appetite for Twitch streamers and multimedia creators. The authors of this malware strain are adapting quickly, proving themselves to be more than just another copycat and recently launching the fourth version of the malicious software, one even more damaging than the original.
What’s new in TeslaCrypt 4.0
The most alarming development in the new iteration of TeslaCrypt is its reported use of RSA-4096 encryption, which cannot be broken with current technology. Previously, several companies built tools, by reverse engineering the malware, that could help businesses and other people hit by TeslaCrypt decrypt their files without paying the ransom. Unfortunately, that approach is no longer effective against the latest version of the ransomware.
One of the reasons for that is how the private key is now stored. Older versions of TeslaCrypt kept the private key needed to unlock files right on the user’s computer. TeslaCrypt 4.0 deletes the local copy of the private key after sending it to the cybercriminal’s server, making it impossible to retrieve without paying the ransom. This is how other Locker-type malware strains already behave, and it brings TeslaCrypt up to parity with them.
The new version of the ransomware strain also fixes a bug that corrupted files larger than 4GB when the malware encrypted them.
Lastly, TeslaCrypt no longer adds an extension to encrypted files, which makes it harder for users (or their IT service provider) to identify the ransomware and find out what it has done to their files. In previous versions, this extension served as a marker of which files had been encrypted.
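Because the new version leaves file names untouched, a check that only looks for a known ransomware extension finds nothing. The following scanner is an added example (not code from the original article and not associated with TeslaCrypt itself) that flags encrypted files by their contents instead: for document types with a known header it trusts the header, since intact zip-based or image formats are high-entropy on their own, and for everything else it measures byte entropy. The magic-byte table, the 7.5 bits/byte threshold and the sample files in build_demo_tree are all constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Headers for a few common document types (illustrative assumption, not exhaustive).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def looks_encrypted(path: Path, threshold: float = 7.5, sample: int = 4096) -> bool:
    """Decide from content alone, since the extension is no longer a usable signal."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        # Known container format: an intact zip/jpg/png is already high-entropy,
        # so the header check, not entropy, is the reliable test here.
        return not head.startswith(expected)
    # Unknown type: fall back to entropy. Very small files cannot reach the
    # threshold (max entropy is log2(len)), so they are reported as clean.
    return shannon_entropy(head) >= threshold


def scan(root: Path) -> list:
    """Return relative paths of files under root that look encrypted, sorted."""
    return sorted(
        str(p.relative_to(root)).replace(os.sep, "/")
        for p in root.rglob("*")
        if p.is_file() and looks_encrypted(p)
    )


def build_demo_tree() -> Path:
    """Constructed sample: two intact files and two 'encrypted' ones with names kept."""
    root = Path(tempfile.mkdtemp(prefix="tc_demo_"))
    (root / "notes.txt").write_bytes(b"Quarterly report draft. " * 50)
    (root / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + os.urandom(2000))
    # Random bytes stand in for ciphertext; the original names are unchanged.
    (root / "invoice.docx").write_bytes(os.urandom(3000))
    (root / "customers.csv").write_bytes(os.urandom(3000))
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in scan(demo):
        print("possibly encrypted:", hit)
```

Run over a file share this reports only the two stand-in ciphertext files: the .docx is caught because its zip header is gone, the .csv because its entropy is near 8 bits per byte. A sudden jump in the number of hits between two scans is the signal worth alerting on.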
Why backup still matters
With the new developments in the latest version of TeslaCrypt, doing a full restore of the system from a secure backup is the only way to safely get access to files after an infection without paying the ransom. As an MSP, you can help customers minimize the impact of a ransomware infection like TeslaCrypt by making sure they maintain regular backups to make that kind of restore possible. If one of your SMB customers doesn’t have a recent system backup to restore to, they will have no choice but to pay the ransom.
It’s more important than ever to make sure those backups are secure and separate from the network, though. The FBI recently warned of ransomware attempting to encrypt entire networks by trying to manually delete backups that could be used to recover the encrypted data without paying the ransom.
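A backup that an attacker with network access can reach is also one they can silently corrupt or delete, so a backup is only worth something if you can prove it is still intact before you need it. The script below is an added example, not code from the original article or from any backup product: it records a SHA-256 manifest when the backup is made and later compares the backup tree against that manifest, reporting files that went missing, were overwritten, or appeared unexpectedly. The manifest must be kept somewhere the backup host cannot write to (offline or immutable storage), otherwise both can be altered together. The sample tree and the tampering in build_demo are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with open(p, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)  # streamed so large backups do not load into memory
            manifest[str(p.relative_to(root)).replace(os.sep, "/")] = h.hexdigest()
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup tree now against the manifest taken when it was written."""
    current = build_manifest(backup_root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def build_demo() -> tuple:
    """Constructed sample: write a small backup, take its manifest, then tamper with it."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "contract.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (root / "db.sqlite").write_bytes(b"SQLite format 3\x00" + bytes(64))
    manifest = build_manifest(root)  # in practice: store this off the backup host
    # Simulate a backup that stayed reachable from the network and was tampered with:
    # one file deleted, one overwritten with ciphertext-like bytes, one note dropped in.
    (root / "docs" / "contract.pdf").unlink()
    (root / "db.sqlite").write_bytes(os.urandom(80))
    (root / "HOW_TO_RECOVER.txt").write_bytes(b"constructed stand-in for a ransom note")
    return root, manifest


if __name__ == "__main__":
    backup, saved_manifest = build_demo()
    report = verify_backup(backup, saved_manifest)
    for kind, files in report.items():
        print(f"{kind}: {files}")
```

Running the verification on a schedule, from a host that only has read access to the backup target, turns a damaged backup into an alert you see before the day you have to restore from it.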
To help protect your SMB customers from TeslaCrypt and other ransomware strains, MSPs need to stress the importance of both security and backup and educate customers about the ransomware threat and how to protect their business from it.