Another day. Another Ransomware.

TeslaCrypt is a ransomware trojan that targets computers with user data and specific computer games installed. Once the system is infected, the malware searches for various file types related to personal documents and different games, including Call of Duty series,World of Warcraft, Minecraft and World of Tanks, and then encrypts them.  The victim is then prompted with a ransom in bitcoins in order to obtain the key to decrypt the files. Below you’ll find additional details on the malware.

Kill Chain Perspective:

1.  Weaponisation: A compromised website that runs Angler exploit kit (browser-based exploit kit). Some samples were seen with other exploit kits like Sweet Orange and Nuclear.

2.  Delivery Mechanism: Email attachment or through websites that redirect the victim to the Angler Exploit Kit.

3.  Exploitation: The Angler exploit kit delivered a malicious Flash object containing an exploit against CVE-2015-0311. The payload for this exploit was a TeslaCrypt. AEK is know to have other exploits, such as CVE 2013-2551(IE),CVE-2013-0074(Silverlight), CVE-2013-2465(JRE),CVE-2014-0515(Adobe ShockWave Flash Player)

4.  Installation: TeslaCrypt encrypts the data files such as photos, videos and documents as well as games on the victim’s computer.

5.  Command & Control: The malware connects to multiple domains in North America. Other domains also worldwide.

6.  Action on Objectives: Demands ransom. The user is displayed the following warning.

01

All the files in the system are encrypted and a custom extension is added to file.

03

What can I do to prevent the Corporate users from such threats?

RSA ECAT can easily detect ransomware and help you take action since it has agents installed on endpoints(corporate lan/roaming) that monitor key system behavior. This data is continuously sent to the server. All the analysis happens on the sever. The Instant IOC feature that looks for malicious behavior which is typically indicative of malware. This leads to generation of a score specific to the end point. Ransomware infection bumps the machine score dramatically as shown below.

.ECAT Score

ECAT also lists the malicious behaviour that was detected.

07

A quick analysis of the suspicious module shows the actual filename of the malicious payload(vcwipe.exe)

09

The ECAT Tracking feature clearly shows how this module is reading all the documents in the system to start the encryption process.

Tracking

RSA ECAT to Rescue:

RSA ECAT’s  blocking feature can be used to prevent mass spread. The blocking feature:

• Blocks known bad files from being written to disk: In the case where we know that a file has alreadybeen blacklisted in ECAT, we’re blocking the file from being written to disk by returning an error code to the application trying to write it.

• Blocks known bad files from being loaded in memory: If files were written to disk while ECAT wasn’t watching (before ECAT installation, offline copy), it’ll block the file from being loaded in memory. Once a file is blocked, a remediation option (specified by the analyst) will be applied. On the initial version, the following is allowed:

ECAT admins can then quickly blacklist this module and enable blocking:

10

More TeslaCrypt Sources:

https://en.wikipedia.org/wiki/TeslaCrypt

https://blog.kaspersky.com/teslacrypt-20-ransomware/9314/

No Comments