Pierluigi Paganini March 15, 2015

TeslaCrypt is a new strain of ransomware, spotted in the wild by experts at Emsisoft, which is also targeting users of principal gaming platforms.

A new strain of ransomware dubber TeslaCrypt was spotted in the wild by the researchers at the security firm Emsisoft. TeslaCrypt was discovered at the end of February, researchers at Bromium that analyzed the malicious code have discovered that it was distributed through a compromised WordPress website set up to redirect visitors to a page hosting the Angler exploit kit.

The landing page was designed to check for the presence of virtualized environment or antivirus software, if the checks don’t reveal them the exploit drops the TeslaCrypt ransomware by exploiting a Flash Player vulnerability (CVE-2015-0311) patched by Adobe in January or an old Internet Explorer vulnerability.

The TeslaCrypt works like any other ransomware by encrypting victim’s files, including photos, videos and documents. The peculiarity TeslaCrypt is that it also searches for files associated with popular video games (i.e. Call of Duty, Diablo, Fallout, Minecraft, Warcraft, F.E.A.R, Assassin’s Creed, Resident Evil, World of Warcraft, League of Legends, and World of Tanks) and encrypt them. The authors of TeslaCrypt have focused their efforts in targeting gaming platform, the ransomware encrypts profile data, saved games, mods, maps, and also the files associated with Steam and game development software (i.e. Unity3D, Unreal Engine, and RPG Maker).

“Gamers may be used to paying to unlock downloadable content in their favorite games, but a new crypto-ransomware variant aims to make gamers pay to unlock what they already own. Data files for more than 20 games can be affected by the threat, increasing what is already a large target for cybercriminals. Another file type that hasn’t been targeted before is iTunes related. But first, let’s have a look at the initial infection.” reads a blog post published by Bromium.

The researchers discovered that the TeslaCrypt ransomware targets a total of 185 file extensions, a number of extensions less than TorrentLocker, but experts highlighted that it targets ‘more file types associated with video games than we have ever seen.‘

“Encrypting all these games demonstrates the evolution of crypto-ransomware as cybercriminal target new niches. Many young adults may not have any crucial documents or source code on their machine (even photographs are usually stored at Tumblr or Facebook), but surely most of them have a Steam account with a few games and an iTunes account full of music,” continues the post.

The payment procedure is operated through a hidden service in the TOR network, victims told to pay 1.5 Bitcoin (more than $400) or $1,000 through PayPal My Cash Card in order to decrypt their files.

Gaming platforms are a privileged target for cyber criminals, in the past many other criminal crews targeted gamers, the last threat in order of time was a campaign designed to phish the Steam credentials of Counter-Strike.

Pierluigi Paganini

(Security Affairs –  TeslaCrypt , gaming industry)