Pierluigi Paganini July 16, 2015

Researchers at Kaspersky Lab have discovered a new strain of TeslaCrypt ransomware, version 2.0,  which was improved in a significant way.

Malware researchers at Kaspersky detected a new strain of the TeslaCrypt ransomware (Trojan-Ransom.Win32.Bitman.tk), so-called TeslaCrypt 2.0, which includes a number of improvements. This ransomware also encrypts video game files, but the most significant improvement is related to the encryption scheme that overwhelm the limits of the scheme implemented in the previous versions.

The latest version implements a new encryption scheme that makes it impossible to recover files encrypted by ransomware.

“Kaspersky Lab recently discovered the latest version of the Trojan – TeslaCrypt 2.0. This version is different from previous ones in that it uses a significantly improved encryption scheme, which means that it is currently impossible to decrypt files affected by TeslaCrypt. It also uses an HTML page instead of a GUI. Incidentally, the HTML page was copied from another Trojan – Cryptowall.” states the report published by Kaspersky Lab.

The experts discovered several strains of TeslaCrypt 2.0 over the last months, the first one comes with the same interface of the CryptoWall 3.0 ransomware, recent versions are using a totally new ransom screen.

The TeslaCrypt 2.0 encryption scheme is based on the ECDH algorithm, it involves master keys generated for each infected PC, each time the malware is executed on the victim’s PC session keys are generated.

“Keys are generated using the ECDH algorithm,” states the blog post. “The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone.”

The authors of TeslaCrypt 2.0 have removed the file decryption feature found in previous versions, used by security experts to recover the encrypted files.

Below the list of features implemented by TeslaCrypt 2.0:

• The Trojan independently generates a new, unique Bitcoin address and a private key for it. The address is used both as a victim ID and to receive payments from the victim.
• The AES-256-CBC algorithm is used to encrypt files; all files are encrypted with the same key.
• Files larger than 0x10000000 bytes (~268 MB) are not encrypted.
• C&C servers are located on the Tor network; the malware communicates with the C&Cs via public tor2web services.
• Files encrypted by the malware include many extensions matching files used in computer games.
• The Trojan deletes shadow copies.
• In spite of the scary stories about RSA-2048 shown to victims, this encryption algorithm is not used by the malware in any form.
• The Trojan was written in C++, built using Microsoft’s compiler, with cryptographic algorithm implementation taken from the OpenSSL library.

The ransomware implements a sophisticated detection evasion technique based on using COM objects, that was noticed for the first time with version 0.4.0 of the malware.

TeslaCrypt mainly hit computers in the US, Germany, Spain and other countries, criminals distributed it through popular exploit kits such as Angler, Sweet Orange and Nuclear EK.

Pierluigi Paganini

(Security Affairs – TeslaCrypt, ransomware)