Be aware the unbreakable TeslaCrypt 4 was detected in the wild

According to the experts at Heimdal Security firm, the ransomware Teslacrypt 4 arrived and it is infecting systems in the wild.

According to the experts at Heimdal Security, the fourth version of the infamous Teslacrypt ransomware has just been launched. Teslacrypt 4 implements new functionalities and is more stable of previous versions, stability, it also fixed various bugs, including one related to encryption of large data files. In the previous variants, files larger than 4 GB would get permanently damaged when the ransomware tried to encrypt them.

Teslacrypt 4 used RSA 4096 for data encryption, this makes impossible to recover data encrypted by the ransomware.

“Consequently, the encrypted data will be impossible to recover, which can determine information loss if the victim doesn’t have a backup for the affected data.” states a report published by Heimdal Security.

The bad news for the victims is that the TeslaDecoder tool used to rescue the files encrypted by the previous variants of the ransomware no longer works with Teslacrypt 4.0.

Victims of the Teslacryt 4 ransomware have no possibility to recover information, they can only restore files from a previous backup or pay the ransom with no guarantee of success.

Researchers spotted TeslaCrypt 4 in the wild, crooks used drive-by attacks to spread the ransomware leveraging on the Angler exloit kit.

The researchers already blocked more than 600 domains hosting the Angler EK in just one day. It has been estimated that daily average of domain spreading Angler EK blocked by the security firsm will reach soon 1200 domains per day, on average.

Teslacrypt 4 could be also used by attackers to harvest user’s data, including the “MachineGuid”, “DigitalProductID” and “SystemBiosDate” .

Experts at Heimdal Security have published the following Indicators of Compromise for the Teslacrypt 4.0:

%UserProfile%\Desktop\RECOVER[%5 random signs%].html
%UserProfile%\Desktop\RECOVER[%5 random signs %].png
%UserProfile%\Desktop\RECOVER[%5 random signs %].txt %UserProfile%\Documents\[random file name].exe %UserProfile%\Documents\recover_file.txt

TeslaCrypt 4 also creates the following value in the registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_[random name] C:\Windows\SYSTEM32\CMD.EXE /C START %user account%\Documents\[random name].exe

The current list of Teslacrypt 4 Control & Command servers is the folowing:

http://commonsenseprotection[.]com/phsys.php
http://ebookstoreforyou[.]com/phsys.php
http://esbook[.]com/phsys.php
http://exaltation[.]info/plugins/phsys.php
http://hmgame[.]net/phsys.php
http://shampooherbal[.]com/phsys.php

This new variant of TeslaCrypt demosntrates the rapid evolution of the threat that first appeared in March 2015, meanwhile the version 2.o appeared in the wild in July 2015 and the TeslaCrypt 3.0 in January 2016.

Pierluigi Paganini

(Security Affairs – TeslaCrypt , ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.