Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

TeslaCrypt 2.0 Ransomware Comes With Improved Encryption Mechanism

Researchers at Kaspersky Lab have uncovered version 2.0 of TeslaCrypt, a file-encrypting ransomware first spotted in February 2015.

Researchers at Kaspersky Lab have uncovered version 2.0 of TeslaCrypt, a file-encrypting ransomware first spotted in February 2015.

TeslaCrypt made numerous headlines earlier this year because in addition to the file types targeted by most ransomware, this piece of malware also encrypts video game files. However, the encryption scheme used in some of the earlier versions was not too efficient and researchers managed to develop tools that victims could use to recover encrypted files.

The latest version of TeslaCrypt (detected by Kaspersky as comes with several improvements, including a new encryption scheme that makes it impossible to recover files encrypted by the malware, Kaspersky experts said.

According to the security firm, TeslaCrypt 2.0 comes with a new ransom screen copied from CryptoWall 3.0. Researchers have pointed out that the first versions of the ransomware used a graphical interface taken from CryptoLocker. In later versions, the malware developers came up with their own design for the ransom screen, and now it appears that they’re getting their inspiration from CryptoWall.

It’s worth noting that TeslaCrypt authors have not only copied the CryptoWall ransom screen, but they are also using the ransomware’s name. Cybercriminals might be leveraging CryptoWall’s reputation because many users know that files encrypted by this piece of ransomware cannot be recovered without paying the ransom, experts said.

Kaspersky has also noted that the ransom screen is no longer an application window, but an HTML webpage displayed in the victim’s web browser.

The TeslaCrypt 2.0 encryption scheme involves master keys generated for each infected computer, and session keys generated each time the malware is executed on the system.

“Keys are generated using the ECDH algorithm,” Kaspersky’s Fedor Sinitsyn explained in a blog post. “The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone.”

The malware developers have now completely removed the file decryption feature found in previous versions, Sinitsyn noted.

The malware uses the tor2web service to communicate with its command and control (C&C) servers which are located on the Tor anonymity network. Recent versions of the ransomware encrypt requests using the AES-256-CBC algorithm before sending them to the server.

For evasion, TeslaCrypt 2.0 relies on a technique that involves the use of COM objects. This method has been utilized since version 0.4.0, but it has undergone slight modifications in later versions.

TeslaCrypt has been distributed mainly with the aid of exploit kits such as Angler, Sweet Orange and Nuclear. The highest number of victims was detected by Kaspersky in the United States and Europe.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.