Researchers at Kaspersky Lab have uncovered version 2.0 of TeslaCrypt, a file-encrypting ransomware first spotted in February 2015.
TeslaCrypt made numerous headlines earlier this year because in addition to the file types targeted by most ransomware, this piece of malware also encrypts video game files. However, the encryption scheme used in some of the earlier versions was not too efficient and researchers managed to develop tools that victims could use to recover encrypted files.
The latest version of TeslaCrypt (detected by Kaspersky as Trojan-Ransom.Win32.Bitman.tk) comes with several improvements, including a new encryption scheme that makes it impossible to recover files encrypted by the malware, Kaspersky experts said.
According to the security firm, TeslaCrypt 2.0 comes with a new ransom screen copied from CryptoWall 3.0. Researchers have pointed out that the first versions of the ransomware used a graphical interface taken from CryptoLocker. In later versions, the malware developers came up with their own design for the ransom screen, and now it appears that they’re getting their inspiration from CryptoWall.
It’s worth noting that TeslaCrypt authors have not only copied the CryptoWall ransom screen, but they are also using the ransomware’s name. Cybercriminals might be leveraging CryptoWall’s reputation because many users know that files encrypted by this piece of ransomware cannot be recovered without paying the ransom, experts said.
Kaspersky has also noted that the ransom screen is no longer an application window, but an HTML webpage displayed in the victim’s web browser.
The TeslaCrypt 2.0 encryption scheme involves master keys generated for each infected computer, and session keys generated each time the malware is executed on the system.
“Keys are generated using the ECDH algorithm,” Kaspersky’s Fedor Sinitsyn explained in a blog post. “The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone.”
The malware developers have now completely removed the file decryption feature found in previous versions, Sinitsyn noted.
The malware uses the tor2web service to communicate with its command and control (C&C) servers which are located on the Tor anonymity network. Recent versions of the ransomware encrypt requests using the AES-256-CBC algorithm before sending them to the server.
For evasion, TeslaCrypt 2.0 relies on a technique that involves the use of COM objects. This method has been utilized since version 0.4.0, but it has undergone slight modifications in later versions.
TeslaCrypt has been distributed mainly with the aid of exploit kits such as Angler, Sweet Orange and Nuclear. The highest number of victims was detected by Kaspersky in the United States and Europe.