Sign Me Up For
The Free Assessment

 

BEWARE: TeslaCrypt 4.0 Released with Bug Fixes and Stops Adding Extensions

This is not the first time people have talked about TeslaCrypt and its variants. Apparently the malware developers wanted to wreak more havoc and force a lot of unknowing computer users to pay up and get their data back. Hence, the version 4.0 is now out in the wild.

At this point, TeslaCrypt 4.0 has not been fully analyzed but a brief analysis  that it fixes a bug that corrupted files greater than 4GB, contains new ransom note names, and no longer uses an extension for encrypted files.

Previously, files are either encrypted and changed to .ecc .ece .ccc .vvv .mp3 and many more. Now, file extensions are kept the same but encrypted.

When TeslaCrypt first begins encrypting your data, it will connect to one of the Command & Control server gateways and send an encrypted POST message. When this message is decrypted, one of the values in the message is called version that displays the current version of TeslaCrypt. You can see an example of a decoded 4.0 request below.

Sub=Ping&dh=[PublicKeyRandom1_octet|AES_PrivateKeyMaster]&addr=[bitcoin_address]&size=0&version=4.0&OS=[build_id]&ID=[?]&inst_id=[victim_id]

In this version, the developers have fixed a bug that was corrupting files greater than 4GB, changed the names of the ransom notes to RECOVER[5_chars].html, and no longer appends an extension to encrypted files. The lack of an extension makes it difficult for victim’s to discover information about TeslaCrypt and what it did to their files.  For now, until an extension is used again, victims are going to have to search for strings from the ransom note such as:

    NOT YOUR LANGUAGE? USE https://translate.google.com

    What’s the matter with your files?

    Your data was secured using a strong encryption with RSA4096.
    Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem)

Files encrypted by this version cannot be decrypted without purchasing the key. If you have a backup, you should restore your files from that instead.

Sad to say but this build seems to disable and delete Shadow copies and system restore points.

Tesla has evolved during the last 1.5 years and why this has become a problem. Multiple ransomware variants have emerged like CryptoLocker, TorrentLocker, CryptoJoker, Locky, Samas, Xorist, CryptorBit and many more.

As of this writing, chances of recovering files is very slim unless you pay to get the key but there are some software programs you can use to protect your system from these ransomware from getting in. FYI there is no perfect system, although you have prevention methods, backups and other security being implemented – it does not guarantee you will not be a victim of these threats.

 

=====

Was this helpful?

As we value quality over quantity, we have focused our unified I.T. services to Small and Medium businesses only to Arizona specifically in Phoenix, Scottsdale, Glendale Metro areas.

Our technicians are available the very instant you call us; thereby, ensuring no interruption of your usual business operations. In case you can’t access our contact page, our phone support is always available to cater to your calls. Just give us a ring at 480-464-0202

Written by

No Comments Yet.

Leave a Reply

Message

[contact-form-7 id="5555" title="Mobile Form"]