How CryptoLocker, Teslalocker and copycat variants infect a computer in detail

It's official: TeslaLocker 4.2 is out in the wild.

In our previous newsletters and blog posts we have been warning about TeslaLocker, CryptoLocker and their copycat variants.

Here is how an infection actually unfolds, step by step:

Most infections start with a spam or phishing email. The payload is usually delivered in a ZIP attachment and runs once the archive is opened and its contents are executed; in other cases the attachment itself is a malicious .exe or script, often an .exe disguised as a document (for example a double extension such as invoice.pdf.exe, which Windows shows as "invoice.pdf" when known extensions are hidden).

Opening the file looks harmless because nothing visible happens. In the background the payload is already running and contacting a server controlled by the attackers to set up the encryption keys, so that the key needed to decrypt the files is never left only on the victim's machine.
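As an added illustration (not code from this post), here is a small Python attachment filter of the kind a mail gateway or help-desk script could apply to the delivery step described above: it flags executable attachments, double-extension lures such as invoice.pdf.exe, and the same kinds of names inside a ZIP archive. The extension lists and the sample archive are constructed for the example.

```python
import io
import zipfile

# Extensions Windows will execute when double-clicked. This is an assumed policy
# list for the example, not a complete one.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar"}
# Extensions a lure commonly pretends to be (the ".pdf" in "invoice.pdf.exe").
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def _extensions(name):
    """Return every dotted suffix of a file name, lowercased, e.g. ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def classify_name(name):
    """Return a reason if the name is an executable or a disguised executable, else None."""
    exts = _extensions(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        return "double extension: shown as %s but runs as %s" % (exts[-2], exts[-1])
    return "executable attachment (%s)" % exts[-1]


def inspect_attachment(filename, data):
    """Inspect one attachment by name and, if it is a ZIP archive, by the names of
    its members. Returns a list of (name, reason) findings; empty means nothing flagged."""
    findings = []
    reason = classify_name(filename)
    if reason:
        findings.append((filename, reason))
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                reason = classify_name(member.filename)
                if reason:
                    findings.append((filename + ":" + member.filename, reason))
    return findings


def build_sample_zip():
    """Constructed sample archive mimicking a spam attachment (example data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Invoice_2016-04.pdf.exe", b"MZ\x90\x00")  # disguised executable
        archive.writestr("scan.js", b"var x = 1;")                  # script-style downloader
        archive.writestr("readme.txt", b"please see attached")      # harmless
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in inspect_attachment("Invoice.zip", build_sample_zip()):
        print(name, "->", why)
```

The name check is deliberately applied to archive members as well as the outer attachment, because a ZIP with a harmless name is the usual wrapper; in production you would pair it with content-type sniffing (an .exe starts with "MZ" regardless of its name) rather than trust names alone.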

The malware targets the following file types for encryption (the list is not exhaustive):

.3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx

Some variants rename the file extensions. Newer ones make no visible change to the file names at all, and one variant renames files to random letters and numbers and writes out a list of the original names it encrypted. Below are extensions the files might be changed to:

.ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .mp3, .encrypted, .lock, .locked, .kimcilware, .crypto, _crypt, .crypt, .crypted, .crinf, .pzdc, .good, .R16M01D05, .cerber, .fun, .kkk, .btc, .gws, .eclr, .sshxkej, .73i87A, .p5tkjw, .PoAr2w, .surprise, .tzu, .coverton, .krypted, .r5a, .XTBL, .YTBL, .LOL!, .OMG!, .RDM, .RRK, .RAD, .encedRSA, .encryptedRSA, .encryptedAES, .justbtcwillhelpyou, .btc-help-you, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, ._cryptcryptcrypt.@.gmail.com_, .id_<victim_id>_email_zeta@dr.com.scl, .0x0, .bleep, .1999, .fu*k (f**k), .vault, .HA3, .frtrss, .toxcrypt, .magic, .enc, .locky, _sq.<filename>, .k2p, .Sanction, .SPORT, .cwgoqia, .trun, .crysis, .xrtn, .Remind, .SUPERCRYPT, .CTBL, .CTB2, or a 6-7 character extension of random letters such as .uogltic, .rpyxhhm, .mtrsxox or .phszfud.

The nastier versions also delete the Volume Shadow Copies, which removes the "Previous Versions" copies you could otherwise restore files from; this may have been the case in earlier versions too. The command used is C:\Windows\system32\wbem\WMIC.exe shadowcopy delete /nointeractive.
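An added example, not part of the original post: detection logic in Python run over constructed process-creation events (fields in the style of Sysmon Event ID 1, assumed here) that flags the WMIC command above and the equivalent vssadmin delete shadows form, rating the alert higher when the parent process ran from a user-writable folder such as Temp, which is where a payload dropped from an email attachment lives.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style (sample data, not real logs).
SAMPLE_EVENTS = [
    {"ts": "2016-04-21T09:12:03", "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe",
     "cmd": r"C:\Windows\system32\wbem\WMIC.exe shadowcopy delete /nointeractive"},
    {"ts": "2016-04-21T09:12:04", "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe",
     "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2016-04-21T10:00:00", "parent": r"C:\Windows\explorer.exe",
     "cmd": r"wmic os get caption"},
    {"ts": "2016-04-21T10:05:00", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"vssadmin list shadows"},
    {"ts": "2016-04-21T16:30:00", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"vssadmin delete shadows /for=C: /oldest"},
]

# The WMIC form is the command quoted above; vssadmin is the other common way to do the same thing.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
]
# A parent started from a user-writable location points at malware rather than an admin.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Desktop|ProgramData)\\", re.I)


def is_shadow_copy_deletion(cmdline):
    """True if the command line deletes Volume Shadow Copies with either tool."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def score_event(event):
    """Return an alert dict for a shadow-copy deletion, or None for anything else."""
    if not is_shadow_copy_deletion(event["cmd"]):
        return None
    severity = "high" if USER_WRITABLE_RE.search(event["parent"]) else "medium"
    return {"ts": event["ts"], "severity": severity,
            "parent": event["parent"], "cmd": event["cmd"]}


def scan(events):
    """Run every event through score_event and keep the alerts, in input order."""
    return [alert for alert in (score_event(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["ts"], alert["severity"].upper(), alert["cmd"], "<-", alert["parent"])
```

The "medium" tier exists because administrators and backup software do legitimately delete shadow copies; the parent-process path is what separates that from a payload in Temp, so the rule is only as good as the process-creation logging feeding it.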

Did you find a ransom note? These infections are built to tell victims that their data has been encrypted and to demand a ransom payment. Check your Documents folder for the image the malware typically sets as the desktop background note, and check C:\ProgramData (or C:\Documents and Settings\All Users\Application Data on older Windows) for a randomly named .html, .txt, .png, .bmp or .url file.

Some versions place a text file in your Documents folder with a name resembling one of the following (not an exhaustive list):

-!recover!-!file!-.txt
RECOVERY_FILES.TXT
HELP_RECOVER_FILES.txt
ABOUT_FILES!.txt
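As an added example (not the post's own code), a Python triage script for the two checks above: it walks a directory tree and counts files carrying the renamed extensions from the list earlier in the post, checks .mp3 files against a real MP3 header since one variant renames files to .mp3, flags random 6-7 letter extensions, and looks for the ransom note names listed above. The sample directory is constructed inside the script; the broader note-name regex and the allowlist of benign long extensions are assumptions for the example.

```python
import os
import re
import tempfile
from collections import Counter

# Subset of the renamed-file extensions listed earlier in the post; extend as needed.
RANSOM_EXTS = {
    ".ecc", ".ezz", ".exx", ".zzz", ".xyz", ".aaa", ".abc", ".ccc", ".vvv", ".xxx",
    ".ttt", ".micro", ".encrypted", ".locked", ".crypt", ".crypted", ".crinf",
    ".locky", ".cerber", ".crysis", ".xtbl", ".ctbl", ".ctb2", ".lechiffre",
}
# Ransom note names from the post, lowercased for comparison.
NOTE_NAMES = {"-!recover!-!file!-.txt", "recovery_files.txt",
              "help_recover_files.txt", "about_files!.txt"}
# Broader heuristic for notes dropped under other names (an assumption, not from the post).
NOTE_NAME_RE = re.compile(r"(recover|decrypt|restore|how_to|help).*\.(txt|html|url|png|bmp)$", re.I)
# Legitimate extensions that happen to be 6-7 letters, so the random-extension check stays quiet.
BENIGN_LONG_EXTS = {".sqlite", ".config", ".torrent", ".pickle", ".backup", ".numbers"}
# A real MP3 starts with an ID3 tag or an MPEG frame sync; an encrypted blob renamed .mp3 will not.
MP3_MAGIC = (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2")


def looks_like_real_mp3(path):
    with open(path, "rb") as fh:
        return fh.read(3).startswith(MP3_MAGIC)


def triage(root):
    """Walk root and summarise ransomware indicators. Returns a dict of findings."""
    by_ext, fake_mp3, random_ext, notes = Counter(), [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            ext = os.path.splitext(low)[1]
            if low in NOTE_NAMES or NOTE_NAME_RE.search(low):
                notes.append(path)
            elif ext in RANSOM_EXTS:
                by_ext[ext] += 1
            elif ext == ".mp3" and not looks_like_real_mp3(path):
                fake_mp3.append(path)
            elif re.fullmatch(r"\.[a-z]{6,7}", ext) and ext not in BENIGN_LONG_EXTS:
                random_ext.append(path)
    encrypted = sum(by_ext.values()) + len(fake_mp3) + len(random_ext)
    return {"by_ext": dict(by_ext), "fake_mp3": fake_mp3, "random_ext": random_ext,
            "notes": notes, "encrypted_total": encrypted,
            "likely_infected": bool(notes) or encrypted >= 3}


def build_sample_tree():
    """Create a constructed victim profile in a temp dir and return its path (example data only)."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    docs, pdata = os.path.join(root, "Documents"), os.path.join(root, "ProgramData")
    os.makedirs(docs)
    os.makedirs(pdata)
    samples = {
        os.path.join(docs, "report.docx.vvv"): b"\x8a\x11\x02",        # renamed by a .vvv variant
        os.path.join(docs, "photo.jpg.micro"): b"\x00\x5c\x9f",        # renamed by a .micro variant
        os.path.join(docs, "proposal.docx.rpyxhhm"): b"\x77\x01",      # random 7-letter extension
        os.path.join(docs, "budget.xlsx.mp3"): b"\x13\x37\x00\x00",    # renamed to .mp3, not audio
        os.path.join(docs, "song.mp3"): b"ID3\x03\x00\x00\x00",        # a genuine MP3, left alone
        os.path.join(docs, "normal.txt"): b"plain text",
        os.path.join(pdata, "HELP_RECOVER_FILES.txt"): b"Your files are encrypted",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Run it against a user profile (or a mounted image of one) rather than a whole system drive: the counts of renamed files tell you how far the encryption got, and the note locations tell you which family you are dealing with before you touch anything.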

There are techniques that reduce the chance of this happening to you, but none of them is a 100% guarantee against infection.

=====

As we value quality over quantity, we have focused our unified I.T. services on small and medium businesses in Arizona, specifically the Phoenix, Scottsdale and Glendale metro areas.

Our technicians are available the instant you call us, ensuring no interruption of your usual business operations. If you can't reach our contact page, our phone support is always available: just give us a ring at 480-464-0202.
