TeslaCrypt ransomware joins the fee-for-file-recovery trend (May 22nd, 2015)

The Dell SonicWALL Threats Research team has received reports of a new file-encrypting ransomware called TeslaCrypt. Like other file-encrypting ransomware such as CryptoLocker and CryptoWall, this Trojan holds files for ransom and demands a fee for their recovery. Communication with the C&C/key server is encrypted and takes place over the Tor network. Bitcoin is the currency of choice for the recovery payment, which makes it difficult for authorities to trace the operators. Ransomware of this nature has proven to be a very effective and lucrative business model, and it is a trend we expect to continue throughout 2015.

Infection cycle:

Upon infection the Trojan displays the following text on the desktop background:

It also displays the following dialog in the foreground:

The Trojan makes the following DNS queries (the same Tor hidden-service hostname prefixed to several Tor2web gateway domains):

      7tno4hib47vlep5o.42kjb11.net
      7tno4hib47vlep5o.42kdb12.net
      7tno4hib47vlep5o.tor2web.fi
      7tno4hib47vlep5o.tor2web.bluemagie.de

The Trojan adds the following files to the filesystem:

  • %APPDATA%\key.dat
  • %APPDATA%\log.html
  • %APPDATA%\nvpdpcv.exe [Detected as GAV: TeslaCrypt.A_6 (Trojan)]
  • %USERPROFILE%\Desktop\CryptoLocker.lnk (link to nvpdpcv.exe)
  • %USERPROFILE%\Desktop\HELP_TO_SAVE_YOUR_FILES.bmp
  • %USERPROFILE%\Desktop\HELP_TO_SAVE_YOUR_FILES.txt

The Trojan adds the following values to the Windows registry so that it starts again after a reboot (the asterisk prefix on the RunOnce value tells Windows to run the entry even when the system boots into Safe Mode):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  svv_e = "%APPDATA%\nvpdpcv.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce  *svv_e = "%APPDATA%\nvpdpcv.exe"

It issues the following command to delete the original dropper from the location it was run from, now that a copy lives in %APPDATA%:

      "%WINDIR%\system32\cmd.exe" /c del {run location}\nvpdpcv.exe >> NUL

It also issues the following command to delete all volume shadow copies on the system, so that files cannot simply be restored from Previous Versions:

      "%WINDIR%\system32\vssadmin.exe" delete shadows /all /Quiet
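The indicators above (the Tor2web DNS lookups, the dropped files, the Run/RunOnce values, the dropper self-deletion and the vssadmin call) translate directly into hunt logic. The script below is an added example written for this page; it is not SonicWall code or a SonicWall signature. It runs over a handful of constructed Sysmon-style events (process creation, file creation, registry value set and DNS query, reduced to the fields the rules need) and goes slightly beyond the report in one respect: it flags any 16-character onion label resolved through one of the listed gateways, not only the single address observed.

```python
"""Hunt for the TeslaCrypt host/network indicators listed above in Sysmon-style
events.  Added example for this page, not SonicWall code.  The event shapes are a
constructed, simplified subset of Sysmon fields and the sample events are constructed."""
import re

# Tor2web-style gateways the sample resolved its hidden service through (from the report).
TOR2WEB_GATEWAYS = ("42kjb11.net", "42kdb12.net", "tor2web.fi", "tor2web.bluemagie.de")
# Generalisation: any 16-character (v2) onion label prefixed to one of those gateways,
# not only the 7tno4hib47vlep5o address observed in the report.
ONION_VIA_GATEWAY = re.compile(
    r"^[a-z2-7]{16}\.(?:%s)$" % "|".join(re.escape(g) for g in TOR2WEB_GATEWAYS),
    re.IGNORECASE)

# File names the Trojan drops (from the report), matched case-insensitively on the basename.
DROPPED_NAMES = {"key.dat", "log.html", "cryptolocker.lnk",
                 "help_to_save_your_files.txt", "help_to_save_your_files.bmp"}

# "vssadmin delete shadows" regardless of path, quoting or trailing switches.
VSSADMIN_DELETE = re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.IGNORECASE)
# cmd /c del <something>.exe >> NUL: the dropper self-deletion pattern from the report.
SELF_DELETE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+del\s+.+?\.exe\s*>>\s*NUL\b', re.IGNORECASE)
# Run / RunOnce value names, capturing the optional '*' (run-in-Safe-Mode) prefix.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\(\*?)([^\\]+)$", re.IGNORECASE)


def hunt(events):
    """Return (rule_name, evidence) tuples for every event matching an indicator."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            cmd = ev.get("CommandLine", "")
            if VSSADMIN_DELETE.search(cmd):
                hits.append(("shadow_copy_deletion", cmd))
            if SELF_DELETE.search(cmd):
                hits.append(("dropper_self_delete", cmd))
        elif eid == 11:  # file creation
            path = ev.get("TargetFilename", "")
            if path.rsplit("\\", 1)[-1].lower() in DROPPED_NAMES:
                hits.append(("dropped_artifact", path))
        elif eid == 13:  # registry value set
            m = RUN_KEY.search(ev.get("TargetObject", ""))
            if m:
                key, star, value = m.groups()
                details = ev.get("Details", "")
                # Both Run and RunOnce in the report point at an .exe under %APPDATA%.
                if "\\appdata\\" in details.lower() or "%appdata%" in details.lower():
                    hits.append(("autorun_from_appdata", f"{key}\\{star}{value} -> {details}"))
                if star:  # '*' prefix: Windows runs the entry even in Safe Mode
                    hits.append(("runonce_safe_mode_override", ev["TargetObject"]))
        elif eid == 22:  # DNS query
            name = ev.get("QueryName", "")
            if ONION_VIA_GATEWAY.match(name):
                hits.append(("onion_via_tor2web", name))
    return hits


# Constructed sample events modelled on the behaviour in the report (one benign vssadmin
# "list shadows" and the ipinfo.io lookup are included as negatives).
SAMPLE_EVENTS = [
    {"EventID": 22, "QueryName": "7tno4hib47vlep5o.tor2web.fi"},
    {"EventID": 22, "QueryName": "ipinfo.io"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\key.dat"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Desktop\HELP_TO_SAVE_YOUR_FILES.txt"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svv_e",
     "Details": r"C:\Users\alice\AppData\Roaming\nvpdpcv.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*svv_e",
     "Details": r"C:\Users\alice\AppData\Roaming\nvpdpcv.exe"},
    {"EventID": 1, "CommandLine": r'"C:\Windows\system32\vssadmin.exe" delete shadows /all /Quiet'},
    {"EventID": 1, "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\alice\Downloads\invoice.exe >> NUL'},
    {"EventID": 1, "CommandLine": r'"C:\Windows\system32\vssadmin.exe" list shadows'},
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

The vssadmin and RunOnce rules are the ones worth deploying broadly: shadow-copy deletion and an asterisk-prefixed RunOnce value are rare in legitimate activity and are not tied to this family's file names, which change between samples.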

The Trojan appears to be inspired by CryptoLocker. CryptoLocker.lnk uses the following icon:

key.dat contains the following data, which includes the Bitcoin address to which the ransom is to be sent:

Files on the system and on any attached network shares are encrypted. The splash screen states that RSA-2048 is used; that is the ransom note's claim rather than a finding of this analysis. log.html contains a list of all the files that were encrypted:

The Trojan contacts ipinfo.io to obtain the public IP address of the infected machine:

The Trojan was observed sending encrypted information over the tor network to a remote C&C/key server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: TeslaCrypt.A (Trojan)
  • GAV: TeslaCrypt.A_2 (Trojan)
  • GAV: TeslaCrypt.A_3 (Trojan)
  • GAV: TeslaCrypt.A_4 (Trojan)
  • GAV: TeslaCrypt.A_5 (Trojan)
  • GAV: TeslaCrypt.A_6 (Trojan)