TeslaCrypt ransomware alert: watch out for bogus email invoices

Image source: Symantec

Common criminals are putting out feelers to take a share of Christmas budgets this year, Norton antivirus maker Symantec has warned.

A network of criminals using the TeslaCrypt file-encrypting ransomware has cranked up attacks on inboxes at the height of the Christmas shopping period.

TeslaCrypt emerged early this year as one more variant of ransomware that encrypts victims’ files and demands around $300 to unlock them. It initially made headlines for targeting PC gamers’ files, but newer variants also scour infected systems for files specific to financial and tax software, suggesting its operators are keen to extort businesses as well as consumers.

According to Symantec’s security response team, the attackers are sending out “massive volumes of spam emails seeded with the malware”, using a variety of subject-line lures to get recipients to open the messages and dressing up the attachments as invoices or other documents. Seasoned computer users may not fall for the tricks, but they may have family members who do.

The attachment itself is not the ransomware but a downloader that fetches and installs it.

“The attachment may have a file extension of .zip or may have no file extension at all. Although disguised as a legitimate document, the attachment is, in fact, a JavaScript file containing heavily obfuscated malicious code intended to evade antivirus scanners. This attached file is detected by Symantec as JS.Downloader,” said Symantec.

“Should the recipient open this attachment, it will download and install TeslaCrypt on their computer.”
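The mismatch Symantec describes, a script delivered under a ".zip" name or with no extension at all, is something a mail gateway or an analyst can check for directly. The following is an added example, not code from Symantec or from this article: it inspects an attachment's bytes rather than trusting its name. The script-content heuristics, the marker strings and every sample attachment are constructed for illustration and are not signatures of any particular downloader family.

```python
"""Triage e-mail attachments whose name disagrees with their content.

Added example, not code from Symantec or from the article. It checks for the
trick described above: a JavaScript downloader delivered with a ".zip" name or
with no extension at all. The script-content heuristics and every sample
attachment below are constructed for illustration and are not signatures of any
particular downloader family.
"""
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a ZIP archive
SCRIPT_EXTS = {"js", "jse", "wsf", "vbs", "vbe", "hta"}

# Assumed heuristics: constructs common in Windows script droppers. Two or more
# hits in the first 64 KiB are treated as "this is script", whatever the name.
SCRIPT_MARKERS = (
    re.compile(rb"\beval\s*\("),
    re.compile(rb"ActiveXObject\s*\("),
    re.compile(rb"WScript\."),
    re.compile(rb"String\.fromCharCode"),
    re.compile(rb"\bfunction\s*\w*\s*\("),
)


def _ext(name: str) -> str:
    """Lower-cased extension without the dot, or '' when there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def looks_like_script(data: bytes) -> bool:
    sample = data[:65536]
    return sum(1 for m in SCRIPT_MARKERS if m.search(sample)) >= 2


def triage_attachment(name: str, data: bytes) -> list:
    """Return the reasons an attachment is suspicious; an empty list means none."""
    reasons = []
    ext = _ext(name)
    if ext == "":
        reasons.append("no file extension")
    if ext == "zip":
        if data.startswith(ZIP_MAGIC):
            # A genuine archive: look at what it carries rather than at its own bytes.
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if _ext(info.filename) in SCRIPT_EXTS:
                            reasons.append("archive contains script: " + info.filename)
            except zipfile.BadZipFile:
                reasons.append("malformed ZIP archive")
            return reasons
        reasons.append("named .zip but lacks ZIP signature")
    if ext in SCRIPT_EXTS:
        reasons.append("script extension ." + ext)
    elif looks_like_script(data):
        reasons.append("content looks like script despite name")
    return reasons


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {filename: bytes} (used only for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, body in entries.items():
            zf.writestr(fname, body)
    return buf.getvalue()


# Constructed samples: a harmless PDF stub and a mock obfuscated script body.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"
SAMPLE_JS = (b"var s=String.fromCharCode(104,116,116,112);"
             b"function r(){var o=new ActiveXObject('WScript.Shell');}eval(s);")

SAMPLES = {
    "invoice_2211.pdf": SAMPLE_PDF,
    "invoice": SAMPLE_JS,                         # no extension
    "invoice.zip": SAMPLE_JS,                     # .zip name on a raw script
    "invoice_archive.zip": build_zip({"invoice.js": SAMPLE_JS}),
    "invoice.js": SAMPLE_JS,
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(f"{name:22s} {'OK' if not reasons else '; '.join(reasons)}")
```

The point of the design is that the file name is never trusted on its own: a real ZIP is opened and its members' names checked, while anything that is not a ZIP is judged by its bytes. Raising the marker threshold or adding markers is where this would be tuned for a real mail stream.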

There have been several iterations of TeslaCrypt; the latest, TeslaCrypt 2.2, encrypts the user’s files and appends a .VVV extension to their names.

“The file extension used changes regularly. For example, the previous TeslaCrypt version (2.1) used a file extension of .CCC,” it noted.

TeslaCrypt 2.2 was released on November 13, according to a user of Bleeping Computer, a computing-focussed forum that has reported extensively on file-encrypting malware.

Microsoft, whose anti-malware platform is the world’s most widely deployed, reported a surge in detections in August based on its telemetry data, prompting it to add TeslaCrypt to its Malicious Software Removal Tool (MSRT) in October.

Detections in that earlier wave, as in the current outbreak, dropped off after the initial spike but remained above pre-spike levels.

Danish security firm Heimdal on Friday reported it had also seen a “considerable increase in TeslaCrypt infections” in the past week, targeting companies in Northern Europe.

Symantec’s TeslaCrypt report corroborates Heimdal’s assertion that the main attack vector in the most recent outbreak is spam. Heimdal said encrypted files are renamed with .vvv and .zzz extensions.
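Because the extension changes between versions (.CCC, then .VVV, and .zzz in Heimdal's report), a detection keyed only on one extension goes stale quickly; what stays constant is the behaviour of one process renaming many files to such an extension in a short burst. The following is an added example, not code from the article, Symantec or Heimdal, showing that burst check over file-activity events. The event format, process and file names, the window and the threshold are all constructed assumptions for this example; in practice the events would come from whatever file-activity telemetry you already collect.

```python
"""Flag a process that renames many files to ransomware extensions in a short window.

Added example, not code from the article, Symantec or Heimdal. It watches for
the extensions the article names (.VVV for TeslaCrypt 2.2, .CCC for 2.1, and
.vvv/.zzz in Heimdal's report). The event format, the process and file names,
the window and the threshold are constructed assumptions for this example.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXTS = {".vvv", ".ccc", ".zzz"}   # extensions named in the article
WINDOW = timedelta(seconds=60)           # assumed tuning values for the example
THRESHOLD = 5


def parse_event(line: str):
    """Constructed format: '<ISO timestamp> <process image> <action> <path>'."""
    ts, proc, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, action, path


def is_ransom_rename(action: str, path: str) -> bool:
    return action in ("create", "rename") and os.path.splitext(path)[1].lower() in RANSOM_EXTS


def detect_bursts(lines) -> list:
    """Return one (process, burst_start, count) alert per process whose
    ransomware-extension writes reach THRESHOLD inside WINDOW."""
    recent = defaultdict(deque)   # process -> timestamps of its recent hits
    alerted = set()
    alerts = []
    for line in lines:
        ts, proc, action, path = parse_event(line)
        if not is_ransom_rename(action, path):
            continue
        q = recent[proc]
        q.append(ts)
        while ts - q[0] > WINDOW:   # slide the window forward
            q.popleft()
        if len(q) >= THRESHOLD and proc not in alerted:
            alerted.add(proc)
            alerts.append((proc, q[0], len(q)))
    return alerts


# Constructed events: one process encrypting a user's folders, plus background noise.
SAMPLE_EVENTS = [
    r"2015-12-07T09:14:01 C:\Users\dan\AppData\Local\Temp\dropper.exe rename C:\Users\dan\Documents\budget.xlsx.vvv",
    r"2015-12-07T09:14:02 C:\Windows\System32\notepad.exe create C:\Users\dan\Documents\notes.txt",
    r"2015-12-07T09:14:05 C:\Users\dan\AppData\Local\Temp\dropper.exe rename C:\Users\dan\Documents\tax return 2014.pdf.vvv",
    r"2015-12-07T09:14:09 C:\Users\dan\AppData\Local\Temp\dropper.exe rename C:\Users\dan\Documents\invoice_2211.docx.vvv",
    r"2015-12-07T09:14:13 C:\Users\dan\AppData\Local\Temp\dropper.exe rename C:\Users\dan\Pictures\holiday.jpg.vvv",
    r"2015-12-07T09:14:17 C:\Users\dan\AppData\Local\Temp\dropper.exe rename C:\Users\dan\Pictures\family.jpg.vvv",
    r"2015-12-07T09:14:21 C:\Users\dan\AppData\Local\Temp\dropper.exe rename C:\Users\dan\Documents\cv.docx.vvv",
    r"2015-12-07T09:20:00 C:\Windows\explorer.exe rename C:\Users\dan\Downloads\sample.zzz",
]

if __name__ == "__main__":
    for proc, start, count in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT {start.isoformat()} {proc}: {count} files renamed to "
              f"ransomware extensions within {WINDOW.seconds}s")
```

A single rename to .zzz by explorer.exe does not fire, which is the point of thresholding on rate per process rather than on the extension alone; adding the next extension the authors pick is a one-line change to RANSOM_EXTS.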

Heimdal recommended not paying the ransom if infected, backing up data to the cloud or an external drive, and never downloading or opening .zip attachments in email from unknown senders. A backup only helps if the ransomware cannot reach it: an external drive that stays connected, or a folder synced to the cloud, can be encrypted along with the originals.

As to who is behind the attacks, that is hard to tell, because the malware is rented out to anyone with criminal aspirations.

“TeslaCrypt is commodity malware and can be purchased on the underground black market. Attack groups pay TeslaCrypt’s authors for use of the platform and possibly also for access to various distribution channels, such as spam botnets or exploit kits. Because of this, it is difficult to identify any one perpetrator responsible,” Symantec noted.


Copyright © 2015 IDG Communications, Inc.
