id2957383castle538722100600887orig
Security

Attacks using TeslaCrypt ransomware intensify

Over the past two weeks security researchers have seen a surge in attacks using a file-encrypting ransomware program called TeslaCrypt, known for targeting gamers in the past.

TeslaCrypt first appeared in March and stood out because over 50 of the 185 file types it targeted were associated with computer games and related software, including game saves, custom maps, profiles, replays and mods -- content that users might have a hard time replacing.

In April researchers from Cisco found a weakness in TeslaCrypt's encryption routine and created a tool that could decrypt files affected by some versions of the program.

Since then, the ransomware program's authors have continued to refine it and started selling it on the underground market to other cybercriminals. However, the number of attacks have stayed relatively low until late November when security researchers from Symantec observed a significant change.

Over the past two weeks the number of TeslaCrypt infection attempts detected by Symantec went up from around 200 a day to 1,800, suggesting that one cybercriminal group is ramping up its use of this malicious program.

The group's preferred method of infection is through spam emails with malicious attachments. The subject lines of these emails begin with "ID," followed by a random number and a request related to alleged invoices, successful orders or wire transfers.

Judging by these topics, the attackers are targeting businesses -- a new trend for ransomware attacks in general that's fueled by businesses being more willing to pay to recover important files.

The malicious TeslaCrypt email attachments may include the words "invoice," "doc," or "info," but they actually contain heavily obfuscated JavaScript code designed to evade antivirus detection and download the ransomware program.

If the attack is successful, the program will encrypt all files with a strong encryption algorithm and will add the .VVV extension to them. It will also drop text and HTML ransom notes that instruct victims how to access Tor-hosted sites in order to pay the ransom.

"Given that this group using TeslaCrypt has been highly active in recent weeks, businesses and consumers should be on their guard, keep their security software regularly updated, and exercise caution when opening emails from unfamiliar sources," the Symantec researchers said in a blog post. "Users should also regularly back up any files stored on their computers. If a computer is compromised with ransomware, then these files can be restored once the malware is removed from the computer."

IDG Insider

PREVIOUS ARTICLE

« How Netflix plans to curb its massive thirst for bandwidth

NEXT ARTICLE

When will your phone get Android Marshmallow? Here's what we know so far »
author_image
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

Trump hits partial pause on Huawei ban, but 5G concerns persist

Phil Muncaster reports on China and beyond

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies

Poll

Do you think your smartphone is making you a workaholic?