New Version of TeslaCrypt Changes Encryption Scheme
by Dennis Fisher, July 14, 2015, 2:26 pm
A new version of the nasty TeslaCrypt ransomware is making the rounds, and the creators have added several new features, including an improved encryption scheme and some details designed to mimic CryptoWall.
TeslaCrypt is among the more recent variants of ransomware to emerge. The malware, which is a variant of CryptoLocker, is unusual in that it targets files from gaming platforms as well as other common file types. Version 2.0.0 of TeslaCrypt, discovered recently by researchers at Kaspersky Lab, no longer uses a typical GUI to show users the warning about their files being encrypted. Instead, the malware opens a page in the user’s browser to display a warning message that is taken directly from CryptoWall.
That change, researchers speculated, could be a way to make TeslaCrypt seem more intimidating.
“Why use this false front? We can only guess – perhaps the attackers wanted to impress the gravity of the situation on their victims: files encrypted by CryptoWall still cannot be decrypted, which is not true of many TeslaCrypt infections,” Fedor Sinitsyn of Kaspersky Lab wrote in an analysis of the new ransomware.
But the more significant modification in version 2.0.0 is the inclusion of an updated encryption method. TeslaCrypt, like many other ransomware variants, encrypts the files on victims’ machines and demands a payment in exchange for the decryption key. The payment typically must be made in Bitcoin, and the attackers behind crypto ransomware have been quite successful in running their scams: estimates of the revenue generated by variants such as CryptoLocker run into the millions of dollars per month.
Researchers have had some success in finding methods to decrypt files encrypted by ransomware, TeslaCrypt in particular. But the change to the malware’s encryption method may make that more difficult.
“The encryption scheme has been improved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm. The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone,” Sinitsyn said.
“Each file is encrypted using the AES-256-CBC algorithm with session_priv as a key. An encrypted file gets an additional extension, ‘.zzz’. A service structure is added to the beginning of the file, followed by encrypted file contents.”
The TeslaCrypt authors also removed the decryption mechanism in the malware that researchers were able to exploit in previous versions.
See more at: https://threatpost.com/new-version-of-teslacrypt-changes-encryption-scheme/113786#sthash.iec6Yax9.dpuf
Source: Threatpost.com