Ransomware program TeslaCrypt has infected several computers
18.12.2015 klo 13:46 - Updated 18.12.2015 klo 16:59
The ransomware program TeslaCrypt targets Microsoft Windows operating systems in PCs and encrypts the user's file contents using strong AES encryption.
It may also encrypt files on network drives and external hard drives connected to a computer and even in DropBox folders mapped as a drive letter if the user has write access to them. The program deletes all Shadow Volume copies of the files from the hard drive which makes restoring the files problematic.
The ransomware program prompts the victim with a ransom and claims to decrypt the files after the ransom is paid.
TeslaCrypt uses symmetric encryption which means that the same key can be used to decrypt and encrypt the files. In some TeslaCrypt versions of spring 2015, the victim could obtain the encryption key without paying the ransom. However, this vulnerability does not appear in more recent versions; the ransomware program sends the key to the cyber criminals before the victim realises the gravity of the situation.
The NCSC-FI has followed the TeslaCrypt situation closely and warned in early December that the malware is spread actively.
In December, the NCSC-FI has received daily several notifications about infections in Finland and the number continues to grow. However, all infections have probably not been even notified to the NCSC-FI.
Target group of the alert
- Users and administrators of Windows computers
- Persons responsible for information management and information security in organisations
Possible solutions and restrictive measures
Preventing and preparing for infections
The awareness of computer users is extremely important. Like many other malware programs, TeslaCrypt spreads via email attachments and cracked websites inserted with an exploit kit. It is advised not to open unexpected or suspicious emails or click links in suspicious emails or social media messages.
The NCSC-FI emphasises that prevention is crucial. It is important to back up files promptly on a regular basis.
Anti-malware software should also be updated regularly. Anti-malware programs detect and remove TeslaCrypt well provided that the signature base is updated and normal prevention features are activated.
The operating system and applications should be updated regularly. The exploit kits on websites exploit vulnerabilities found in programs on the victim's computer. If known vulnerabilities have been patched by installing the most recent versions of programs, infections are more unlikely.
Administrators of email systems or local area networks may filter suspicious attachments by using anti-malware software and intrusion prevention systems (IPS) as well as by quarantining suspicious attachments.
Email identifiers which may reveal the spreading of TeslaCrypt are listed below.
- Unpaid Invoice from Staples Inc., Ref. series of digits
- Your account has a debt and is past due
- Agri Basics invoice #<8 digits> and <7 digits>
- Reference Number #<8 digits>, Last Payment Notice
- timestamp of the sent message in the following format "11/29/2015 4:30:09 pm"
- invoice from passion beauty supply ltd
- your ticket order #<10 digits>
- approved new payment for tax refund #<8 digits>
- november invoice #<8 digits>
- scan_invoice_<8 digits>.zip
- invoice_<8 digits>_copy.doc
- invoice_<8 digits>_copy_.zip
- invoice_<8 digits>.zip
- tax_refund_<8 digits>.zip
- "love.zip" containing a file named "info.js"
- "img.zip" containing a file named "img.js"
- firstname_resume_<four digits>.zip
- task<10 digits>.zip
- <10 digits>.zip
The attachments may be named otherwise, too. The zip files always contain a malicious .js file.
Below is a recent picture of an email spreading TeslaCrypt.
Recovering from infection
It may be possible to recover from an infection. However, it always requires considerable measures.
- If the user has the skills and time, it is recommended to immediately shut down the infected computer and create a complete copy of the contents of the encrypted hard drives with an uninfected computer. This interrupts the encryption in case all files have not been encrypted yet. Then the user has time to try decryption methods that are available now or that may be developed in the future.
- The computer should be scanned with an updated anti-malware program. Anti-malware programs detect and remove TeslaCrypt. However, this does not decrypt the files.
- If the user has backups, they can be restored after the malware program has been removed.
- The user may also try to restore the files from Windows' Shadow Volume Copy. TeslaCrypt attempts to delete all Shadow Volume copies but it is not always able to do this.
- It may be possible to decrypt the files encrypted by some TeslaCrypt versions using free decrypters created for this purpose. One is provided by Cisco and another by BleepingComputer.
The NCSC-FI at FICORA recommends the victims not to pay the ransom. Paying the ransom encourages criminal activity and it does not guarantee decryption.
These infections should also be reported to the police.
- Ransomware TeslaCrypt spreads via email. (in Finnish) Information security now! 02/12/2015
- Malware may spread even without clicking - part 1. (in Finnish) Information security now! 17/09/2015
- Wave of CTB Locker malware in Finland - Do not open suspicious email attachments. (in Finnish) Information security now! 05/02/2015
- TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ. BleepingComputer's information guide [referred to on 18/12/2015]
- Major TeslaCrypt ransomware offensive underway. Symantec Security Response blog 14/12/2015
- Nemucod malware spreads ransomware Teslacrypt around the world. Eset's We live security blog 16/12/2015
- Security Alert: TeslaCrypt Infections Rise as Spam Campaign Hits Companies in Europe. Post by Heimdal Security 11/12/2015
- TeslaCrypt 2.0: Cyber Crime Malware Behavior, Capabilities and Communications. iSIGHT Partners' blog 16/09/2015
The Finnish Communications Regulatory Authority (FICORA)
The National Cyber Security Centre Finland (NCSC-FI)
Itämerenkatu 3 A
P.O. Box 313
Media contacts by telephone +358 295 390 248