Ransomware program TeslaCrypt has infected several computers

The number of TeslaCrypt infections has increased significantly in December. TeslaCrypt is a ransomware program that encrypts the files on a computer. All Windows computer users are advised to be cautious and alert when dealing with email attachments and web links. It is recommended to back up the files on a computer and to check that anti-malware software is updated and running.

Threat description of TeslaCrypt

The ransomware program TeslaCrypt targets Microsoft Windows operating systems in PCs and encrypts the user's file contents using strong AES encryption.

It may also encrypt files on network drives and external hard drives connected to the computer, and even in Dropbox folders mapped to a drive letter, if the user has write access to them. The program deletes all Shadow Volume Copies of the files from the hard drive, which makes restoring the files problematic.

The ransomware program prompts the victim with a ransom and claims to decrypt the files after the ransom is paid.

TeslaCrypt uses symmetric encryption which means that the same key can be used to decrypt and encrypt the files. In some TeslaCrypt versions of spring 2015, the victim could obtain the encryption key without paying the ransom. However, this vulnerability does not appear in more recent versions; the ransomware program sends the key to the cyber criminals before the victim realises the gravity of the situation.

The NCSC-FI has followed the TeslaCrypt situation closely and warned in early December that the malware is being spread actively.

In December, the NCSC-FI has received several notifications daily about infections in Finland, and the number continues to grow. However, probably not all infections have been reported to the NCSC-FI.

Target group of the alert

  • Users and administrators of Windows computers
  • Persons responsible for information management and information security in organisations

Possible solutions and restrictive measures

Preventing and preparing for infections

The awareness of computer users is extremely important. Like many other malware programs, TeslaCrypt spreads via email attachments and via compromised websites into which an exploit kit has been inserted. It is advised not to open unexpected or suspicious emails, and not to click links in suspicious emails or social media messages.

The NCSC-FI emphasises that prevention is crucial. It is important to back up files promptly on a regular basis.

Anti-malware software should also be updated regularly. Anti-malware programs detect and remove TeslaCrypt well provided that the signature base is updated and normal prevention features are activated.

The operating system and applications should be updated regularly. The exploit kits on websites exploit vulnerabilities found in programs on the victim's computer. If known vulnerabilities have been patched by installing the most recent versions of programs, infections are less likely.

Administrators of email systems or local area networks may filter suspicious attachments by using anti-malware software and intrusion prevention systems (IPS) as well as by quarantining suspicious attachments.

Email identifiers which may reveal the spreading of TeslaCrypt are listed below.

Email subjects:
  • Unpaid Invoice from Staples Inc., Ref. series of digits
  • Your account has a debt and is past due
  • Agri Basics invoice #<8 digits> and <7 digits>
  • Reference Number #<8 digits>, Last Payment Notice
  • timestamp of the sent message in the following format "11/29/2015 4:30:09 pm"
  • invoice from passion beauty supply ltd
  • your ticket order #<10 digits>
  • approved new payment for tax refund #<8 digits>
  • november invoice #<8 digits>

New different subjects appear constantly.

Names of email attachments:
  • scan_invoice_<8 digits>.zip
  • invoice_<8 digits>_copy.doc
  • invoice_<8 digits>_copy_.zip
  • invoice_<8 digits>.zip
  • tax_refund_<8 digits>.zip
  • "love.zip" containing a file named "info.js"
  • "img.zip" containing a file named "img.js"
  • doc.zip
  • live.zip
  • statement.zip
  • part1.zip
  • firstname_resume_<four digits>.zip
  • task<10 digits>.zip
  • <10 digits>.zip

The attachments may be named otherwise, too. The zip files always contain a malicious .js file.
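As an added example of the mail filtering described in this section (not the NCSC-FI's code), the following Python script turns the subject and attachment-name indicators listed above into a triage routine a mail administrator could run over incoming messages. It flags a message when the subject matches one of the listed patterns, when an attachment name matches one of the listed names, or when a zip attachment contains a .js file, which the advisory says the zip files always do. The sample messages, the sender and recipient addresses, and the zip contents are all constructed for the demonstration; the placeholders "<8 digits>" and similar are rendered as fixed-length digit runs, and "firstname" as a run of letters.

```python
"""Triage of email messages against the TeslaCrypt lure indicators from the
advisory. Added example, not NCSC-FI code; the sample messages are constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject patterns from the advisory; "<8 digits>" etc. become \d{8} etc.
SUBJECT_PATTERNS = [
    r"^unpaid invoice from staples inc\., ref\. \d+$",
    r"^your account has a debt and is past due$",
    r"^agri basics invoice #\d{8} and \d{7}$",
    r"^reference number #\d{8}, last payment notice$",
    r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [ap]m$",  # e.g. 11/29/2015 4:30:09 pm
    r"^invoice from passion beauty supply ltd$",
    r"^your ticket order #\d{10}$",
    r"^approved new payment for tax refund #\d{8}$",
    r"^november invoice #\d{8}$",
]
# Attachment names from the advisory; "firstname" is rendered as a run of letters.
ATTACHMENT_PATTERNS = [
    r"^scan_invoice_\d{8}\.zip$",
    r"^invoice_\d{8}_copy\.doc$",
    r"^invoice_\d{8}_copy_\.zip$",
    r"^invoice_\d{8}\.zip$",
    r"^tax_refund_\d{8}\.zip$",
    r"^(love|img|doc|live|statement|part1)\.zip$",
    r"^[a-z]+_resume_\d{4}\.zip$",
    r"^task\d{10}\.zip$",
    r"^\d{10}\.zip$",
]
SUBJECT_RES = [re.compile(p, re.IGNORECASE) for p in SUBJECT_PATTERNS]
ATTACHMENT_RES = [re.compile(p, re.IGNORECASE) for p in ATTACHMENT_PATTERNS]


def subject_matches(subject: str) -> bool:
    """True if the subject line matches one of the listed lure subjects."""
    return any(r.match(subject.strip()) for r in SUBJECT_RES)


def attachment_name_matches(name: str) -> bool:
    """True if the attachment file name matches one of the listed lure names."""
    return any(r.match(name.strip()) for r in ATTACHMENT_RES)


def scripts_in_zip(data: bytes) -> list:
    """Names of .js members inside a zip payload; [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".js")]
    except zipfile.BadZipFile:
        return []


def triage(raw_message: bytes) -> list:
    """Return the list of reasons a message should be quarantined ([] = clean)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    subject = msg.get("Subject", "")
    if subject_matches(subject):
        reasons.append("subject: " + subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if attachment_name_matches(name):
            reasons.append("attachment-name: " + name)
        if name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            for script in scripts_in_zip(payload):
                reasons.append("zip-script: %s -> %s" % (name, script))
    return reasons


def build_sample(subject: str, attachment_name: str, inner_name: str) -> bytes:
    """Constructed test message with a zip attachment holding one inert file."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr(inner_name, "// constructed placeholder content, not malware\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"   # constructed sender
    msg["To"] = "user@example.org"        # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("your ticket order #1234567890", "love.zip", "info.js")
    benign = build_sample("Meeting notes", "notes.zip", "notes.txt")
    print(triage(lure))    # three reasons: subject, attachment name, .js inside zip
    print(triage(benign))  # []
```

The name and subject checks catch the lures listed today; the zip-content check is the more durable of the three, since the advisory notes that new subjects and attachment names appear constantly while the zip files always carry a .js file.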

Below is a recent picture of an email spreading TeslaCrypt.


Recovering from infection

It may be possible to recover from an infection. However, it always requires considerable effort.

  • If the user has the skills and time, it is recommended to shut down the infected computer immediately and to create a complete copy of the contents of the encrypted hard drives using an uninfected computer. This interrupts the encryption if not all files have been encrypted yet. The user then has time to try the decryption methods that are available now or that may be developed in the future.
  • The computer should be scanned with an updated anti-malware program. Anti-malware programs detect and remove TeslaCrypt. However, this does not decrypt the files.
  • If the user has backups, they can be restored after the malware program has been removed.
  • The user may also try to restore the files from Windows Shadow Volume Copies. TeslaCrypt attempts to delete all Shadow Volume Copies, but it is not always able to do this.
  • It may be possible to decrypt the files encrypted by some TeslaCrypt versions using free decrypters created for this purpose. One is provided by Cisco and another by BleepingComputer.

The NCSC-FI at FICORA recommends that victims do not pay the ransom. Paying the ransom encourages criminal activity, and it does not guarantee decryption.

These infections should also be reported to the police.

Key words: Information security, Encryption, Hoax, Malware, Spam, Alerts


The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313

FI-00180 HELSINKI


Media contacts by telephone +358 295 390 248