Security researchers have found a new variant of the TeslaCrypt ransomware that uses stronger encryption, leaving victims with no practical way to recover their files without the attackers' key. Here's what you need to know.
TeslaCrypt first appeared a year ago and initially targeted PC gamers, but it has since evolved to attack businesses and individuals alike. The newest version, TeslaCrypt 4.0, has been beefed up to use RSA-4096, so the files it encrypts cannot be recovered by attacking the encryption itself. Larger files, which earlier versions of TeslaCrypt struggled to encrypt, can now be encrypted as well.
Alongside the stronger encryption, TeslaCrypt 4.0 also sends more files from the infected device back to the cybercriminals than its predecessors did. Files encrypted by this variant cannot be decrypted with the TeslaDecoder tool that worked against earlier versions.
According to Heimdal Security researchers, a TeslaCrypt 4.0 infection can be recognised by the following indicators of compromise. The ransomware drops these files:

%UserProfile%\Desktop\RECOVER[%5 random signs%].html
%UserProfile%\Desktop\RECOVER[%5 random signs%].png
%UserProfile%\Desktop\RECOVER[%5 random signs%].txt
%UserProfile%\Documents\[random file name].exe
%UserProfile%\Documents\recover_file.txt

It also creates the following value under the current user's Run key, so that the dropped executable is launched at every logon:

Value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_[random name]
Data: C:\Windows\SYSTEM32\CMD.EXE /C START %user account%\Documents\[random name].exe
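The indicators above translate directly into a triage check. The script below is an added example, not code from the original article or from Heimdal Security: it matches a list of file paths and Run-key values against the ransom-note, dropper and persistence patterns and reports what it found. The sample paths and Run values are constructed for the example, and treating the "5 random signs" as alphanumeric characters is an assumption made here, since the page does not say which characters the name contains.

```python
"""Match TeslaCrypt 4.0 host indicators (ransom notes, dropper, Run-key
persistence) against file paths and Run-key values collected from a host."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# %UserProfile%\Desktop\RECOVER<5 random chars>.{html,png,txt}
# Assumption: the five random characters are alphanumeric.
NOTE_RE = re.compile(
    r"\\Desktop\\RECOVER(?P<id>[A-Za-z0-9]{5})\.(?P<ext>html|png|txt)$",
    re.IGNORECASE,
)
# %UserProfile%\Documents\recover_file.txt
RECOVER_FILE_RE = re.compile(r"\\Documents\\recover_file\.txt$", re.IGNORECASE)
# Run value data: ...\CMD.EXE /C START <profile>\Documents\<random>.exe
RUN_DATA_RE = re.compile(
    r"^.*\\CMD\.EXE\s+/C\s+START\s+(?P<target>.*\\Documents\\[^\\]+\.exe)\s*$",
    re.IGNORECASE,
)

# Constructed sample data, as a collection script might gather it from a host.
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\RECOVERk3x9q.html",
    r"C:\Users\alice\Desktop\RECOVERk3x9q.png",
    r"C:\Users\alice\Desktop\RECOVERk3x9q.txt",
    r"C:\Users\alice\Documents\recover_file.txt",
    r"C:\Users\alice\Documents\xqzt.exe",
    r"C:\Users\alice\Desktop\budget.xlsx",
    r"C:\Users\alice\Desktop\RECOVERY_PLAN.txt",  # benign: wrong shape
]
SAMPLE_RUN_VALUES = {
    "_a1b2c3": r"C:\Windows\SYSTEM32\CMD.EXE /C START C:\Users\alice\Documents\xqzt.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}


def classify_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (indicator, detail) if the path matches an IoC, else None.
    For ransom notes the detail is the 5-character note id, so that the
    .html/.png/.txt triplet can be corroborated as one set."""
    m = NOTE_RE.search(path)
    if m:
        return ("ransom_note", m.group("id").lower())
    if RECOVER_FILE_RE.search(path):
        return ("recover_file", path)
    return None


def run_value_dropper(name: str, data: str) -> Optional[str]:
    """Return the .exe launched by a Run value that matches the persistence
    IoC (name starting with '_', CMD.EXE /C START of a Documents\\*.exe)."""
    if not name.startswith("_"):
        return None
    m = RUN_DATA_RE.match(data)
    return m.group("target") if m else None


def scan(paths: Iterable[str], run_values: Dict[str, str]) -> Dict[str, object]:
    """Evaluate all indicators and return a summary dictionary."""
    path_list = list(paths)
    notes: List[str] = []
    note_ids: Set[str] = set()
    recover_file = False
    for p in path_list:
        hit = classify_path(p)
        if hit is None:
            continue
        kind, detail = hit
        if kind == "ransom_note":
            notes.append(p)
            note_ids.add(detail)
        else:
            recover_file = True
    persistence: List[Tuple[str, str]] = []
    for name, data in run_values.items():
        target = run_value_dropper(name, data)
        if target:
            persistence.append((name, target))
    # Cross-check: does the executable the Run value points at actually exist?
    known = {p.lower() for p in path_list}
    dropper_present = [t for _, t in persistence if t.lower() in known]
    return {
        "notes": notes,
        "note_ids": note_ids,
        "recover_file": recover_file,
        "persistence": persistence,
        "dropper_present": dropper_present,
        "suspected": bool(notes) or recover_file or bool(persistence),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_PATHS, SAMPLE_RUN_VALUES).items():
        print(f"{key}: {value}")
```

On a live Windows host the inputs would come from walking the user's Desktop and Documents folders with os.walk and from reading HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the standard winreg module; matching three notes that share one id plus a Run value whose target exists on disk gives a much stronger signal than any single hit.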
If you are unfortunate enough to be hit by TeslaCrypt, we hope you have backed up your precious data. Your only options are to restore from a backup the ransomware could not reach, or to pay the ransom, which most security experts recommend against.
[Via Heimdal Security]