
New TeslaCrypt Ransomware sets its scope on video gamers


264 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,425 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:47 PM

Posted 27 February 2015 - 12:00 PM

A guide on TeslaCrypt and Alpha Crypt is now available at this link:

TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

This guide contains all known information about these ransomware.


Update: 05/18/16

TeslaCrypt has closed its doors and released the master decrypt key. BloodDolly has already updated his tool so it can now decrypt all files encrypted by TeslaCrypt 3.0 and 4.x. More info here:

http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/


 

A new ransomware called TeslaCrypt was discovered by Fabian Wosar of Emsisoft that encrypts your files using AES encryption and then demands a ransom payment in order to decrypt your files. What makes TeslaCrypt different than other ransomware is its attempt to cash in on the $81 billion game market by placing a strong emphasis on encrypting video game related files. Unlike other ransomware that typically target images, documents, videos, and application databases, TeslaCrypt also targets over 40 different video game related files. The game files being targeted belong to games such as RPG Maker, Call of Duty, Dragon Age, StarCraft, MineCraft, World of Warcraft, World of Tanks, and Steam.
 



[Image: game-listing.jpg]


Another major difference with this ransomware is that for the first time this type of infection not only accepts bitcoins as a ransom payment, but also accepts PayPal My Cash cards. PayPal My Cash cards are cards that can be purchased at popular US store chains and then filled with money that can then be transferred to a PayPal account using the PIN on the card. Paying the ransom with PayPal My Cash cards, though, comes at a premium of $1,000, while paying the ransom with bitcoins is half that price at $500 USD. This higher price for using the Cash cards is probably due to the higher risk of the illegal gains being confiscated by PayPal.
 

[Image: paypal-thumb.jpg]


At this point it is unknown as to how TeslaCrypt is distributed, but once a computer is infected it will scan all drives on a computer and encrypt certain file types using AES encryption. Any files that are encrypted will have the .ecc extension added to the end of the filename. The file types encrypted by the TeslaCrypt ransomware are:
 
.7z;.rar;.m4a;.wma;.avi;.wmv;.csv;.d3dbsp;.sc2save;.sie;.sum;.ibank;.t13;.t12;.qdf;.gdb;.tax;.pkpass;.bc6;.bc7;.bkp;.qic;.bkf;.sidn;.sidd;.mddata;.itl;.itdb;.icxs;.hvpl;.hplg;.hkdb;.mdbackup;.syncdb;.gho;.cas;.svg;.map;.wmo;.itm;.sb;.fos;.mcgame;.vdf;.ztmp;.sis;.sid;.ncf;.menu;.layout;.dmp;.blob;.esm;.001;.vtf;.dazip;.fpk;.mlx;.kf;.iwd;.vpk;.tor;.psk;.rim;.w3x;.fsh;.ntl;.arch00;.lvl;.snx;.cfr;.ff;.vpp_pc;.lrf;.m2;.mcmeta;.vfs0;.mpqge;.kdb;.db0;.DayZProfile;.rofl;.hkx;.bar;.upk;.das;.iwi;.litemod;.asset;.forge;.ltx;.bsa;.apk;.re4;.sav;.lbf;.slm;.bik;.epk;.rgss3a;.pak;.big;.unity3d;.wotreplay;.xxx;.desc;.py;.m3u;.flv;.js;.css;.rb;.png;.jpeg;.txt;.p7c;.p7b;.p12;.pfx;.pem;.crt;.cer;.der;.x3f;.srw;.pef;.ptx;.r3d;.rw2;.rwl;.raw;.raf;.orf;.nrw;.mrwref;.mef;.erf;.kdc;.dcr;.cr2;.crw;.bay;.sr2;.srf;.arw;.3fr;.dng;.jpe;.jpg;.cdr;.indd;.ai;.eps;.pdf;.pdd;.psd;.dbfv;.mdf;.wb2;.rtf;.wpd;.dxg;.xf;.dwg;.pst;.accdb;.mdb;.pptm;.pptx;.ppt;.xlk;.xlsb;.xlsm;.xlsx;.xls;.wps;.docm;.docx;.doc;.odb;.odc;.odm;.odp;.ods;.odt;
Unlike other ransomware, TeslaCrypt pays peculiar attention to files used by popular games such as Dragon Age, Call of Duty, StarCraft 2, RPG Maker, World of Warcraft, World of Tanks, Minecraft, DayZ, and League of Legends. This targeting of video game related files is a new development in ransomware. Once all of your data has been encrypted, it will run the following command to delete all Shadow Volume Copies and restore points from your computer. This is done so you are unable to restore your data from System Restore Points.
 
vssadmin delete shadows /all
Finally, the ransomware will change your Desktop wallpaper to a ransom note and create another ransom note called HELP_TO_DECRYPT_YOUR_FILES.txt on your desktop. A lock screen will then appear that explains your data was encrypted and that you have 3 days to make payment. This lock screen contains buttons that allow you to check whether a payment has been accepted, the ability to enter your decryption keys, and a link to a TOR payment site where you can perform a free file decryption as a test.
 

[Image: teslacrypt-screen.jpg]


TeslaCrypt's TOR site provides instructions on how you can make your ransom payment in bitcoins or PayPal My Cash Cards. The site also allows you to decrypt one file for free to prove that they can indeed decrypt your files. Last, but not least, the site includes a message system that allows a victim to communicate privately with the malware developers.
 

[Image: decryption-site-main-page.jpg]


Unfortunately, at this time there is no known method of decrypting your files for free. As always we recommend that you do not pay the ransom if you can avoid it. Instead restore files from a backup or try restoring your files using Shadow Explorer or with a file recovery tool like R-Studio, Photorec, or Recuva. None of these restoration methods are guaranteed to work, but it is worth trying as people have reported success with malware like TeslaCrypt in the past.

If you have any questions, please feel free to post them here.

Known TeslaCrypt Ransomware Files:
 
%AppData%\<random>.exe
%AppData%\key.dat
%AppData%\log.html
%Desktop%\CryptoLocker.lnk
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.bmp
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.txt
Known TeslaCrypt Ransomware Registry keys:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\crypto13	%AppData%\<random>.exe
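A triage helper for the indicators listed in this post, added here as an example; it is not code from the original post or from BleepingComputer. It classifies files under a directory as already encrypted (the .ecc suffix), exposed (extension on the targeted list above) or a ransom note (the file names above), flags process command lines that match the vssadmin shadow-deletion command, and, on Windows only, checks whether the crypto13 value exists under the HKCU Run key. The sample directory contents, the log lines and the executable name xkqzr.exe are constructed for the demonstration.

```python
"""Triage helper for the TeslaCrypt indicators described in the post above.

Added example, not code from the original post or from BleepingComputer.
The extension list, .ecc suffix, note names, vssadmin command and crypto13
Run value come from the post; sample files, log lines and the executable
name xkqzr.exe are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Targeted extension list as quoted in the post, split over several lines.
TARGET_EXTENSIONS_RAW = (
    ".7z;.rar;.m4a;.wma;.avi;.wmv;.csv;.d3dbsp;.sc2save;.sie;.sum;.ibank;.t13;.t12;.qdf;.gdb;.tax;"
    ".pkpass;.bc6;.bc7;.bkp;.qic;.bkf;.sidn;.sidd;.mddata;.itl;.itdb;.icxs;.hvpl;.hplg;.hkdb;"
    ".mdbackup;.syncdb;.gho;.cas;.svg;.map;.wmo;.itm;.sb;.fos;.mcgame;.vdf;.ztmp;.sis;.sid;.ncf;"
    ".menu;.layout;.dmp;.blob;.esm;.001;.vtf;.dazip;.fpk;.mlx;.kf;.iwd;.vpk;.tor;.psk;.rim;.w3x;"
    ".fsh;.ntl;.arch00;.lvl;.snx;.cfr;.ff;.vpp_pc;.lrf;.m2;.mcmeta;.vfs0;.mpqge;.kdb;.db0;"
    ".DayZProfile;.rofl;.hkx;.bar;.upk;.das;.iwi;.litemod;.asset;.forge;.ltx;.bsa;.apk;.re4;.sav;"
    ".lbf;.slm;.bik;.epk;.rgss3a;.pak;.big;.unity3d;.wotreplay;.xxx;.desc;.py;.m3u;.flv;.js;.css;"
    ".rb;.png;.jpeg;.txt;.p7c;.p7b;.p12;.pfx;.pem;.crt;.cer;.der;.x3f;.srw;.pef;.ptx;.r3d;.rw2;"
    ".rwl;.raw;.raf;.orf;.nrw;.mrwref;.mef;.erf;.kdc;.dcr;.cr2;.crw;.bay;.sr2;.srf;.arw;.3fr;.dng;"
    ".jpe;.jpg;.cdr;.indd;.ai;.eps;.pdf;.pdd;.psd;.dbfv;.mdf;.wb2;.rtf;.wpd;.dxg;.xf;.dwg;.pst;"
    ".accdb;.mdb;.pptm;.pptx;.ppt;.xlk;.xlsb;.xlsm;.xlsx;.xls;.wps;.docm;.docx;.doc;.odb;.odc;"
    ".odm;.odp;.ods;.odt;"
)
TARGET_EXTENSIONS = {e.lower() for e in TARGET_EXTENSIONS_RAW.split(";") if e}

ENCRYPTED_SUFFIX = ".ecc"          # appended to every encrypted file
RANSOM_NOTE_NAMES = {              # dropped on the Desktop per the post
    "help_to_decrypt_your_files.txt",
    "help_to_decrypt_your_files.bmp",
    "cryptolocker.lnk",
}
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "crypto13"

# Matches "vssadmin delete shadows ..." regardless of path, .exe suffix, case or
# extra switches (/all, /for=, /quiet); "vssadmin list shadows" does not match.
_SHADOW_DELETE_RE = re.compile(
    r"(?:^|[\\/\s\"'])vssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b",
    re.IGNORECASE | re.DOTALL,
)


def is_shadow_deletion(command_line: str) -> bool:
    """True if the command line deletes Volume Shadow Copies via vssadmin."""
    return bool(_SHADOW_DELETE_RE.search(command_line))


def find_shadow_deletions(log_lines):
    """Return the process-creation records that contain a shadow deletion."""
    return [line for line in log_lines if is_shadow_deletion(line)]


def triage_tree(root):
    """Classify files under root as encrypted, exposed, or ransom note."""
    result = {"encrypted": [], "exposed": [], "ransom_notes": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in RANSOM_NOTE_NAMES:
            result["ransom_notes"].append(str(path))
        elif name.endswith(ENCRYPTED_SUFFIX):
            result["encrypted"].append(str(path))   # e.g. report.docx.ecc
        elif path.suffix.lower() in TARGET_EXTENSIONS:
            result["exposed"].append(str(path))     # would be hit by a sweep
    return result


def run_key_has_teslacrypt_value():
    """Windows only: True/False if HKCU Run holds a crypto13 value; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
            winreg.QueryValueEx(key, RUN_VALUE_NAME)
            return True
    except FileNotFoundError:
        return False


def build_sample_tree():
    """Constructed directory tree standing in for a partly encrypted machine."""
    root = tempfile.mkdtemp(prefix="teslacrypt-triage-")
    for rel in (
        "saves/game1.sav.ecc",                    # already encrypted save game
        "saves/game2.sav",                        # targeted, not yet touched
        "docs/report.docx.ecc",                   # already encrypted document
        "docs/notes.txt",                         # targeted, not yet touched
        "Desktop/HELP_TO_DECRYPT_YOUR_FILES.txt", # ransom note
        "bin/app.exe",                            # .exe is not on the list
    ):
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample content")
    return root


# Constructed process-creation records (not real telemetry).
SAMPLE_PROCESS_LOG = [
    r'ParentImage=C:\Users\victim\AppData\Roaming\xkqzr.exe CommandLine="vssadmin delete shadows /all"',
    r'ParentImage=C:\Windows\explorer.exe CommandLine="vssadmin list shadows"',
    r'ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe C:\notes.txt"',
]

if __name__ == "__main__":
    summary = triage_tree(build_sample_tree())
    for kind, paths in summary.items():
        print(f"{kind}: {len(paths)}")
    print("shadow deletions:", find_shadow_deletions(SAMPLE_PROCESS_LOG))
    print("crypto13 Run value present:", run_key_has_teslacrypt_value())
```

The "exposed" bucket is the useful output for a defender who has caught the infection mid-sweep: it lists what a backup or an offline copy should prioritise. The command-line matcher is deliberately loose about the executable path and switches so that `vssadmin list shadows`, a normal administrative command, is not flagged while any variant of the deletion is.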




#2 zingo156

zingo156

  • BC Advisor
  • 3,318 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:47 PM

Posted 27 February 2015 - 12:21 PM

With this:

HELP_TO_DECRYPT_YOUR_FILES
and the decrypt 1 file for free, this sounds like a newer version of Cryptowall to me, or rather it may be written by the same criminals.

 

Out of the gamers I know, the only ones that might care enough about their game data to pay might be the World of Warcraft players, though I am not certain how much of that is actually stored locally vs on the cloud. I have no idea how WOW player saves work.

 

Interesting tactic, and this just further enforces the fact that ransomware is here to stay.

 

Thanks for the post Grinler.


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#3 Angoid

Angoid

  • Security Colleague
  • 177 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:47 AM

Posted 27 February 2015 - 12:22 PM

I like the date on which they say the private key will be destroyed on .... 29/02/2015.

 

If they have made a simple mistake like that, then what else have they botched?


If you don't know what eschatology is then don't worry; it's not the end of the world.

Getting nowhere at Warp Factor 10

Personal member of UNITE


#4 zingo156

zingo156

  • BC Advisor
  • 3,318 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:47 PM

Posted 27 February 2015 - 12:24 PM

I like the date on which they say the private key will be destroyed on .... 29/02/2015.

 

If they have made a simple mistake like that, then what else have they botched?

Date formats often vary by country, it could be a mistake.

 

http://en.wikipedia.org/wiki/Date_format_by_country


Edited by zingo156, 27 February 2015 - 12:25 PM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#5 Aura

Aura

    Bleepin' Special Ops Tech Warrior


  • Malware Study Hall Senior
  • 15,075 posts
  • OFFLINE
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:11:47 PM

Posted 27 February 2015 - 12:42 PM

I don't understand what's the point of encrypting online games files such as League of Legends. That game isn't even local on a system, so even if its files get encrypted, you could simply uninstall and reinstall it and the problem would be solved. I can understand for Steam I guess (... or not, since you could uninstall every game and reinstall them, however some of them have local files for game saves and such) but for other online games, like World of Warcraft, there's no point.

Help BleepingComputer Defend Freedom of Speech
Member of the Bleeping Computer A.I.I. early response team!
Technical Support, Tier 2 | Sysnative Windows Update Junior Analyst | Malware Hunter | R&D at Certly
My timezone UTC-05:00 (East. Coast), so if I'm assisting you in a thread, and I've not been online for a while, please check the time to see if I'm awake or asleep!


#6 pmacnayr

pmacnayr

  • Members
  • 3 posts
  • OFFLINE
  • Local time:10:47 PM

Posted 27 February 2015 - 12:42 PM

Take a closer look at the date :whistle:

 

I like the date on which they say the private key will be destroyed on .... 29/02/2015.

 

If they have made a simple mistake like that, then what else have they botched?

Date formats often vary by country, it could be a mistake.

 

http://en.wikipedia.org/wiki/Date_format_by_country

 



#7 zingo156

zingo156

  • BC Advisor
  • 3,318 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:47 PM

Posted 27 February 2015 - 12:44 PM

 

Take a closer look at the date :whistle:

 

I like the date on which they say the private key will be destroyed on .... 29/02/2015.

 

If they have made a simple mistake like that, then what else have they botched?

Date formats often vary by country, it could be a mistake.

 

http://en.wikipedia.org/wiki/Date_format_by_country

 

 

Ha, I see it now! They must have been thinking about 2016, for the leap year.


Edited by zingo156, 27 February 2015 - 12:46 PM.

If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#8 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,425 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:47 PM

Posted 27 February 2015 - 12:45 PM

I don't understand what's the point of encrypting online games files such as League of Legends. That game isn't even local on a system, so even if its files get encrypted, you could simply uninstall and reinstall it and the problem would be solved. I can understand for Steam I guess (... or not, since you could uninstall every game and reinstall them, however some of them have local files for game saves and such) but for other online games, like World of Warcraft, there's no point.


Don't know much about LoL, but the rest is save games and replay videos.

#9 calgary11

calgary11

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:47 PM

Posted 27 February 2015 - 12:55 PM

I can't believe they now have a message center. Maybe we will be able to purchase annual maintenance soon :)



#10 Aura

Aura

    Bleepin' Special Ops Tech Warrior


  • Malware Study Hall Senior
  • 15,075 posts
  • OFFLINE
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:11:47 PM

Posted 27 February 2015 - 12:58 PM

Well World of Warcraft, League of Legends, The Elder Scrolls, Call of Duty are all online games with close to none (or none) local content on a system. I can understand that game captures (screenshots, videos, etc.) would be encrypted, but wouldn't they be encrypted by default since they are of "image" and "video" types? I'm not saying anything against that Cryptoware, except that they should all be stopped, disrupted, etc. but for the creators of these to target games that are 100% online, I don't see the point in it except to annoy the user by forcing a reinstallation :P

Help BleepingComputer Defend Freedom of Speech
Member of the Bleeping Computer A.I.I. early response team!
Technical Support, Tier 2 | Sysnative Windows Update Junior Analyst | Malware Hunter | R&D at Certly
My timezone UTC-05:00 (East. Coast), so if I'm assisting you in a thread, and I've not been online for a while, please check the time to see if I'm awake or asleep!


#11 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,425 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:11:47 PM

Posted 27 February 2015 - 01:17 PM

Agreed...some of them make no sense, others though are save games and replay files which are not saved online.

Regardless, if you are infected with this, all the rest of your data is still encrypted, so you're SOL unfortunately.

#12 Demonslay335

Demonslay335

  • Security Colleague
  • 1,612 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:47 PM

Posted 27 February 2015 - 02:20 PM

Thanks for the heads-up, I've notified my colleagues to watch out for this new targeting (for customers and ourselves alike). We're imagining it would hit streamers pretty bad; could you imagine the decrypt ransom note popping up on someone while they were streaming? Talk about embarrassing. I do wonder what it would do while a game is in session during the encryption sweep - maybe if you are still in the game, and it encrypts, you would then save and exit and it would overwrite the encrypted one... all about the timing and luck I guess.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]


#13 BlackHawk1

BlackHawk1

  • Members
  • 34 posts
  • OFFLINE
  • Local time:10:47 PM

Posted 27 February 2015 - 07:09 PM

What are the most common methods of infection for this and Cryptowall? Email? Browser injection or what? I talked to a man today that got nailed with Cryptowall v3 and he has no idea how he got it.



#14 RobertHD

RobertHD

  • Members
  • 348 posts
  • OFFLINE
  • Gender:Male
  • Location:Somewhere in Oz
  • Local time:02:17 PM

Posted 27 February 2015 - 08:00 PM

Another Infection!!!

 

I am going to update my Antivirus Software


Robert James Crawley Klopp


#15 Jman005

Jman005

  • Malware Study Hall Junior
  • 223 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:47 PM

Posted 27 February 2015 - 08:17 PM

 

%Desktop%\CryptoLocker.lnk

Seems to ring a bell......

 

 

I think every new ransom is now just some kind of cryptolocker modification as its encryption method was one of the hardest to decrypt yet. Although it wouldn't make much sense to just modify an encryption method that already has a decryption as it'll just take a few weeks or even days to get the method for the modification, I guess they still get a pretty good wad of cash.........


Edited by Jman005, 28 February 2015 - 10:52 AM.




