
After Spike in Windows Infections, Microsoft Steps In to tackle TeslaCrypt.


9 replies to this topic

#1 CodeSmasha

CodeSmasha

  • Banned
  • 524 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 AM

Posted 14 October 2015 - 06:03 AM

After a recent spike in Windows infections, Microsoft released a tool for thousands of Windows machines that were infected in August by the notorious TeslaCrypt ransomware, along with yesterday's Patch Tuesday updates. Microsoft also updated its Malicious Malware Removal Tool to tackle TeslaCrypt, or Tescrypt as it refers to it.

 

Microsoft's Windows telemetry data picked up a large spike in detections for TeslaCrypt in late August, jumping from below 1,000 detections per day earlier that month to over 3,500 on August 24.

"After the spike, detections spiked and fell but overall have remained higher than before that first peak in late August," Microsoft noted.

The malware is typically delivered in the payload of several exploit kits, including Angler, the estimated $60m-a-year automated hacking operation that Cisco disrupted earlier this month.

 

The August spike coincided with a report from security firm Malwarebytes detailing a widespread ad-malware, or malvertising, campaign in late August, which served up the Angler exploit kit to visitors of a number of popular news websites, including Microsoft's MSN.com.

 

TeslaCrypt appeared on the radar in early 2015, gaining notoriety for targeting gamers. After an infection, TeslaCrypt searches for specific file types and then encrypts them with AES 256 encryption and demands payment in Bitcoin in exchange for a key to unlock the files.

As Microsoft notes, what separates TeslaCrypt from other ransomware is that it also targets files related to financial and tax software.

 

 

Microsoft's September data shows that the US has the largest number of TeslaCrypt infections, accounting for 39 percent, followed by the UK, which represents 6.5 percent, and Canada at 5.9 percent.

The addition of TeslaCrypt to Microsoft's malware removal tool offers an additional rescue option alongside the decryption tool that Cisco's Talos security group and another rescue kit released in May.

However, Microsoft noted that earlier variants of TeslaCrypt stored the private key as a file on the machine itself, allowing victims to use Cisco's Talos TeslaCrypt Decryption Tool to decrypt their files with the locally-stored private key.

But recent variants store the key in the registry as binary data, it added. This shift in tactic was noted by Kaspersky in a detailed report on TeslaCrypt version 2.0, which presents itself to victims as CryptoWall - probably, Kaspersky researchers guessed, to spook victims into paying since files encrypted with CryptoWall still cannot be decrypted.

Microsoft emphasized that the best defence against ransomware is 'pre-defence', meaning backing up files in disconnected or remote storage.

 

Copied from the news site I recently visited, so it's not my info. This is for discussion/chat.

 

 

Edited :)


Edited by CodeSmasha, 14 October 2015 - 06:59 AM.



 


#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:59 AM

Posted 14 October 2015 - 06:55 AM

Too late, Microsoft - what we need is to stop crypto ransomware from encrypting people's data in the first place, not stepping in to clean up the mess after it was done. The damage is usually irreversible by then.

By the way, you might want to read this for how to quote news items :)

#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 PM

Posted 14 October 2015 - 06:56 AM

When you post an article, you need to quote only a part of it, and then post the source URL. This way, people who want to read the article will actually go to the website and it'll get the traffic it deserves. Therefore, you should edit your post and adjust it accordingly :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 CodeSmasha

CodeSmasha
  • Topic Starter

  • Banned
  • 524 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 AM

Posted 14 October 2015 - 07:01 AM

 

Too late, Microsoft - what we need is to stop crypto ransomware from encrypting people's data in the first place, not stepping in to clean up the mess after it was done. The damage is usually irreversible by then.
 

 

They seem to trip up all the time eh?



#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 PM

Posted 14 October 2015 - 07:05 AM

Your edit is still not good, you need to quote only a part of it, and post the URL where we can read the full article :)



#6 CodeSmasha

CodeSmasha
  • Topic Starter

  • Banned
  • 524 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 AM

Posted 14 October 2015 - 07:11 AM

It only seems to let me edit twice, but I can't edit; it won't allow me. :(

 

I found it from this link: http://www.zdnet.com/article/after-spike-in-windows-infections-microsoft-steps-in-to-tackle-teslacrypt-ransomware/



#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 PM

Posted 14 October 2015 - 07:14 AM

On a side note...

Microsoft's Windows telemetry data picked up a large spike in detections for TeslaCrypt in late August, jumping from below 1,000 detections per day earlier that month to over 3,500 on August 24.


This is one of the reasons telemetry is useful. The sooner Microsoft is aware of things, the sooner they can react to them.



#8 CodeSmasha

CodeSmasha
  • Topic Starter

  • Banned
  • 524 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 AM

Posted 14 October 2015 - 07:19 AM

This is one of the reasons telemetry is useful. The sooner Microsoft is aware of things, the sooner they can react to them.

 

 

That's right :)

 

 

Cisco Systems (CSCO) has done its part to help rid the world of ransomware by striking a major blow to one of the largest exploit kits on the market for this type of security threat.

 

Goodbye Angler Exploit Kit, it deserved to get taken down. Full Article: http://thevarguy.com/network-security-and-data-protection-software-solutions/101415/cisco-researchers-dismantle-key-distributor-



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:59 PM

Posted 14 October 2015 - 07:23 AM

The URL you just posted returns me a 404 page on the website.

This being said, I'm sure we'll see Angler back soon, it's way too popular and "efficient" to be taken down like that.



#10 CodeSmasha

CodeSmasha
  • Topic Starter

  • Banned
  • 524 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 AM

Posted 14 October 2015 - 07:36 AM

 

This being said, I'm sure we'll see Angler back soon, it's way too popular and "efficient" to be taken down like that.

 

Maybe not in its original form, but an updated version of the exploit kit. But you're right.
