TeslaCrypt, primarily known for encrypting gaming files, has beefed up its techniques and most recently, greatly improved its encryption in its newest 2.0 version.
Kasperky Lab wrote in a blog post that TeslaCrypt 2.0 not only makes it impossible to decrypt files, but also uses an HTML page copied directly from a separate ransomware: CryptoWall. And to take it a step further, TeslaCrypt no longer uses its own name; it instead opts to disguise itself as CryptoWall.
More specifically, once infected, a victim is taken to an HTML payment page directly copied from CryptoWall. It only differs in that the URLs lead to TeslaCrypt’s Tor-based servers.
Fedor Sinitsyn, senior malware analyst at Kaspersky, said in emailed comments to SCMagazine.com that he couldn’t provide an answer as to why the gaming ransomware might be using this disguise, but he speculated it’s “aimed to scare the victim and to puzzle experts trying to help the victim.”
While TeslaCrypt might not be as notorious or recognizable as CryptoWall, the ransomware’s new encryption scheme could put it higher up on IT professionals’ threat radar. Previous versions saved data in a file that could be used to recover the decryption key, Sinitsyn said. This critical data isn’t saved in the system. Backups are more imperative than ever, and Sinitsyn emphasized that they are the best defense against ransomware attacks.
“System administrators should be in charge of corporate backup and be leading the process on the corporate level,” he said. “Also, they should educate their uses on how to protect themselves from ransomware.”
TeslaCrypt mainly spreads through exploit kits, including Angler, Sweet Orange and Nuclear, and a large portion of its infections have been in the U.S.
“Ransomware as a threat is growing, criminals develop new and sophisticated pieces of malware, and in many cases decryption of the attacked files is impossible,” Sinitsyn said. “If your data is valuable, please take your time to make reliable backup copies.”