TeslaCrypt – Decrypt It Yourself


Jack

Administrator
Thread author
After the takedown of Cryptolocker, we have seen the rise of Cryptowall. Cryptowall 2 introduced “features” such as advanced anti-debugging techniques, only to have many of those features removed in Cryptowall 3. Ransomware is becoming an extremely lucrative business, leading to many variants and campaigns targeting even localized regions in their own specific languages. Although it is possible that these multiple variants are sponsored by the same threat actor, the most likely conclusion is that multiple threat actors are jumping in to claim a portion of an ever-increasing ransomware market. One of the latest variants is called TeslaCrypt and appears to be a derivative of the original Cryptolocker ransomware. Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead. Talos was able to develop a tool which decrypts the files encrypted by the TeslaCrypt ransomware.

At first glance, the dropper appears to be related to the original CryptoLocker. The malware states that data files, such as photos, videos and documents on the victim’s computer, have been encrypted with the RSA-2048 asymmetric algorithm. As we shall see, that statement is not entirely accurate.

Targeting files that users value highly makes ransomware very effective at getting users to pay the ransom. TeslaCrypt is interesting because it also targets and encrypts computer games files, such as saved games and Steam activation keys. This means that TeslaCrypt is targeting many different types of users, including PC gamers. Just like irreplaceable photos, a game save, which is the product of countless hours of gaming, is extremely valuable and hard to replace.

We have analysed two samples of TeslaCrypt, the first dated March 2015 and the second dated April 2015. Their SHA256 hashes are:

  • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
  • 6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4
Both samples implement the following hashing and encoding algorithms:

  • SHA1
  • SHA256
  • RIPEMD160
  • BASE58
  • BASE64
Infection Vector And Setup Function
This ransomware is usually distributed as an email attachment or through websites that redirect the victim to the Angler Exploit Kit. In our analysis, the exploit kit delivered a malicious Flash object containing an exploit against CVE-2015-0311. The payload for this exploit was a TeslaCrypt sample.

We are only going to give a quick introduction on the dropper’s architecture and the setup function because this functionality has been widely covered.

Most TeslaCrypt samples use COM+ sandbox evasion techniques. For example, the dropper we analysed uses simple detection code that verifies if the “URLReader2” COM interface has been correctly installed in the DirectShow filter graph list:

[Image: DirectShow filter graph list check (TeslaCrypt-GraphList-550x250.png)]

If the check passes, the real dropper is extracted and executed using a well-known method that relies on the ZwMapViewOfSection/ZwUnmapViewOfSection API functions to unmap the original PE memory image and map another image file in its place. The final unpacked executable locates specific Windows directories, such as the Application Data directory, and builds support files like the “key.dat” file and the files that store the decryption instructions. The executable also adjusts its own privileges (it adds “SeDebugPrivilege”) and copies itself under a random file name to the user’s Application Data directory. A new process is then spawned and execution is transferred to it, after which the original dropper file is deleted. Finally, the main malware window is created and five threads are spawned, followed by the window message dispatching cycle.
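As an added example (not code from this post or from Talos), the setup chain just described can be turned into a correlation heuristic over endpoint file and process events, alerting only when the key.dat drop, the random-named self-copy into Application Data and the spawn from that copy are all seen together. The event records, paths and the random-name threshold are constructed assumptions, not real telemetry.

```python
import re

# Constructed, simplified endpoint events (not real telemetry), modelled on the
# TeslaCrypt setup chain above: key.dat written to Application Data, a self-copy
# under a random name into the same directory, a new process spawned from that
# copy, and the original dropper deleted. Event = (type, acting_image, target).
TESLACRYPT_LIKE = [
    ("file_create", r"C:\Users\bob\Downloads\invoice.exe",
     r"C:\Users\bob\AppData\Roaming\key.dat"),
    ("file_create", r"C:\Users\bob\Downloads\invoice.exe",
     r"C:\Users\bob\AppData\Roaming\xk4f9qz2.exe"),
    ("process_create", r"C:\Users\bob\Downloads\invoice.exe",
     r"C:\Users\bob\AppData\Roaming\xk4f9qz2.exe"),
    ("file_delete", r"C:\Users\bob\AppData\Roaming\xk4f9qz2.exe",
     r"C:\Users\bob\Downloads\invoice.exe"),
]

APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def looks_random(stem):
    """Heuristic for machine-generated names: 6-16 alphanumerics mixing letters
    and digits (e.g. 'xk4f9qz2'). Assumed threshold; tune to your environment."""
    return (6 <= len(stem) <= 16 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))

def assess_chain(events):
    """Map each setup stage observed to the path that triggered it."""
    stages = {}
    for etype, actor, target in events:
        name = _basename(target)
        in_appdata = bool(APPDATA_RE.search(target))
        random_exe = name.endswith(".exe") and looks_random(name[:-4])
        if etype == "file_create" and in_appdata and name == "key.dat":
            stages["key_dat_written"] = target
        elif etype == "file_create" and in_appdata and random_exe:
            stages["self_copy_to_appdata"] = target
        elif etype == "process_create" and in_appdata and random_exe:
            stages["spawned_from_appdata_copy"] = target
        elif etype == "file_delete" and APPDATA_RE.search(actor) and name.endswith(".exe"):
            stages["dropper_deleted"] = target
    return stages

def is_teslacrypt_like(events):
    """Alert only when the key.dat drop, self-copy and spawn all occur together."""
    seen = assess_chain(events).keys()
    return {"key_dat_written", "self_copy_to_appdata", "spawned_from_appdata_copy"} <= seen
```

A lone write to Application Data or a lone process started from it is far too common to page on; requiring the three stages together is what keeps this heuristic quiet on ordinary software updaters.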

Read more: http://blogs.cisco.com/security/talos/teslacrypt