TeslaCrypt criminals launch 'very strong' spam campaign to spread crypto-malware

Trojan's authors change tactics in apparent attempt to infect businesses with crypto-malware

TeslaCrypt malware was first discovered earlier this year. Like other crypto-malware, TeslaCrypt (also known as Alpha Crypt) encrypts the victim's files, with the keys to unlock them only being sent after payment of a ransom in Bitcoin.

Security vendor FireEye managed to track payments to the cyber-criminals and determined that between February and April 2015 $76,522 was handed over by 163 victims of TeslaCrypt.

Previously, the main tool used by the cyber-criminals to spread the TeslaCrypt Trojan was the Angler exploit kit, which enables the malware to avoid detection by many popular anti-virus solutions. Angler can also collect information from the infected machine and enlist it as part of a botnet. The detection rate for TeslaCrypt is low, with only 3 out of 55 anti-malware suites spotting it, according to VirusTotal.

However, Heimdal Security, an anti-malware company, has seen a spike in infections over the past few days, which the company attributes to a change in tactics by the perpetrators.

"We've seen TeslaCrypt being spread via spam emails that contain malicious zip attachments," the Heimdal Security team says, describing the campaign as "very strong".

"The email appears to come from a company that demands to be paid for an overdue invoice," it continues. "Inside the zip file, there is a .js file which, when unzipped, retrieves TeslaCrypt from several compromised web pages."
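The delivery chain Heimdal describes (an "overdue invoice" email carrying a zip whose only content is a .js script) is easy to flag at the mail gateway before a user ever opens it. The following is an added example, not code from the article or from Heimdal Security; the sender and file names are constructed, and the extra script extensions beyond .js are an assumption of the same delivery style.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from typing import List

# Extensions that Windows Script Host runs on double-click. The article
# reports .js inside the zip; the others are assumed variants of the same trick.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf")


def find_script_in_zip(data: bytes) -> List[str]:
    """Return the names of script files inside an in-memory zip archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [n for n in archive.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []  # not a zip (or corrupt): nothing to report from this check


def flag_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 822 message; list 'attachment:script' for every zip carrying a script."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True) or b""  # base64-decoded attachment bytes
        for script in find_script_in_zip(payload):
            findings.append(f"{name}:{script}")
    return findings


def build_sample_message() -> bytes:
    """Construct a sample invoice-themed email with a zip containing a .js file (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice_0423.js", "// constructed placeholder, not a downloader\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please find the overdue invoice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice_0423.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_message(build_sample_message()))  # ['invoice_0423.zip:invoice_0423.js']
```

A gateway rule built on this check quarantines the message rather than relying on the endpoint anti-virus that, per the VirusTotal figures above, mostly misses the payload.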

Fortunately, there are solutions available to recover files encrypted by TeslaCrypt, such as Cisco's TeslaCrypt Decryption Tool, which works so long as the master encryption key used by the Trojan is still located in the key.dat file. However, later versions of TeslaCrypt specifically delete this file. Microsoft has also released a rescue tool, which was part of a Patch Tuesday fix released in August.

The Heimdal Security team warns that these tools come with no guarantees and that data might be permanently damaged by using them. However, it also advises against paying the ransom as provision of the key cannot be assured.

Prevention is very much better than cure in this case. The firm recommends common-sense measures such as never downloading and opening zip files attached to emails from an unknown source, and backing up important data away from the primary hard drive. All software should be kept up to date, too, particularly operating systems and anti-virus software, since exploit kits like Angler rely on outdated software to do the damage.

As well as a change in the delivery mechanism, the Heimdal Security team notes that the malware's authors are now starting to attack businesses in northern Europe. Earlier attacks were focused on individuals, particularly gamers. Only Windows users are vulnerable.

In a recent Computing survey, 17 per cent of respondents said that they, or other companies in their sector, have been affected by crypto-malware.

Computing's latest Enterprise Security and Risk Management Review can be downloaded from our Research page.