This article is more than 1 year old

Hi! You've reached TeslaCrypt ransomware customer support. How may we fleece you?

Infosec bods tear into the belly of the beast

The TeslaCrypt ransomware gang raked in $76,500 in around 10 weeks, according to new research into the scam.

TeslaCrypt, which was distributed through the widely-used Angler browser exploit kit, was first spotted in February 2015 by security researchers at Dell SecureWorks.

After encrypting popular file types on compromised machines, TeslaCrypt demanded a ransom of $150 or more, payable in Bitcoin. The malware uses the Tor anonymity network for command and control. TeslaCrypt was also notable for its encryption of filetypes associated with popular online games.

Security researchers at Cisco were able to analyse and break the TeslaCrypt ransomware before releasing a decryption utility in late April. The release of the recovery tool thwarted the whole basis of the scam.

The latest research into the malware, by security researchers at FireEye, follows the money trail associated with the ransomware.

We tracked the victims’ payments to the cybercriminals—available because the group used Bitcoin—and determined that between February and April 2015, the perpetrators extorted $76,522 from 163 victims. This amount may seem trivial compared to millions made annually on other cyber crimes, or the estimated $3m the perpetrators of CryptoLocker were able to make during nine months in 2013-14.

However, even this modest haul demonstrates ransomware’s ability to generate profits and its devastating impact on victims.

Online correspondence between the victims and the cybercriminals behind TeslaCrypt lays out the impact on the malware on peoples' lives, as FireEye explains.

"Some feared being expelled from school or fired by their employers if they were unable to retrieve their files," Nart Villeneuve, principal threat intelligence analyst at FireEye, writes. "Fathers and mothers were devastated by the loss of family photos. The TeslaCrypt ransomware also affected nonprofits, including an organization dedicated to curing blood cancer, as well as small businesses. Many of the victims were simply unable to afford to pay the ransom and gave up."

Ransomware scams have been going on for years, progressing from simple PC lock-up threats and bogus claims that victims needed to pay a fine to the authorities after unsavoury material was uncovered on their machines, right up to full-blooded file encryption nasties.

CryptoLocker pioneered this area but TeslaCrypt took the support aspects much further, even setting up a fully fledged "tech support" network. In addition, the crooks behind TeslaCrypt offer victims the ability to upload and decrypt a single file. This demonstrates the capability of decrypting files while stimulating the desire for victims to recover all their files, arguably adding additional pressure on the victims to pay the ransom.

"The cybercriminals position themselves as 'customer support' and help the victims acquire Bitcoin and continue to demand the ransom," Villeneuve explains.

Of these 1,231 known victims, 163 paid the ransom, a rate of about 13 per cent. Victims interacted with the cybercrime group through their messaging system.

"These messages provide an inside view into the impact on the victims and the mindset of the cybercriminals," Villeneuve reports. "The range of emotions from the victims, who have just lost all their files, ranges from anger and bewilderment to a willingness to bargain and desperation."

The chutzpah of the crooks knew few constraints. They took on the role of tech support staff, resolving problems they were instrumental in creating. Sometimes the decryption does not work, even if victims paid. Sometimes the victims are infected with different types of malware that interfere with one another, or bugs in the ransomware prevent all the victims’ files from being decrypted.

A blog post from FireEye provides a rarely seen intimate examination from of the machinations integral to ransomware scams, which the security firm concludes remains successful and is therefore unlikely to disappear anytime soon. Alongside CryptoLocker and TeslaCrypt, internet Igors have also stitched together other strains including Cryptowall, CTB-Locker and more.

"We anticipate that ransomware will continue to be a growth area for cybercriminals in the next few years," Villeneuve concludes. "The tools are easy to employ, and even inexperienced intruders can generate a quick profit from Internet users around the world who are desperate to recover their files and pay the ransom." ®

More about


Send us news

Other stories you might like