Hi! You've reached TeslaCrypt ransomware customer support. How may we fleece you?

Infosec bods tear into the belly of the beast

The TeslaCrypt ransomware gang raked in $76,500 in around 10 weeks, according to new research into the scam.

TeslaCrypt, which was distributed through the widely-used Angler browser exploit kit, was first spotted in February 2015 by security researchers at Dell SecureWorks.

After encrypting popular file types on compromised machines, TeslaCrypt demanded a ransom of $150 or more, payable in Bitcoin. The malware uses the Tor anonymity network for command and control. TeslaCrypt was also notable for its encryption of filetypes associated with popular online games.

Security researchers at Cisco were able to analyse and break the TeslaCrypt ransomware before releasing a decryption utility in late April. The release of the recovery tool thwarted the whole basis of the scam.

The latest research into the malware, by security researchers at FireEye, follows the money trail associated with the ransomware.

We tracked the victims’ payments to the cybercriminals—available because the group used Bitcoin—and determined that between February and April 2015, the perpetrators extorted $76,522 from 163 victims. This amount may seem trivial compared to millions made annually on other cyber crimes, or the estimated $3m the perpetrators of CryptoLocker were able to make during nine months in 2013-14.

However, even this modest haul demonstrates ransomware’s ability to generate profits and its devastating impact on victims.

Online correspondence between the victims and the cybercriminals behind TeslaCrypt lays out the impact of the malware on people's lives, as FireEye explains.

"Some feared being expelled from school or fired by their employers if they were unable to retrieve their files," Nart Villeneuve, principal threat intelligence analyst at FireEye, writes. "Fathers and mothers were devastated by the loss of family photos. The TeslaCrypt ransomware also affected nonprofits, including an organization dedicated to curing blood cancer, as well as small businesses. Many of the victims were simply unable to afford to pay the ransom and gave up."

Ransomware scams have been going on for years, progressing from simple PC lock-up threats and bogus claims that victims needed to pay a fine to the authorities after unsavoury material was uncovered on their machines, right up to full-blooded file encryption nasties.

CryptoLocker pioneered this area, but TeslaCrypt took the support aspects much further, even setting up a fully fledged "tech support" network. In addition, the crooks behind TeslaCrypt offer victims the ability to upload and decrypt a single file. This proves that decryption is possible while stoking the victims' desire to recover all their files, arguably adding pressure on them to pay the ransom.

"The cybercriminals position themselves as 'customer support' and help the victims acquire Bitcoin and continue to demand the ransom," Villeneuve explains.

Of the 1,231 known victims, 163 paid the ransom, a rate of about 13 per cent. Victims interacted with the cybercrime group through their messaging system.
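FireEye's figures above (the $76,522 total traced through Bitcoin payments, and the 163 payers out of 1,231 known victims) come from the kind of ledger analysis a researcher can reproduce once the ransom addresses are known. The script below is an added example, not FireEye's code or data: it takes a constructed list of transactions, keeps only those paid to a set of placeholder ransom addresses inside the February to April window, converts each payment to USD with a constructed daily rate table (falling back to the most recent earlier rate when a day is missing, an analyst's convention assumed here), and counts distinct paying victims rather than raw transactions so that a victim who pays in two instalments is counted once. The `known_victims` figure of 31 is likewise made up for the example.

```python
from bisect import bisect_right
from datetime import date, datetime

# Everything below is constructed sample data for this example; it is not
# FireEye's data set. Addresses, transaction ids, amounts and exchange rates
# are placeholders.
RANSOM_ADDRESSES = {"ransom-addr-1", "ransom-addr-2"}

# (txid, block time, sender address, receiver address, amount in BTC)
TRANSACTIONS = [
    ("tx-01", "2015-02-20T10:00:00", "victim-a", "ransom-addr-1", 0.60),
    ("tx-02", "2015-03-05T09:30:00", "victim-b", "ransom-addr-1", 0.55),
    ("tx-03", "2015-03-05T11:00:00", "victim-b", "ransom-addr-1", 0.10),  # same victim, second instalment
    ("tx-04", "2015-03-18T16:45:00", "victim-c", "ransom-addr-2", 1.20),
    ("tx-05", "2015-04-28T08:00:00", "victim-d", "ransom-addr-2", 0.70),
    ("tx-06", "2015-05-02T12:00:00", "victim-e", "ransom-addr-1", 0.65),  # after the window
    ("tx-07", "2015-03-10T13:00:00", "victim-f", "other-addr", 2.00),     # not a ransom address
]

# Constructed daily BTC/USD closing rates; 2015-04-28 is deliberately missing
# so that the fallback in usd_rate_on() is exercised.
DAILY_RATE_USD = {
    date(2015, 2, 20): 240.0,
    date(2015, 3, 5): 275.0,
    date(2015, 3, 18): 255.0,
    date(2015, 4, 27): 230.0,
    date(2015, 5, 2): 235.0,
}
RATE_DATES = sorted(DAILY_RATE_USD)

# Analysis window matching the article's "between February and April 2015".
WINDOW_START = date(2015, 2, 1)
WINDOW_END = date(2015, 4, 30)


def usd_rate_on(day):
    """Rate for `day`, falling back to the most recent earlier day with a known rate."""
    i = bisect_right(RATE_DATES, day)
    if i == 0:
        raise ValueError(f"no exchange rate on or before {day}")
    return DAILY_RATE_USD[RATE_DATES[i - 1]]


def ransom_payments(txs, ransom_addrs, start, end):
    """Keep only transactions paid to a known ransom address with a block date in [start, end]."""
    kept = []
    for txid, when, sender, receiver, btc in txs:
        day = datetime.fromisoformat(when).date()
        if receiver in ransom_addrs and start <= day <= end:
            kept.append((txid, day, sender, btc))
    return kept


def summarise(txs, ransom_addrs, start, end, known_victims):
    """Total extorted in USD, number of distinct paying victims, and the payment rate."""
    payments = ransom_payments(txs, ransom_addrs, start, end)
    total_usd = sum(btc * usd_rate_on(day) for _, day, _, btc in payments)
    # Count senders, not transactions: one victim may pay in several instalments.
    payers = {sender for _, _, sender, _ in payments}
    return {
        "transactions": len(payments),
        "total_usd": round(total_usd, 2),
        "paying_victims": len(payers),
        "payment_rate": len(payers) / known_victims if known_victims else 0.0,
    }


def example_report():
    """Run the summary over the constructed data set above."""
    return summarise(TRANSACTIONS, RANSOM_ADDRESSES, WINDOW_START, WINDOW_END, known_victims=31)


if __name__ == "__main__":
    print(example_report())
```

On the constructed data the report shows five qualifying transactions from four distinct victims, with the instalment payer counted once and the late and unrelated transactions excluded; swapping in real ledger exports and a real rate table is the only change needed to apply the same method to an actual case.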

"These messages provide an inside view into the impact on the victims and the mindset of the cybercriminals," Villeneuve reports. "The range of emotions from the victims, who have just lost all their files, ranges from anger and bewilderment to a willingness to bargain and desperation."

The chutzpah of the crooks knew few constraints. They took on the role of tech support staff, resolving problems they were instrumental in creating. Sometimes the decryption does not work, even if victims paid. Sometimes the victims are infected with different types of malware that interfere with one another, or bugs in the ransomware prevent all the victims’ files from being decrypted.

A blog post from FireEye provides a rarely seen intimate examination of the machinations integral to ransomware scams, which the security firm concludes remain successful and are therefore unlikely to disappear anytime soon. Alongside CryptoLocker and TeslaCrypt, internet Igors have also stitched together other strains including Cryptowall, CTB-Locker and more.

"We anticipate that ransomware will continue to be a growth area for cybercriminals in the next few years," Villeneuve concludes. "The tools are easy to employ, and even inexperienced intruders can generate a quick profit from Internet users around the world who are desperate to recover their files and pay the ransom." ®


Biting the hand that feeds IT © 1998–2022