Malware researchers at Kaspersky detected a new strain of the TeslaCrypt ransomware (Trojan-Ransom.Win32.Bitman.tk), so-called TeslaCrypt 2.0, which includes a number of improvements. This ransomware also encrypts video game files, but the most significant improvement is related to the encryption scheme that overwhelm the limits of the scheme implemented in the previous versions.
The latest version implements a new encryption scheme that makes it impossible to recover files encrypted by ransomware.
“Kaspersky Lab recently discovered the latest version of the Trojan – TeslaCrypt 2.0. This version is different from previous ones in that it uses a significantly improved encryption scheme, which means that it is currently impossible to decrypt files affected by TeslaCrypt. It also uses an HTML page instead of a GUI. Incidentally, the HTML page was copied from another Trojan – Cryptowall.” states the report published by Kaspersky Lab.
The experts discovered several strains of TeslaCrypt 2.0 over the last months, the first one comes with the same interface of the CryptoWall 3.0 ransomware, recent versions are using a totally new ransom screen.
The TeslaCrypt 2.0 encryption scheme is based on the ECDH algorithm, it involves master keys generated for each infected PC, each time the malware is executed on the victim’s PC session keys are generated.
“Keys are generated using the ECDH algorithm,” states the blog post. “The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone.”
The authors of TeslaCrypt 2.0 have removed the file decryption feature found in previous versions, used by security experts to recover the encrypted files.
Below the list of features implemented by TeslaCrypt 2.0:
The ransomware implements a sophisticated detection evasion technique based on using COM objects, that was noticed for the first time with version 0.4.0 of the malware.
(Security Affairs – TeslaCrypt, ransomware)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.