Malware researchers at Kaspersky detected a new strain of the TeslaCrypt ransomware (Trojan-Ransom.Win32.Bitman.tk), so-called TeslaCrypt 2.0, which includes a number of improvements. This ransomware also encrypts video game files, but the most significant improvement is related to the encryption scheme that overwhelm the limits of the scheme implemented in the previous versions.
The latest version implements a new encryption scheme that makes it impossible to recover files encrypted by ransomware.
“Kaspersky Lab recently discovered the latest version of the Trojan – TeslaCrypt 2.0. This version is different from previous ones in that it uses a significantly improved encryption scheme, which means that it is currently impossible to decrypt files affected by TeslaCrypt. It also uses an HTML page instead of a GUI. Incidentally, the HTML page was copied from another Trojan – Cryptowall.” states the report published by Kaspersky Lab.
The experts discovered several strains of TeslaCrypt 2.0 over the last months, the first one comes with the same interface of the CryptoWall 3.0 ransomware, recent versions are using a totally new ransom screen.
The TeslaCrypt 2.0 encryption scheme is based on the ECDH algorithm, it involves master keys generated for each infected PC, each time the malware is executed on the victim’s PC session keys are generated.
“Keys are generated using the ECDH algorithm,” states the blog post. “The cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a specific purpose, enabling the attackers to decrypt files using a ‘master key’ alone.”
The authors of TeslaCrypt 2.0 have removed the file decryption feature found in previous versions, used by security experts to recover the encrypted files.
Below the list of features implemented by TeslaCrypt 2.0:
The ransomware implements a sophisticated detection evasion technique based on using COM objects, that was noticed for the first time with version 0.4.0 of the malware.
(Security Affairs – TeslaCrypt, ransomware)