
Crypto-Vigilance: TeslaCrypt Breakdown

TeslaCrypt is the latest in a series of viruses in the family now termed “crypto-ransomware”. It is a particular problem because it is getting harder to protect against: the code changes constantly and is updated with more sophisticated logic to get past network security and endpoint protections such as AV software. Most AV products also fail to catch it in time because, technically, it does nothing considered ‘traditionally malicious’; reading and rewriting the user’s own files looks like ordinary program behaviour. TeslaCrypt uses COM+ sandbox evasion techniques and then starts encrypting, with AES, every file carrying one of the following extensions:

.7z;.rar;.m4a;.wma;.avi;.wmv;.csv;.d3dbsp;.sc2save;.sie;.sum;.ibank;.t13;.t12;.qdf;.gdb;.tax;.pkpass;

.bc6;.bc7;.bkp;.qic;.bkf;.sidn;.sidd;.mddata;.itl;.itdb;.icxs;.hvpl;.hplg;.hkdb;.mdbackup;.syncdb;.gho;

.cas;.svg;.map;.wmo;.itm;.sb;.fos;.mcgame;.vdf;.ztmp;.sis;.sid;.ncf;.menu;.layout;.dmp;.blob;.esm;

.001;.vtf;.dazip;.fpk;.mlx;.kf;.iwd;.vpk;.tor;.psk;.rim;.w3x;.fsh;.ntl;.arch00;.lvl;.snx;.cfr;.ff;.vpp_pc;.lrf;

.m2;.mcmeta;.vfs0;.mpqge;.kdb;.db0;.DayZProfile;.rofl;.hkx;.bar;.upk;.das;.iwi;.litemod;.asset;.forge;

.ltx;.bsa;.apk;.re4;.sav;.lbf;.slm;.bik;.epk;.rgss3a;.pak;.big;.unity3d;.wotreplay;.xxx;.desc;.py;.m3u;.flv;

.js;.css;.rb;.png;.jpeg;.txt;.p7c;.p7b;.p12;.pfx;.pem;.crt;.cer;.der;.x3f;.srw;.pef;.ptx;.r3d;.rw2;.rwl;.raw;

.raf;.orf;.nrw;.mrwref;.mef;.erf;.kdc;.dcr;.cr2;.crw;.bay;.sr2;.srf;.arw;.3fr;.dng;.jpe;.jpg;.cdr;.indd;.ai;

.eps;.pdf;.pdd;.psd;.dbfv;.mdf;.wb2;.rtf;.wpd;.dxg;.xf;.dwg;.pst;.accdb;.mdb;.pptm;.pptx;.ppt;.xlk;.xlsb;

.xlsm;.xlsx;.xls;.wps;.docm;.docx;.doc;.odb;.odc;.odm;.odp;.ods;.odt

While the encryption is running, it also replaces the desktop wallpaper with the following ransom warning image:

[Image: TeslaCrypt ransom warning wallpaper]


This nasty code then goes on to delete all Volume Shadow Copies, and with them the System Restore points, using the command “vssadmin delete shadows /all /quiet”. It then implements anti-tampering protection: every 200 milliseconds, TeslaCrypt enumerates all running processes, and if a process whose filename contains any of the words below is found, that process is terminated using the TerminateProcess Windows API function.

  • taskmgr
  • procexp
  • regedit
  • msconfig
  • cmd.exe


Killing these processes prevents the user from running the tools and utilities (Task Manager, Command Prompt, Registry Editor, etc.) that might otherwise help; as my technician Ryan Wozniak puts it, “all of these things [utilities] could be used to attempt to stop the infection process or remove the malware.”
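As an added hunting example (this is not code from the original post and not TeslaCrypt’s own code), the following Python script looks for the two behaviours just described in process telemetry: the vssadmin shadow-copy deletion, and a burst of terminations of the administrative tools on the watchdog’s list. The log records are constructed for the example, and their field names only loosely follow Sysmon (event 1 = process create, event 5 = process terminate); the 10-second window and threshold of three kills are assumed values, not figures from the post.

```python
"""Added example: hunt for TeslaCrypt's shadow-copy deletion and its
admin-tool watchdog in process telemetry. Not the malware's own code."""
from datetime import datetime, timedelta

# Substrings the watchdog described above matches against process names.
WATCHDOG_TARGETS = ("taskmgr", "procexp", "regedit", "msconfig", "cmd.exe")

# Constructed sample telemetry (not a real capture). Field names loosely
# follow Sysmon: id 1 = process create (has a command line), id 5 = process
# terminate. Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"t": "2015-03-02T10:15:02", "id": 1,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /All /Quiet'},
    # the user opens Task Manager, cmd and regedit; each dies almost at once
    {"t": "2015-03-02T10:15:30", "id": 5, "image": r"C:\Windows\System32\Taskmgr.exe"},
    {"t": "2015-03-02T10:15:33", "id": 5, "image": r"C:\Windows\System32\cmd.exe"},
    {"t": "2015-03-02T10:15:36", "id": 5, "image": r"C:\Windows\regedit.exe"},
    # benign noise: a backup job listing shadows, one Task Manager closed normally
    {"t": "2015-03-02T11:00:00", "id": 1,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"t": "2015-03-02T11:05:00", "id": 5, "image": r"C:\Windows\System32\Taskmgr.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_shadow_deletion(cmdline: str) -> bool:
    """True for any 'vssadmin ... delete shadows ...' command line.

    Tokens are compared case-insensitively so '/All /Quiet' vs '/all /quiet'
    and argument order do not matter. (Whitespace splitting is enough here
    because vssadmin lives in System32, a path without spaces.)
    """
    tokens = cmdline.lower().split()
    if not tokens or basename(tokens[0]) not in ("vssadmin", "vssadmin.exe"):
        return False
    return "delete" in tokens and "shadows" in tokens


def watchdog_kill_bursts(events, window=timedelta(seconds=10), threshold=3):
    """Return (window_start, [image names]) for every run of at least
    `threshold` terminations of watchdog-target processes within `window`.

    Endpoint logs do not record which process called TerminateProcess, so
    we detect the effect: admin tools that keep dying shortly after launch.
    """
    kills = sorted(
        (datetime.fromisoformat(e["t"]), basename(e["image"]))
        for e in events
        if e["id"] == 5 and any(w in basename(e["image"]) for w in WATCHDOG_TARGETS)
    )
    alerts, i = [], 0
    while i < len(kills):
        j = i
        while j + 1 < len(kills) and kills[j + 1][0] - kills[i][0] <= window:
            j += 1
        run = kills[i:j + 1]
        if len(run) >= threshold:
            alerts.append((run[0][0], [img for _, img in run]))
            i = j + 1          # skip past the run we just reported
        else:
            i += 1
    return alerts


def hunt(events):
    """Run both detections; returns (finding, timestamp, detail) tuples."""
    findings = []
    for e in events:
        if e["id"] == 1 and is_shadow_deletion(e.get("cmdline", "")):
            findings.append(("shadow_copy_deletion", e["t"], e["cmdline"]))
    for start, images in watchdog_kill_bursts(events):
        findings.append(("admin_tool_kill_burst", start.isoformat(), ",".join(images)))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

The shadow-copy check fires on the command itself, which is the earliest and most reliable signal: a workstation has almost no legitimate reason to run “vssadmin delete shadows”. The kill-burst check is noisier (a user closing Task Manager once is normal, which is why the single 11:05 termination is ignored); with real Sysmon data you would tighten it by pairing each process-create with its terminate on ProcessId and alerting on lifetimes well under a second, which is what a 200 ms watchdog produces.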


The only recovery option, other than actually paying the ransom (which does work), is an image-level restore of the infected machine from a backup taken before the infection, followed by restoring the encrypted files from backup as well. Because the shadow copies have already been deleted, Previous Versions and System Restore are of no use.
