Two years ago, when we published a ransomware blog post series, the number of active ransomware families was only a handful. This year, however, ransomware has become the latest malware craze that cyber criminals are going wild over.
So we thought to ask our young TET trainee (Miro) to give us a short history lesson on ransomware, particularly TeslaCrypt, because it’s one of those relatively “old” ransomware families that is still making the rounds.
Here is the result of his research.
TeslaCrypt is classified as a ransomware family. When ransomware gets into a victim’s computer, it encrypts the victim’s files and keeps them that way until the cyber criminals get what they want… money.
TeslaCrypt was one of the first to add PayPal My Cash cards as a payment method, in addition to Bitcoins.
TeslaCrypt became known because it not only encrypted the usual document and image files, but also targeted video game-related files associated with Call of Duty, Minecraft, League of Legends, and Steam, among others.
So far, there have been four versions of TeslaCrypt. It was first discovered in February 2015, and the latest one was identified in March 2016.
In the first version, although it claimed to use RSA-2048, it was in fact using AES encryption. Encrypted files had the .ECC extension added to their filenames.
The second version of TeslaCrypt, TeslaCrypt 2.0, came out sometime in July 2015. This version still claimed to use the RSA-2048 algorithm, even though it actually used AES. The extensions for the encrypted files were changed to, for example, .VVV or .ABC. The ransom demand also changed. It came in three different formats: an HTML page, a text file, and an image shown as the wallpaper or placed in the photo gallery. The difference between these two versions was visible in both the text and the look of the ransom message: titles and chapters were added to make reading easier, and the payment countdown was removed.
TeslaCrypt 3.0 was discovered in January 2016. It claimed to use RSA-4096 for encryption, but still used AES. However, this version used a different key exchange algorithm, which made the encryption more difficult to break. Another difference in this version was the use of extensions such as .MP3, .XXX, .TTT or .MICRO for the encrypted files. The HTML ransom message was the same as in TeslaCrypt 2.0, but the text file format had some slight changes, as seen below. Version 3.0 included a link to Google Translate, and the “What does this mean” line was removed.
TeslaCrypt 4.0 is the latest version of the TeslaCrypt ransomware family. It was first seen sometime in March 2016. One of the biggest differences between this version and the older ones is that 4.0 doesn’t add file extensions like .VVV or .MP3 to the encrypted files. Also, in the older versions there was a bug that left files over 4GB in size corrupted after encryption. In this version that bug has been fixed. It also tries to gather more information about the victim’s computer and send that information back to the criminal network.
TeslaCrypt 4.0 again claims that it uses RSA-4096 encryption, but still uses AES. The look of the ransom demands has not changed, but the text underwent quite a lot of changes between this version and TeslaCrypt 3.0. For example, 4.0 uses “What’s the matter with your file” whereas 3.0 used “What happened to your files”. TeslaCrypt 4.0 also brought back the “What does this mean” line from version 2.0.
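As an added illustration (not from the original post, and not F-Secure code), here is a small Python triage script that walks a directory and groups files by the TeslaCrypt version whose extension they carry, using only the extensions listed above. Because .MP3 is also a legitimate audio extension, it peeks at the first bytes for an ID3 tag or an MPEG frame sync before counting a .mp3 file as encrypted; that header check is my own heuristic, not something the post describes. It also reminds the analyst that an empty result doesn’t rule out 4.0, which leaves extensions untouched. The sample directory it scans is constructed inline.

```python
import os
import tempfile

# Extensions the post attributes to each TeslaCrypt version (lower-case).
# Version 4.0 keeps the original extension, so it has no entry here and
# cannot be found by extension alone.
TESLACRYPT_EXTENSIONS = {
    ".ecc": "1.0",
    ".vvv": "2.0",
    ".abc": "2.0",
    ".mp3": "3.0",
    ".xxx": "3.0",
    ".ttt": "3.0",
    ".micro": "3.0",
}


def looks_like_real_mp3(path):
    """Heuristic (my assumption, not from the post): a genuine MP3 starts with
    an ID3v2 tag ("ID3") or an MPEG audio frame sync (0xFF followed by a byte
    whose top three bits are set). An encrypted blob renamed to .mp3 will
    almost never match, so this avoids flagging the victim's music library."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(3)
    except OSError:
        return False
    if head.startswith(b"ID3"):
        return True
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0


def triage_directory(root):
    """Walk `root` and collect files whose extension matches a TeslaCrypt
    version. Returns {version: [paths]}. A .mp3 with a valid audio header is
    skipped as a probable false positive."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            version = TESLACRYPT_EXTENSIONS.get(ext)
            if version is None:
                continue
            path = os.path.join(dirpath, name)
            if ext == ".mp3" and looks_like_real_mp3(path):
                continue
            hits.setdefault(version, []).append(path)
    return hits


def summarize(hits):
    """Reduce the per-version path lists to per-version counts."""
    return {version: len(paths) for version, paths in hits.items()}


def build_sample_tree():
    """Constructed sample data: a temp directory mimicking a victim's share.
    File contents are placeholders, not real encrypted data."""
    root = tempfile.mkdtemp(prefix="teslacrypt_triage_")
    samples = {
        "report.docx.ecc": b"\x00\x01garbage",          # looks like version 1.0
        "photos/holiday.jpg.vvv": b"\x9f\x13garbage",    # looks like version 2.0
        "music/song.mp3": b"ID3\x03\x00real tag",        # genuine MP3 (ID3 tag)
        "music/track.mp3": b"\xff\xfbreal frame",        # genuine MP3 (frame sync)
        "docs/budget.xlsx.mp3": b"\x00\x00not audio",    # looks like version 3.0
        "notes.txt": b"plain text, untouched",           # not flagged
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = triage_directory(root)
    for version, paths in sorted(hits.items()):
        print(f"TeslaCrypt {version}: {len(paths)} file(s)")
        for p in paths:
            print("   ", os.path.relpath(p, root))
    if not hits:
        print("No known TeslaCrypt extensions found. Version 4.0 keeps the "
              "original extension, so this does not rule it out.")
```

Running it on the constructed tree reports one file each for versions 1.0, 2.0 and 3.0; the two genuine MP3s and the untouched text file are left alone. In a real incident the extension scan is only the first pass, and for 4.0 you would need to look at file contents or the ransom notes instead.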
Written and researched by Miro Ikäheimonen.
Author’s note – I’m a 14-year-old middle school student from Helsinki, Finland doing my 5-day TET (Työelämään tutustuminen) program at F-Secure. Why did I pick F-Secure? Because I’m interested in communications technology, and also after having the chance to interview Mikko Hyppönen for a school project, I got interested in F-Secure’s fight against malware. I had a fun time here and I learned lots of new things about malware, especially ransomware, and about fighting against them.