Over the past two weeks security researchers have seen a surge in attacks using a file-encrypting ransomware program called TeslaCrypt, known for targeting gamers in the past.
TeslaCrypt first appeared in March and stood out because over 50 of the 185 file types it targeted were associated with computer games and related software, including game saves, custom maps, profiles, replays and mods — content that users might have a hard time replacing.
In April researchers from Cisco found a weakness in TeslaCrypt’s encryption routine and created a tool that could decrypt files affected by some versions of the program.
Since then, the ransomware program’s authors have continued to refine it and started selling it on the underground market to other cybercriminals. However, the number of attacks have stayed relatively low until late November when security researchers from Symantec observed a significant change.
Over the past two weeks the number of TeslaCrypt infection attempts detected by Symantec went up from around 200 a day to 1,800, suggesting that one cybercriminal group is ramping up its use of this malicious program.
The group’s preferred method of infection is through spam emails with malicious attachments. The subject lines of these emails begin with “ID,” followed by a random number and a request related to alleged invoices, successful orders or wire transfers.
Judging by these topics, the attackers are targeting businesses — a new trend for ransomware attacks in general that’s fueled by businesses being more willing to pay to recover important files.
The malicious TeslaCrypt email attachments may include the words “invoice,” “doc,” or “info,” but they actually contain heavily obfuscated JavaScript code designed to evade antivirus detection and download the ransomware program.
If the attack is successful, the program will encrypt all files with a strong encryption algorithm and will add the .VVV extension to them. It will also drop text and HTML ransom notes that instruct victims how to access Tor-hosted sites in order to pay the ransom.
“Given that this group using TeslaCrypt has been highly active in recent weeks, businesses and consumers should be on their guard, keep their security software regularly updated, and exercise caution when opening emails from unfamiliar sources,” the Symantec researchers said in a blog post. “Users should also regularly back up any files stored on their computers. If a computer is compromised with ransomware, then these files can be restored once the malware is removed from the computer.”