Security researchers have identified new malware targeting online gamers. The new ransomware works like Cryptolocker and has been named Teslacrypt. It attempts to infect Windows computers by exploiting a vulnerability in Adobe Flash (CVE-2015-0311) or Internet Explorer (CVE-2013-2551).
The malware is distributed through a booby-trapped website containing an iframe that uses JavaScript to redirect visitors through a chain of other sites until they land on the Angler Exploit Kit.
Once installed, Teslacrypt scans the filesystem and encrypts files whose types match a list included in its code. For each file it generates a random AES key using OpenSSL code; these keys are used to encrypt the data on the infected computer. It then encrypts the AES keys with the public key of a 2048-bit RSA key pair.
The private key needed to decrypt the per-file keys, and eventually restore the encrypted data, is stored on the attackers' command and control server.
Victims must pay a ransom of 500 dollars in Bitcoin, or buy and deliver a PayPal My Cash card worth 1,000 dollars, via a website hidden in the Tor network.
The command and control servers are also hidden on the Tor network, and the malware communicates with them over HTTP. Teslacrypt also leaves the following files on infected machines:
%AppData%\.exe
%AppData%\key.dat
%AppData%\log.html
%Desktop%\CryptoLocker.lnk
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.bmp
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.txt
… and blocks any attempt to run the following programs:
taskmgr, procexp, regedit, msconfig, cmd.exe
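A defender can turn the dropped-file list above into a host check. The following is an added example, not code from the article or from Bromium Labs: it matches a directory listing against the listed artifacts, treating any .exe directly under the %AppData% root as the unnamed executable (an assumption, since the article does not give its name), and only reports an infection when both the ransom note and key.dat are present. The environment mapping and file listing are constructed sample data.

```python
from pathlib import PureWindowsPath

# Dropped-file indicators from the article. The executable's name is not
# given, so any .exe directly under the %AppData% root is flagged instead
# (assumption for this example; legitimate installers may also drop one).
TESLACRYPT_DROPS = {
    "%AppData%": {"key.dat", "log.html"},
    "%Desktop%": {"CryptoLocker.lnk",
                  "HELP_TO_DECRYPT_YOUR_FILES.bmp",
                  "HELP_TO_DECRYPT_YOUR_FILES.txt"},
}

def find_teslacrypt_artifacts(paths, env):
    """Return the indicators found in `paths`, written with their placeholder.

    `env` maps %AppData% and %Desktop% to the concrete directories of the
    user being checked, so matching is exact on the parent directory and
    case-insensitive on names (Windows filesystems are case-insensitive).
    """
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        parent = str(p.parent).lower()
        for placeholder, names in TESLACRYPT_DROPS.items():
            if parent != env[placeholder].rstrip("\\").lower():
                continue
            if p.name.lower() in {n.lower() for n in names}:
                hits.append(f"{placeholder}\\{p.name}")
            elif placeholder == "%AppData%" and p.name.lower().endswith(".exe"):
                hits.append(f"{placeholder}\\{p.name} (unexpected executable)")
    return hits

def looks_infected(paths, env):
    """Require ransom note plus key.dat, so one stray file does not fire."""
    hits = find_teslacrypt_artifacts(paths, env)
    has_note = any("HELP_TO_DECRYPT_YOUR_FILES" in h for h in hits)
    has_key = any(h.endswith("key.dat") for h in hits)
    return has_note and has_key, hits

# Constructed sample data standing in for a real user profile listing.
SAMPLE_ENV = {"%AppData%": r"C:\Users\alice\AppData\Roaming",
              "%Desktop%": r"C:\Users\alice\Desktop"}
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\key.dat",
    r"C:\Users\alice\AppData\Roaming\log.html",
    r"C:\Users\alice\AppData\Roaming\qwe1k2.exe",
    r"C:\Users\alice\Desktop\HELP_TO_DECRYPT_YOUR_FILES.txt",
    r"C:\Users\alice\Desktop\notes.txt",
]
```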
An analysis by the security company Bromium Labs shows that TeslaCrypt is very different from Cryptolocker, with only about 8% of the executable code in common. And although it uses RSA encryption, the keys appear to be generated on the attackers' systems.
The new malware not only targets documents and images but also encrypts files associated with more than 20 games and game services, including saved games, user profile information, maps and mods.
It can hit games such as Call of Duty, World of Warcraft, Assassin's Creed, League of Legends and Minecraft. It also locks Steam accounts and development tools such as Unity3D and Unreal Engine.
"Encryption of all these games shows the evolution of crypto-ransomware aimed at new markets," said Vadim Kotov, senior security researcher at Bromium Labs.
"Many young adults may not have any critical documents or source code on their computer (photos are usually stored on Tumblr or Facebook), but most of them certainly have a Steam account with a few games and an iTunes account full of music."