Security researchers have identified a new piece of malware targeting online gamers. The new ransomware works like Cryptolocker and has been named TeslaCrypt. It attempts to infect Windows computers by exploiting a vulnerability in Adobe Flash (CVE-2015-0311) or Internet Explorer (CVE-2013-2551).
The malware is distributed through a booby-trapped website containing an iframe that loads JavaScript. That JavaScript redirects visitors through a chain of other sites until they land on the Angler Exploit Kit.
Once installed, TeslaCrypt scans the file system and encrypts the files whose types match a list embedded in its code. For each such file it generates a random AES key using OpenSSL code and uses that key to encrypt the file's data on the infected computer. It then encrypts the per-file AES keys with the public key of a 2048-bit RSA key pair.
The private key needed to decrypt the per-file keys, and so eventually restore the encrypted data, is stored on the attackers' command and control server.
Victims have to pay a ransom of $500 in Bitcoin, or buy and hand over a $1,000 PayPal My Cash card, through a website hidden in the Tor network.
The command and control servers are also hidden in the Tor network, and the malware communicates with them over HTTP. TeslaCrypt also drops the following files on infected machines:
%AppData%\.exe
%AppData%\key.dat
%AppData%\log.html
%Desktop%\CryptoLocker.lnk
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.bmp
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.txt
... and it blocks any attempt to run the following programs:
taskmgr
procexp
regedit
msconfig
cmd.exe
An analysis carried out by the security company Bromium Labs shows that TeslaCrypt is very different from Cryptolocker: only about 8% of the executable code resembles it. And although it uses RSA encryption, the keys appear to be generated on the attackers' own systems.
The new malware does not focus only on documents or images; it also encrypts files associated with more than 20 games and game services. The files it encrypts include user profile information, saved games, maps, and mods.
It can hit games such as Call of Duty, World of Warcraft, Assassin's Creed, League of Legends and Minecraft. In addition, it locks Steam accounts and development tools such as Unity3D and Unreal Engine.
"Encryption of all these games shows the evolution of crypto-ransomware aimed at new markets," said Vadim Kotov, senior security researcher at Bromium Labs.
“Many young adults may not have any critical documents or source code on their computer (they usually keep their photos on Tumblr or Facebook), but certainly most of them have a Steam account with a few games and an iTunes account full of music.”