New TeslaCrypt Ransomware sets its scope on video gamers


263 replies to this topic

#16 SongCloud

  • Members

Posted 27 February 2015 - 08:28 PM

What are the most common methods of infection for this and Cryptowall? Email? Browser injection or what? I talked to a man today that got nailed with Cryptowall v3 and he has no idea how he got it.

 

We've had 2 clients nailed with Cryptowall 3.0 in the last week. The first time it was a bogus alert stating that their Adobe Flash was out of date. This user already had a PUP on the machine in the form of a changed home page and search engine. The second client that got hit had the browsing history set to auto-delete after each session, so no clue where that one came from other than we are 100% sure it was not from email due to a thorough check of her messages.

 

In both cases, the malware encrypted a single workstation and all network shares; however, good backup practices allowed full recovery of the important server data in the shares without too much hassle. All local user data was already server side thanks to folder redirection, so the only items left in an unusable state on the workstations were some readme files (big deal), the default MS sample pictures/videos/music (who cares), and a handful of product manuals/documentation in Program Files (oh well, they can be re-installed if needed).

 

It is exactly malware like this that I use as an example as to why good quality redundant backups are extremely important. Workstation backups are nice, but server backups are absolutely critical. :)





#17 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin

Posted 27 February 2015 - 11:03 PM

I think every new ransomware is now just some kind of CryptoLocker modification, as its encryption method was one of the hardest to decrypt yet.


Nah... CryptoLocker was a specific infection. All these others are just copycatting it. They do not share the same code base.

#18 Aura

    Bleepin' Special Ops

  • Malware Response Team

Posted 27 February 2015 - 11:25 PM

What are the most common methods of infection for this and Cryptowall? Email? Browser injection or what? I talked to a man today that got nailed with Cryptowall v3 and he has no idea how he got it.


I would say that Cryptoware is mostly delivered via infected attachments on emails and Exploit Kits. These two are the biggest attack vectors for this kind of malware.



#19 Sintharius

    Bleepin' Sniper

  • Members

Posted 28 February 2015 - 08:33 AM

I was wondering why it would focus on games like World of Warcraft, since it's an MMORPG and everything is saved to the servers, not locally. Same for Steam: the most players would lose is screenshots and saved games (but if you play multiplayer games like TF2 then the point is moot).

Again, this emphasizes the importance of backups, since it will unfortunately encrypt data other than your games.

Alex

#20 KaiWren

  • Members

Posted 28 February 2015 - 06:02 PM

Well, World of Warcraft, League of Legends, The Elder Scrolls, and Call of Duty are all online games with close to no (or no) local content on a system. I can understand that game captures (screenshots, videos, etc.) would be encrypted, but wouldn't they be encrypted by default since they are of "image" and "video" types? I'm not saying anything against that Cryptoware, except that they should all be stopped, disrupted, etc., but for the creators of these to target games that are 100% online, I don't see the point in it except to annoy the user by forcing a reinstallation :P

 

I beg to differ. Games such as The Elder Scrolls have a thriving PC-based mod community, with literally terabytes of mods available. Sites such as nexusmods and Steam's own steamworkshop offer thousands of mods that can add small utilities to the gameplay for convenience, change game mechanics, add new characters or change behaviors, or go all the way to complete, DLC-level expansions that add dozens of hours to a game. For example, my "The Elder Scrolls V: Skyrim" folder is over 25 GB in size, largely due to mods that I've installed, with an additional 7+ gigs of mods in a mod manager's folder, and I'm considered an "average" modder!

 

Ransomware such as this new TeslaCrypt could impact hundreds of games, and millions of gamers. Or, look at it this way: in 2013, the video game industry in America was a $21 billion business. That's Billion-with-a-B, nothing to sneer at. Consider that The Avengers is considered a wildly successful movie for bringing in over $1.5 billion worldwide over its twenty-two week run. Grand Theft Auto V did that in three days, and nearly $2 billion in less than a year of being on sale. This new ransomware could finally bring in a princely sum to the extortionists. That's some kind of "annoyance!"



#21 Aura

    Bleepin' Special Ops

  • Malware Response Team

Posted 28 February 2015 - 08:23 PM

Well, what you're losing here is mostly time; it's not like you were losing money, personal pictures, work documents, etc. I'm talking about data that holds a certain value, that cannot be replaced (or replaced "that" easily). To be honest, even if I had spent hours on modding a game, if I had to pay $500 to get it back, I would just clean everything and reinstall. There's no game that is worth paying $500 to save, if you ask me. If you are to invest that much money into a game, we're past "entertainment" at this point.



#22 RobertHD

  • Members

Posted 28 February 2015 - 10:00 PM

What should we do, Nathan Scott? Find the XOR key so we can whip up an awesome decryptor?


Robert James Crawley Klopp


#23 Aura

    Bleepin' Special Ops

  • Malware Response Team

Posted 28 February 2015 - 10:50 PM

Well, I guess that Nathan and Fabian are already on the case and Grinler's probably working with them right now. That's what they always do when a new Cryptoware is discovered, isn't that right?



#24 RobertHD

  • Members

Posted 01 March 2015 - 12:16 AM

Good Luck Grinler, Nathan and Fabian 


Edited by RobertHD, 01 March 2015 - 12:24 AM.

Robert James Crawley Klopp


#25 john8008

  • Members

Posted 01 March 2015 - 01:13 AM

I don't use Steam, but I heard it has a lot of people spreading bad links to steal accounts etc. Maybe that is the way they spread this too.

 

Mostly it's like a fake message to trade something. Not sure.

 

Thanks for the update.



#26 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin

Posted 01 March 2015 - 10:01 AM

What should we do, Nathan Scott? Find the XOR key so we can whip up an awesome decryptor?


Definitely not XOR, unfortunately. At this point we are labeling this as non-decryptable. If anything changes we will be sure to let everyone know.

#27 TriggerJinxed

  • Members

Posted 02 March 2015 - 01:52 PM

 

What are the most common methods of infection for this and Cryptowall? Email? Browser injection or what? I talked to a man today that got nailed with Cryptowall v3 and he has no idea how he got it.

 

We've had 2 clients nailed with Cryptowall 3.0 in the last week. The first time it was a bogus alert stating that their Adobe Flash was out of date. This user already had a PUP on the machine in the form of a changed home page and search engine. The second client that got hit had the browsing history set to auto-delete after each session, so no clue where that one came from other than we are 100% sure it was not from email due to a thorough check of her messages.

 

In both cases, the malware encrypted a single workstation and all network shares; however, good backup practices allowed full recovery of the important server data in the shares without too much hassle. All local user data was already server side thanks to folder redirection, so the only items left in an unusable state on the workstations were some readme files (big deal), the default MS sample pictures/videos/music (who cares), and a handful of product manuals/documentation in Program Files (oh well, they can be re-installed if needed).

 

It is exactly malware like this that I use as an example as to why good quality redundant backups are extremely important. Workstation backups are nice, but server backups are absolutely critical. :)

 

 

Last week, I had an end user who got hit with 3.0 too. I traced it back to a false Adobe update as well; it originated from a Mozilla folder that was created when the virus sprang itself (the user had Chrome but did not have, nor ever had, Firefox), located in their App Data folder (the user was on Windows XP). It happened all at the same time as the user ran the faux update. The encryption occurred the following morning when he booted up. It prepared everything silently at 2 PM according to the timestamps, but the network files were all encrypted at 9 AM the next morning. So I don't know if clearing an internet cache would help much.

 

The user had Symantec as their antivirus; it targeted the Symantec folder and changed the permissions just on that folder so that NOTHING located in that folder could run.


I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We've created life in our own image. ~Stephen Hawking
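The post above describes the malware rewriting the permissions on the antivirus folder so nothing in it could run. A quick way to audit a host for that kind of tampering, as an added PowerShell example that is not from the thread (the folder path is a placeholder; substitute the real AV install directory):

```powershell
# Added example, not from the thread: list explicit Deny ACEs under an AV
# install folder. A healthy install normally has no Deny entries at all, so
# any hit is worth a closer look; the owner is shown because a rewritten ACL
# often comes with a changed owner too.
param(
    # Placeholder path; replace with the actual antivirus directory on the host.
    [string]$AvFolder = 'C:\Program Files\<YourAVVendor>'
)

if (-not (Test-Path -LiteralPath $AvFolder)) {
    Write-Warning "Folder not found: $AvFolder"
    return
}

# The folder itself plus everything below it (hidden items included).
$items = @(Get-Item -LiteralPath $AvFolder) +
         @(Get-ChildItem -LiteralPath $AvFolder -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName
    } catch {
        # Unreadable ACL (access denied) is itself suspicious; note it and move on.
        Write-Warning "Could not read ACL: $($item.FullName)"
        continue
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Owner     = $acl.Owner
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No Deny ACEs found under $AvFolder"
}
```

Run it from an elevated prompt so the ACLs on every subfolder can be read; a Deny entry that blocks Execute or ReadAndExecute for Everyone or SYSTEM matches the behaviour described in the post.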

#28 spirit95gt

  • Members

Posted 02 March 2015 - 08:52 PM

I got this on my computer and I don't even play games on it. It started out by encrypting Office files in the My Documents folder and seems to have moved on to Program Files, since now I can't even run Excel. Any help would be greatly appreciated. Unfortunately I'm running XP SP3, so Shadow Explorer is not an option. Recuva did not show any deleted files that were encrypted.

#29 Aura

    Bleepin' Special Ops

  • Malware Response Team

Posted 02 March 2015 - 09:30 PM

Hi spirit, I'm guessing that a support thread will be created soon for TeslaCrypt, so just wait a bit until it's up and then all the assistance will be given in that thread :)



#30 tvacc7

  • Members

Posted 04 March 2015 - 11:24 AM

We just had a computer with this infection come into our store on Monday. Not much we can do from what I see here...





