New TeslaCrypt Ransomware sets its scope on video gamers

We just had a computer with this infection come into our store on Monday. Not much we can do from what I see here.....

I haven't been able to test this virus yet but with certain other ransomware you could (sometimes) recover data by using a data recovery software such as recuva. It is worth a shot.

Most League of Legends players will be unaffected. you don't lose anything if those files are encrypted.

I've had some luck with ransomware randomly missing some files here and there, like one random JPG was left alone out of a whole directory. OmniCryptoFinder by OmniSpear is good at evaluating files and seeing what has been hit or not. It was originally created with the original CryptoWall in mind, but I've had it still do the job with CTB-Locker and CryptoWall 2.0/3.0. Mind it doesn't unencrypt files at all, it simply identifies some files that may have been missed - instead of manually going through and trying to open everything, or even thumbnail viewing every single pictures. I've then taken its output and made a batch script that identifies the clean files, and copies them to safe directory. I've managed to save a few hundred pictures out of 10k on one customer's system using this method.

 

I also second the Recuva attempts. I've had it recover a whole 2 documents for one customer, but that's better than zilch. Worth a shot, doesn't take too long to run.

I've got a client that was just hit with what appears to be this variant. Client computer was hit as well as the network shares she had access to. Little over 1TB of data I'll be restoring from Datto image backups. Ugh.

 

Is there any point in uploading a sample file?

Edited by dcluck68, 07 March 2015 - 03:11 PM.

I make YouTube videos of mostly minecraft gameplay. I think this would be very horrible to have hit my computer. I'm going to remember to regularly back up my saved worlds now with everything else. Would really hate to have to start all my series over. :c

 

Edit - I had a fellow YTer get this and the dropper was a torrent file. 

Edited by ITGeekGirl, 09 March 2015 - 08:19 AM.

Edit - I had a fellow YTer get this and the dropper was a torrent file.

The practice of using File Sharing (P2P), Torrents, Keygens, Cracks, Warez, and Pirated Software are a Security Risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft.

 

Edit - I had a fellow YTer get this and the dropper was a torrent file.

The practice of using File Sharing (P2P), Torrents, Keygens, Cracks, Warez, and Pirated Software are a Security Risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft.

 

 

You know that, I know that, however my fellow gamers are still oblivious to that. 

You know that, I know that, however my fellow gamers are still oblivious to that.

Then I say they need to take some responsibility and educate themselves or stop whining every time their machines get infected.

Could someone please post the IP ranges, that Tesla Crypt uses ?

 

And would it be safe for me to reboot with my LAN disabled so I can do a backup to external media ?

 

Tesla Crypt and Crypto Locker-like malware cannot lie in wait, to encrypt my external media, can it ?

It would be my recommendation to do a backup from a bootable linux distro rather than boot to safe mode or with lan disabled on the infected machine etc. I am not certain of the ip rangest Tesla Crypt is using.

 

Don't forget to scan that backup for virus related files before moving any data back into production.

Edited by zingo156, 13 March 2015 - 07:51 AM.

Could someone please post the IP ranges, that Tesla Crypt uses ?

The only non-tor IP address that is under the malware devs control is 50.7.138.132.
 
It also performs lookups on the following legit urls:
 
bitcoin.toshi.io
blockchain.info/address/%s
ipinfo.io/ip
 

And would it be safe for me to reboot with my LAN disabled so I can do a backup to external media ?

I don't see an issue.
 

Tesla Crypt and Crypto Locker-like malware cannot lie in wait, to encrypt my external media, can it ?

 
No, this does not hibernate and attack later. Once installed it goes for your files.

We had a client get this on her computer 3 days ago. We have dealt with Cryptolocker and Cryptowall. We have been fairly successfully using backups from shadow copies and Backup Exec. This last client got Teslacrypt on an administrators computer and she logged into her computer with her domain admin rights. This gave the virus full access to all shares and all shadow copies. Backup Exec has been failed since December. The client has now lost all of their documents form this year. Two questions, 1. Has anyone been able to successfully decrypt these .ecc files. 2. Has anyone successfully paid the ransom. 

No way to decrypt for free unfortunately and we have had no reports of anyone paying the ransom yet. Overall, this is not a widespread ransomware compared to ones like CTB-Locker (Critroni), CryptoWall, and TorrentLocker. So we dont have as much feedback as of yet.

The game targeting is the "sensationlism" of this ransomware, even though people forget that their normal data is still getting trashed too. That's the bigger disaster..not the game files.

Any indication whether browsing the web as a non-admin user could help prevent TeslaCrypt and other such ransomware from doing any harm?

Any indication whether browsing the web as a non-admin user could help prevent TeslaCrypt and other such ransomware from doing any harm?

 

This type of ransomware will work on non-admin accounts and will encrypt all the files target by the malware that are accessible to that user.

When the malware is running only using an account without Administrator privileges, I will say the changes of recovery data are bigger because in that case the malware will fail running the vssadmin command used to delete the Windows Shadow Copies.