A new ransomware family is going after online gamers and is said to be targeting over 40 games. Ransomware is malware that targets user files on infected computers. Once the files are encrypted, the criminals controlling the malware demand payment for the private key that can decrypt the victim's files. The common practice is that after a pre-set deadline the attackers destroy the decryption key.
The malware was first reported by Bleeping Computer, a technical support forum with a large user community. Bleeping Computer named the malware TeslaCrypt and credits Fabian Wosar of Emsisoft with discovering it. Bleeping Computer also published a step-by-step guide and comprehensive FAQ on TeslaCrypt and on what to do if you have been hit.
Meanwhile, security firm Bromium Labs issued a report on the threat, characterizing it as a new variant of CryptoLocker. Dell SecureWorks also published its own TeslaCrypt ransomware analysis.
TeslaCrypt has been targeting files associated with the following games and platforms:
Single user games
- Call of Duty
- StarCraft 2
- Fallout 3
- Half-Life 2
- Dragon Age: Origins
- The Elder Scrolls and specifically Skyrim related files
- Star Wars: Knights of the Old Republic
- WarCraft 3
- Saints Row 2
- Metro 2033
- Assassin’s Creed
- Resident Evil 4
- Bioshock 2
- World of Warcraft
- Day Z
- League of Legends
- World of Tanks
Company specific files
- Various EA Sports games
- Various Valve games
- Various Bethesda games
Game development software
- RPG Maker
- Unreal Engine
Once on your machine, TeslaCrypt starts looking for particular file types (it can target 185 file extensions). It is the first ransomware known to target so many game-related files.
This is a departure from earlier schemes, which mostly went after documents, photos, videos and similar files on the victim's machine. TeslaCrypt uses AES encryption to keep gamers from accessing their game-related files without the decryption key.
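As an added example (not code from the article or from Bleeping Computer, Bromium Labs, Dell SecureWorks or Kaspersky), here is a defender-side check in Python that flags files whose contents have turned into near-uniform ciphertext, which is the trace that in-place AES encryption leaves on otherwise highly structured game saves and configs. The watched extensions, the entropy threshold and the sample files are assumptions constructed for the example; the article says TeslaCrypt targets 185 extensions but does not list them.

```python
# Added example (not from the article or any vendor named in it): a
# defender-side check that flags files which suddenly look like ciphertext.
# Ransomware such as TeslaCrypt rewrites files in place with AES, so the
# byte distribution of an affected save becomes near-uniform, while real
# game saves and configs are structured and compress well.
import math
import os
import tempfile
from collections import Counter
from typing import List

# Assumption: a small set of extensions standing in for the 185 the article
# mentions but does not enumerate. Extend this to match your own inventory.
WATCHED_EXTENSIONS = {".sav", ".profile", ".cfg", ".dat"}

# Bits of entropy per byte above which a file is treated as ciphertext.
# Structured saves typically score 3-6; AES output scores about 7.9-8.0.
ENTROPY_THRESHOLD = 7.5
MIN_SIZE = 256  # tiny files give noisy entropy estimates; skip them


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when a file body is large enough to judge and near-uniform."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def watched_files(root: str) -> List[str]:
    """All files under root whose extension is on the watch list."""
    return [
        os.path.join(dirpath, name)
        for dirpath, _dirs, names in os.walk(root)
        for name in names
        if os.path.splitext(name)[1].lower() in WATCHED_EXTENSIONS
    ]


def scan_directory(root: str) -> List[str]:
    """Return paths of watched files under root whose contents look encrypted."""
    flagged = []
    for path in watched_files(root):
        with open(path, "rb") as fh:
            if looks_encrypted(fh.read()):
                flagged.append(path)
    return flagged


def encrypted_fraction(root: str) -> float:
    """Share of watched files that look encrypted; a sudden jump is the alert."""
    watched = watched_files(root)
    if not watched:
        return 0.0
    return len(scan_directory(root)) / len(watched)


def demo() -> List[str]:
    """Build a constructed save directory and return the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed plaintext save: repetitive key=value lines, low entropy.
        with open(os.path.join(root, "plain.sav"), "wb") as fh:
            fh.write(b"[Player]\nlevel=12\nhp=100\nmap=ironforge\n" * 64)
        # Constructed stand-in for an AES-encrypted save: random bytes share
        # the near-uniform distribution of ciphertext, so no cipher is needed.
        with open(os.path.join(root, "cipher.sav"), "wb") as fh:
            fh.write(os.urandom(8192))
        # Unwatched extension: ignored even though its bytes are random.
        with open(os.path.join(root, "texture.bin"), "wb") as fh:
            fh.write(os.urandom(8192))
        return sorted(os.path.basename(p) for p in scan_directory(root))


if __name__ == "__main__":
    print(demo())  # ['cipher.sav']
```

Run as a script it reports only the constructed ciphertext save. In practice you would run `encrypted_fraction` against a known-good baseline of the save directory on a schedule; a single high-entropy file is normal (compressed assets score high too, which is why the watch list matters), while the fraction jumping from near zero to most of the directory within minutes is the pattern worth alerting on.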
TeslaCrypt is being spread by criminals through the Angler Exploit Kit. Exploit kits are pre-built software packages for compromising computers: they are loaded with exploits for common security vulnerabilities and, much like a SaaS business, attackers pay licensing fees for access to them.
After a system is infected, the malware changes the desktop background to a notification that the victim's files have been encrypted.
The message contains guidelines on how and where users can buy the private key to decrypt their files. The key will cost $500 if the victims want to pay with Bitcoin and about $1000 if they want to pay via a PayPal My Cash card.
Part of this process involves downloading the Tor Browser Bundle. Interestingly, there is a hidden-service site where infected users can get tech support from the malware authors on how to make a payment, after which the files are decrypted. The warning also comes with a deadline, after which the private key is destroyed and the files become impossible to recover.
The warning screen resembles that of the infamous CryptoLocker ransomware. Bromium Labs has identified technical similarities between the two families, but they are negligible (only about 8% of the code). TeslaCrypt is nonetheless trading on CryptoLocker's brand.
The best way to defend against ransomware like this is by regularly performing backups.
Another way to protect against the TeslaCrypt threat is to use solid anti-virus software. For example, Kaspersky Internet Security and Kaspersky Total Security include a feature called System Watcher that is specifically designed to protect you from cryptoware.
Remember that exploit kits offer attackers an easy avenue for loading malware onto victims' machines. For many years BlackHole was the premier exploit kit, but it fell out of favor after its author stopped developing it and was later arrested in Russia. Since then Angler has been trying to fill the void: it consistently integrates the newest zero-days while also exploiting the latest known vulnerabilities.
On your end, you need to install OS, application and browser updates. The good news is that most of the vulnerabilities exploit kits target have already been identified and security patches are available for them.
Like it or not, crypto ransomware is here to stay, and the bad news is that most of us do not take the time to back up our computers. Furthermore, we become more exposed to attack as we connect more and more things to the internet. Luckily, the big security vendors keep developing new tools to help users avoid walking into an attacker's trap.