TeslaCrypt ransomware alert: watch out for bogus email invoices


Common criminals are putting out feelers to take a share of Christmas budgets this year, Norton antivirus maker Symantec has warned.

A network of criminals using the TeslaCrypt file-encrypting ransomware has cranked up attacks targeting inboxes at the height of the Christmas shopping period.

TeslaCrypt emerged early this year as one more variant of ransomware that encrypts victims’ files and demands around $300 to unlock them. It initially targeted only PC gamers, but newer variants also scoured infected systems for files specific to financial and tax software, suggesting it was keen on extorting businesses as well as consumers.

According to Symantec’s security response team, the attackers are sending out “massive volumes of spam emails seeded with the malware”, using a variety of subject-line lures to get people to open the messages and dressing up the attachments as invoices or documents. Seasoned computer users might not be as prone to falling for the tricks, but they may have family members who are.

The attachment itself is actually downloader software used to install the malware.

“The attachment may have a file extension of .zip or may have no file extension at all. Although disguised as a legitimate document, the attachment is, in fact, a JavaScript file containing heavily obfuscated malicious code intended to evade antivirus scanners. This attached file is detected by Symantec as JS.Downloader,” said Symantec.

“Should the recipient open this attachment, it will download and install TeslaCrypt on their computer.”
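An added example, not from the original article or from Symantec: a mail-triage check for the lure described above, flagging attachments that are zip archives holding a script or extensionless files whose content reads as JavaScript. The extension list, the token heuristic and all function names are assumptions made for illustration, and the sample message is constructed with harmless content.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: script types worth flagging; the article itself only names JavaScript.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")
JS_TOKENS = (b"function", b"eval(", b"var ", b"ActiveXObject", b"WScript")

def looks_like_script(data: bytes) -> bool:
    """Heuristic: no NUL bytes and at least two JavaScript tokens in the first 4 KiB."""
    head = data[:4096]
    if b"\x00" in head:
        return False
    return sum(tok in head for tok in JS_TOKENS) >= 2

def triage(raw_eml: bytes) -> list:
    """Return (filename, reason) for each attachment matching the described lure."""
    findings = []
    msg = message_from_bytes(raw_eml, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if data[:2] == b"PK":  # zip magic bytes, whatever the file name claims
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits = [m for m in zf.namelist() if m.lower().endswith(SCRIPT_EXTS)]
                findings += [(name, "zip contains script " + m) for m in hits]
            except zipfile.BadZipFile:
                findings.append((name, "malformed zip"))
        elif ext in SCRIPT_EXTS:
            findings.append((name, "script attachment"))
        elif not ext and looks_like_script(data):
            findings.append((name, "extensionless file with script content"))
    return findings

def build_sample() -> bytes:
    """Constructed test message with harmless attachments; not a real sample."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_scan.js", "var a = 1;")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"var x = function () { return 1; };", maintype="application", subtype="octet-stream", filename="invoice_copy")
    msg.add_attachment(b"%PDF-1.4 plain report", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```

Calling `triage(build_sample())` flags the zip and the extensionless file and leaves the PDF alone; the token heuristic is a coarse filter for quarantine decisions, not a replacement for antivirus scanning.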

There have been several iterations of TeslaCrypt, and the latest version, TeslaCrypt 2.2, will encrypt the user’s files and append a .VVV extension to their file names.


“The file extension used changes regularly. For example, the previous TeslaCrypt version (2.1) used a file extension of .CCC,” it noted.

TeslaCrypt 2.2 was released on November 13, according to a user of Bleeping Computer, a computing-focussed forum that has reported extensively on file-encrypting malware.

Microsoft, which operates the world’s most widely used anti-malware platform, reported a surge in detections in August based on its telemetry data, prompting it to add TeslaCrypt to its malicious software removal tool (MSRT) in October.

As with the current outbreak, detections dropped off after the initial spike, but remained higher than pre-spike levels.


Danish security firm Heimdal on Friday reported it had also seen a “considerable increase in TeslaCrypt infections” in the past week targeting companies in Northern Europe.

Symantec’s TeslaCrypt report corroborates Heimdal’s assertion that the main attack vector in the most recent outbreak is spam. Heimdal said that encrypted files are renamed with the .vvv and .zzz extensions.

Heimdal recommended not paying the ransom if infected, backing up data in the cloud or on an external drive, and never downloading or opening .zip attachments in email from unknown senders.

As to who’s behind the attacks, that’s very hard to tell due to the fact the malware is available to be rented by anyone with criminal aspirations.

“TeslaCrypt is commodity malware and can be purchased on the underground black market. Attack groups pay TeslaCrypt’s authors for use of the platform and possibly also for access to various distribution channels, such as spam botnets or exploit kits. Because of this, it is difficult to identify any one perpetrator responsible,” Symantec noted.

Stories by Liam Tung
