Tweet
TeslaCrypt holds games hostage unless you pay $500 in Bitcoins.
By Sean Gallagher
If you're a gamer (or anyone else), this is not a screen you want to see. Bromium Labs
Crypto-based "ransomware" has become a lucrative business for cybercriminals. Since the arrival of CryptoLocker on the scene last year, a number of copycat malware packages have appeared to compete in the cyber-extortion market, encrypting victims' photos and other personal files with a key that will be destroyed if they don't contact the malware's operators and pay up. Recently, a new variant has emerged that seeks to raise the stakes with a particular class of victim by specifically seeking out files related to a number of popular PC games, as well as Valve's Steam gaming platform.
The malware, which is a variant of the crypt-ransomware called TeslaCrypt, superficially looks like CryptoLocker. But according to a number of security researchers who have analyzed the malware, it shares little code with CryptoLocker or its more well-known successor CryptoWall.
And while it will also will target photos and documents, as well as iTunes-related files, as Bromium security researcher Vadim Kotov noted in an analysis on Bromium Labs' blog, TeslaCrypt also includes code that specifically looks for files related to more than 40 specific PC games, gaming platforms, and game developer tools. The games include both single player and multiplayer games, though it isn't clear how targeting some of the multiplayer games would affect users other than requiring a re-install.
The games targeted include a mix of older and newer titles — for example, Blizzard's StarCraft II and WarCraft III real-time strategy games and its World of Warcraft online game are targeted. Also on TeslaCrypt's hit list: Bioshock 2, Call of Duty, DayZ, Diablo, Fallout 3, League of Legends, F.E.A.R, S.T.A.L.K.E.R, Minecraft, Metro 2033, Half-Life 2, Dragon Age: Origins, Resident Evil 4, World of Tanks, Metin 2, and The Elder Scrolls (specifically, Skyrim-related files), as well as Star Wars: The Knights Of The Old Republic.
There's also code that searches for files associated with games from specific companies that affect a wide range of titles, including a variety of games from EA Sports, Valve, and Bethesda, and Valve's Steam gaming platform. And the game development tools RPG Maker, Unity3D and Unreal Engine are targeted as well.
These files are all targeted by their file extension, Kotov reported. "Concretely these are user profile data, saved games, maps, mods, etc," he said. "Often it’s not possible to restore this kind of data even after re-installing a game via Steam." Ars has reached out to Valve for comment on what users can restore from online, but hasn't received a response.
Kotov also discovered the delivery vehicle for TeslaCrypt: a WordPress site that had been compromised by attackers, which was (and still is) redirecting site visitors to a page with a malicious Flash component served up by the Angler exploit kit — the heir apparent to Blackhole. The exploit Flash movie, hidden in an invisible banner, attacks Internet Explorer (up to IE 11) and Opera browsers with JavaScript that opens an IFRAME to the Angler exploit page. (Attempts to contact the owner of the site have gone unanswered, and the URL that serves up the Flash attack keeps changing.)
The ransomware "dropper" package performs a scan for a number of virtual machines (including Kaspersky Labs' sandbox, VMware, VirtualBox and Parallels) by checking for telltale driver files. Then it drops a pair of Internet Explorer Flash exploits to download and install the malware—identifying it as CryptoLocker. Like CryptoWall, it uses Tor to communicate with a command and control server, and gives the victim a link to a Tor "hidden service" site—either presented within the malware itself, or reachable through a Tor gateway URL.
And just as with CryptoWall, this TeslaCrypt variant's encryption scheme has yet to be cracked. Once files are encrypted, the only way to recover them at present is to pay the malware's masters. The variant analyzed by Kotov had Bitcoin code directly integrated into the malware to make it easier for victims to pay; other TeslaCrypt variants allow payments via PayPal MyCash cards, making it easier for victims unfamiliar with Bitcoin to pay up—though they may charge a premium for that option.
By Sean Gallagher
If you're a gamer (or anyone else), this is not a screen you want to see. Bromium Labs
Crypto-based "ransomware" has become a lucrative business for cybercriminals. Since the arrival of CryptoLocker on the scene last year, a number of copycat malware packages have appeared to compete in the cyber-extortion market, encrypting victims' photos and other personal files with a key that will be destroyed if they don't contact the malware's operators and pay up. Recently, a new variant has emerged that seeks to raise the stakes with a particular class of victim by specifically seeking out files related to a number of popular PC games, as well as Valve's Steam gaming platform.
The malware, which is a variant of the crypt-ransomware called TeslaCrypt, superficially looks like CryptoLocker. But according to a number of security researchers who have analyzed the malware, it shares little code with CryptoLocker or its more well-known successor CryptoWall.
And while it will also will target photos and documents, as well as iTunes-related files, as Bromium security researcher Vadim Kotov noted in an analysis on Bromium Labs' blog, TeslaCrypt also includes code that specifically looks for files related to more than 40 specific PC games, gaming platforms, and game developer tools. The games include both single player and multiplayer games, though it isn't clear how targeting some of the multiplayer games would affect users other than requiring a re-install.
The games targeted include a mix of older and newer titles — for example, Blizzard's StarCraft II and WarCraft III real-time strategy games and its World of Warcraft online game are targeted. Also on TeslaCrypt's hit list: Bioshock 2, Call of Duty, DayZ, Diablo, Fallout 3, League of Legends, F.E.A.R, S.T.A.L.K.E.R, Minecraft, Metro 2033, Half-Life 2, Dragon Age: Origins, Resident Evil 4, World of Tanks, Metin 2, and The Elder Scrolls (specifically, Skyrim-related files), as well as Star Wars: The Knights Of The Old Republic.
There's also code that searches for files associated with games from specific companies that affect a wide range of titles, including a variety of games from EA Sports, Valve, and Bethesda, and Valve's Steam gaming platform. And the game development tools RPG Maker, Unity3D and Unreal Engine are targeted as well.
These files are all targeted by their file extension, Kotov reported. "Concretely these are user profile data, saved games, maps, mods, etc," he said. "Often it’s not possible to restore this kind of data even after re-installing a game via Steam." Ars has reached out to Valve for comment on what users can restore from online, but hasn't received a response.
Kotov also discovered the delivery vehicle for TeslaCrypt: a WordPress site that had been compromised by attackers, which was (and still is) redirecting site visitors to a page with a malicious Flash component served up by the Angler exploit kit — the heir apparent to Blackhole. The exploit Flash movie, hidden in an invisible banner, attacks Internet Explorer (up to IE 11) and Opera browsers with JavaScript that opens an IFRAME to the Angler exploit page. (Attempts to contact the owner of the site have gone unanswered, and the URL that serves up the Flash attack keeps changing.)
The ransomware "dropper" package performs a scan for a number of virtual machines (including Kaspersky Labs' sandbox, VMware, VirtualBox and Parallels) by checking for telltale driver files. Then it drops a pair of Internet Explorer Flash exploits to download and install the malware—identifying it as CryptoLocker. Like CryptoWall, it uses Tor to communicate with a command and control server, and gives the victim a link to a Tor "hidden service" site—either presented within the malware itself, or reachable through a Tor gateway URL.
And just as with CryptoWall, this TeslaCrypt variant's encryption scheme has yet to be cracked. Once files are encrypted, the only way to recover them at present is to pay the malware's masters. The variant analyzed by Kotov had Bitcoin code directly integrated into the malware to make it easier for victims to pay; other TeslaCrypt variants allow payments via PayPal MyCash cards, making it easier for victims unfamiliar with Bitcoin to pay up—though they may charge a premium for that option.