TeslaCrypt Analysis

Ransomware can be delivered in an email sent directly to an unsuspecting recipient, or as a drive-by download from a compromised website via an exploit kit. An exploit kit fingerprints the visitor's browser and plugins to check whether the system is unpatched. Flash has been the most common vulnerability used for malware delivery for some time. If the browser is not patched to the latest version, the visitor is redirected to a second site, referred to as a gate, and finally to a malware site where the file is served.
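The landing page, gate, and malware site chain described above leaves a trail in proxy logs: each hop carries a Referer pointing at the previous one, and the whole thing happens in seconds. The script below is an added example (my own, not from the original post or its pcap) that walks Referer headers backwards from any executable download and reports chains that crossed several hosts in a short window. The log format, host names, and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log for the example (not from the post's pcap).
# Fields: timestamp client host path referer content-type ("-" = no referer)
SAMPLE_PROXY_LOG = """\
2015-05-12T10:00:01 10.0.0.5 news.example.com /story.html - text/html
2015-05-12T10:00:02 10.0.0.5 ads.example.net /banner.js http://news.example.com/story.html application/javascript
2015-05-12T10:00:03 10.0.0.5 gate.example.org /r.php?id=7 http://news.example.com/story.html text/html
2015-05-12T10:00:04 10.0.0.5 lp.example.xyz /index.php http://gate.example.org/r.php?id=7 text/html
2015-05-12T10:00:05 10.0.0.5 lp.example.xyz /flash.swf http://lp.example.xyz/index.php application/x-shockwave-flash
2015-05-12T10:00:06 10.0.0.5 lp.example.xyz /get.php?k=3 http://lp.example.xyz/index.php application/octet-stream
2015-05-12T10:05:00 10.0.0.9 docs.example.com /guide.pdf - application/pdf
"""

# Content types that usually mean "an executable came down"
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}

def parse_proxy_log(text):
    """Turn the space-separated log into one dict per request."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, referer, ctype = line.split(" ", 5)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "host": host,
            "url": f"http://{host}{path}",
            "referer": None if referer == "-" else referer,
            "ctype": ctype,
        })
    return records

def find_drive_by_chains(records, min_hosts=3, window_seconds=60):
    """For every executable download, walk the Referer headers back to the first page
    and report chains that crossed at least min_hosts sites within window_seconds."""
    by_url = defaultdict(dict)          # client -> url -> record
    for r in records:
        by_url[r["client"]][r["url"]] = r
    chains = []
    for r in records:
        if r["ctype"] not in PAYLOAD_TYPES:
            continue
        chain, cur = [r], r
        while cur["referer"] in by_url[cur["client"]] and len(chain) < 10:
            cur = by_url[cur["client"]][cur["referer"]]
            chain.append(cur)
        chain.reverse()                 # oldest first: landing page -> gate -> payload
        hosts = []
        for rec in chain:
            if not hosts or hosts[-1] != rec["host"]:
                hosts.append(rec["host"])
        elapsed = (chain[-1]["ts"] - chain[0]["ts"]).total_seconds()
        if len(hosts) >= min_hosts and elapsed <= window_seconds:
            chains.append({"client": r["client"], "hosts": hosts,
                           "seconds": elapsed, "payload": r["url"]})
    return chains

if __name__ == "__main__":
    for c in find_drive_by_chains(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(f"{c['client']}: {' -> '.join(c['hosts'])} ({c['seconds']:.0f}s) dropped {c['payload']}")
```

On the constructed log this reports one chain for 10.0.0.5 (news site, gate, landing page, payload in five seconds) and nothing for the PDF download. The host-count threshold and time window are the knobs to tune against your own proxy data; legitimate CDN redirects rarely chain three distinct sites into an executable download that quickly.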

Detonation of the malware executable

http-pcap

POST activity after detonation of the malware executable

Persistence is established by adding an entry to the Run registry key, a common technique malware authors use to make sure the malware is relaunched at every logon and isn't simply removed by antivirus.

Regedit-presistance

Persistence is established
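The Run key is the first place to look after an infection like this, and a regedit export of it is something you can audit offline. The script below is an added example (mine, not from the post) that parses a .reg export of HKCU\...\CurrentVersion\Run and flags entries that launch from user-writable folders, carry a machine-generated-looking name, or use a Windows system binary name outside System32. The export text and value names are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a regedit (.reg) export of the per-user Run key.
# These entries are made up for the example; they are not from the post's screenshot.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"qwlkjvx"="C:\\Users\\alice\\AppData\\Roaming\\qwlkjvx.exe"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text):
    """Return (key, value_name, string_data) for each REG_SZ value in the export."""
    entries, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, unescape(m.group(1)), unescape(m.group(2))))
    return entries

def extract_exe(command):
    """Pull the program path out of a Run value: quoted path, else the first token
    (unquoted paths containing spaces are ambiguous; first token is a best effort)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]

def looks_random(name):
    """Crude check for names like 'qwlkjvx': six or more letters, almost no vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.2

def audit_run_entries(reg_text):
    """Flag Run/RunOnce values whose program lives in a user-writable directory,
    carries a random-looking value name, or masquerades as a Windows system binary."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            continue
        exe = extract_exe(data)
        parts = [p.lower().strip("\\") for p in PureWindowsPath(exe).parts]
        reasons = []
        if ("temp" in parts or "tmp" in parts or "programdata" in parts or "public" in parts
                or ("appdata" in parts and "roaming" in parts)):
            reasons.append("program runs from a user-writable directory: " + exe)
        if looks_random(name):
            reasons.append("value name looks machine-generated: " + name)
        if parts and parts[-1] in SYSTEM_BINARIES and not {"system32", "syswow64"} & set(parts):
            reasons.append("system binary name outside System32: " + exe)
        if reasons:
            findings.append({"name": name, "exe": exe, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_REG_EXPORT):
        print(f"[{f['name']}] {f['exe']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Export the key with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` on the suspect machine and feed the file to `audit_run_entries`. On the constructed export it passes the OneDrive entry and flags the other two; the heuristics are deliberately simple, so treat hits as a shortlist for a human to check, not a verdict.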

Once a machine is infected with ransomware, the decryption instructions are dropped in every directory. The instructions are as helpful and as kindly as can be, explaining how they are protecting your files. Victims typically have 48 hours to pay the ransom or lose their files.

HELP

Instructions 
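A note dropped byte-for-byte identically into every folder is itself a strong signal. The script below is an added example (mine, not from the post) that walks a directory tree, hashes small files, and reports any filename whose identical content shows up in several directories. It builds its own throwaway sample tree with a constructed note text and filenames so it runs anywhere; point `find_replicated_files` at a real user profile to use it for detection.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict

def find_replicated_files(root, min_dirs=3, max_size=64 * 1024):
    """Return {(filename, sha256): [directories]} for small files whose byte-identical
    copy appears in at least min_dirs directories under root."""
    seen = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                if os.path.getsize(full) > max_size:   # ransom notes are small; skip big files
                    continue
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue                               # unreadable or vanished; keep going
            seen[(name, digest)].append(dirpath)
    return {key: dirs for key, dirs in seen.items() if len(dirs) >= min_dirs}

def build_sample_tree():
    """Constructed user profile: one identical note per folder, a few encrypted-looking
    files with differing contents, and one ordinary text file. Not taken from the post."""
    root = tempfile.mkdtemp(prefix="note_scan_")
    note = b"Your files have been encrypted. Follow the instructions within 48 hours.\n"
    for sub in ("Documents", os.path.join("Documents", "Taxes"), "Pictures", "Desktop"):
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "HELP_RESTORE_FILES.txt"), "wb") as fh:
            fh.write(note)
        with open(os.path.join(folder, "report.docx.encrypted"), "wb") as fh:
            fh.write(os.urandom(32))                   # different ciphertext in each folder
    with open(os.path.join(root, "Documents", "readme.txt"), "wb") as fh:
        fh.write(b"just a note\n")
    return root

def scan_sample():
    """Build the sample tree, scan it, clean up, and return [(filename, dir_count), ...]."""
    root = build_sample_tree()
    try:
        hits = find_replicated_files(root)
        return sorted((name, len(dirs)) for (name, _digest), dirs in hits.items())
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for name, count in scan_sample():
        print(f"{name!r} dropped identically in {count} directories")
```

The encrypted-looking files share a name across folders but not content, so they are not grouped; only the note is. Hashing on content rather than name alone keeps templated but legitimate files such as per-project READMEs from tripping the check unless they really are identical everywhere.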

Recommendations

This is easy to avoid.

  • Update your web browser.
  • Back up your files. If you have a backup, it doesn't matter if your files get encrypted.
  • Don't pay. Ransomware is becoming very popular because so many of the victims are paying.
  • Detach your external storage device. The malware will encrypt all files on the PC as well as on any network drive or external storage the PC is attached to.

Reference

TeslaCrypt_Malware

HELP.png

The malware file is password protected with the usual password. If you don't know it, email me at admin@packetreport.com
