What do developers do after discovering a software vulnerability? Why, patch it, of course. Ironically, criminals have learned that lesson too, as one gang has updated the notorious TeslaCrypt ransomware with new features that are impossible to crack, according to Cisco’s Talos security arm. That means user infected with the latest version (3.01) of the malware can no longer use white hat-engineered software to get their files back. Until someone finds a new solution — and that seems unlikely — victims will have to pay.
Companies like Kaspersky and Cisco’s Talos have reverse-engineered various pieces of ransomware, helping corporate clients and anyone else rescue files without paying. The security community has also developed better detection and distribution disruption methods for the scourge. According to Talos, “this has lead adversaries to iterating and improving upon the previous release of TeslaCrypt.”
We can not say it loud and often enough, ransomware has become the black plague of the internet, spread by highly sophisticated exploit kits and countless spam campaigns.
Previously, it stored the private key needed to unlock files on your own machine. However, after generating the key locally, TeslaCrypt 3.01 transfers it to the bad guy’s server and deletes it from your PC. As a result, “the private key never has to leave the [attacker’s] server and the ransomware uses a different key for each victim,” according to Talos. With the 256-bit key nowhere to be found and impossible to brute force, the only way you can get your files is to pay.
“We can not say it loud and often enough, ransomware has become the black plague of the internet, spread by highly sophisticated exploit kits and countless spam campaigns,” Talos says. Attackers are going after bigger targets that can afford to pay more, with potentially catastrophic consequences, as we saw at a Hollywood hospital. The best defense is to back up your files, but even that might not help. The FBI recently said that “in a new scheme, cyber criminals attempt to infect whole networks with ransomware and use persistent access to locate and delete network backups.”