White Paper
TeslaCrypt Uncovered – Thomas Roccia
Introduction
Cybercrime and malware are becoming increasingly complex in order to steal more money. We have recently seen an increase in ransomware cases. Ransomware is malware that holds your data hostage in exchange for a ransom. Early ransomware was not sophisticated and did not use encryption: access to the computer was simply blocked, but the data could be recovered. This type is referred to as “Locker Ransomware”. Attackers then improved their techniques with the use of encryption, giving rise to “Crypto Ransomware”. This kind of ransomware targets specific valuable data stored on the computer and encrypts it with a strong encryption algorithm, making it unusable without the decryption key.
A ransomware attack is very effective and allows attackers to steal a lot of money with minimal risk. Coupled with the development of anti-analysis techniques, the complexity of this malware keeps growing.
This paper presents a short analysis of TeslaCrypt v4, the latest release of this infamous ransomware.
TeslaCrypt Presentation
TeslaCrypt is a ransomware first released in February 2015. It finds and encrypts your data, then displays a message informing you that your data has been encrypted and is unusable unless you pay to obtain the decryption key.
The first releases of TeslaCrypt were not properly built. Because the encryption algorithm was not correctly implemented, security researchers were able to create decryption tools.
In November 2015, TeslaCrypt version 2 also had some issues, and the attackers released version 3 in January 2016 to correct them. With this version, the data was no longer recoverable.
Then, in March 2016, the latest version was released: version 4. With this version, encrypted files keep their original extension, and a new name is used for the recovery files.
This latest version does not allow files to be decrypted. TeslaCrypt is now stronger than ever.