Emerging Threat on RANSOM_CRYPTESLA

    • Updated: 3 May 2016
    • Product/Version:
        • Deep Discovery Inspector 3.6
        • Deep Discovery Inspector 3.7
        • Deep Discovery Inspector 3.8
        • Deep Security 8.0
        • Deep Security 9.0
        • Deep Security 9.5
        • Deep Security 9.6
        • OfficeScan 10.6
        • OfficeScan 11.0
        • ScanMail for Exchange 10.2
        • ScanMail for Exchange 11.0
        • ScanMail for Exchange 12.0
        • ScanMail for IBM Domino 5.6 Linux
        • ScanMail for IBM Domino 5.6 Windows
    • Platform: N/A
Summary
TESLACRYPT, detected as Ransom_CRYPTESLA, appeared at the start of 2015. It was initially a clone of CryptoLocker (Ransom_CRILOCK): its ransom message copied CryptoLocker's, while the encryption itself used elliptic curve cryptography. It later moved on to use CryptoWall's (Ransom_CRYPWALL) template.

A unique feature of this ransomware is its support for encrypting gaming-related files. A few examples are games like Minecraft, Starcraft II, and World of Warcraft.

Initially, TeslaCrypt left important files (key.dat, storage.bin) on the user's machine, and these could enable the user to decrypt the ransomware-encrypted files. In December 2015, a decryption utility was made public that recovered files by generating the decryption key from an encrypted file. This worked for TeslaCrypt 2.2.0 and below. However, a new version (3.0.0) surfaced in January 2016 that closed this workaround.

Currently, TeslaCrypt 3.0.0 appends the following extensions to the encrypted files: *.xxx, *.ttt, *.micro, *.mp3.
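The extensions listed above and the leftover key files named earlier are the two host-side artefacts this advisory gives a responder to look for. The following Python script is an added triage example, not code from Trend Micro or from this advisory: it walks a directory tree, flags files that end in one of the appended extensions, and reports any key.dat or storage.bin it finds. The rule that an encrypted file keeps its original extension in front of the appended one (report.docx.micro), and the sample file names built in demo(), are assumptions made for the example.

```python
"""Added triage example (not Trend Micro code): walk a directory tree and flag
files that carry the extensions TeslaCrypt 3.0.0 appends to encrypted files
(.xxx, .ttt, .micro, .mp3) or that match the key files (key.dat, storage.bin)
that older TeslaCrypt builds left on the victim machine."""
import os
import tempfile
from collections import defaultdict
from pathlib import PurePath

# Values taken from the advisory text.
APPENDED_EXTENSIONS = {".xxx", ".ttt", ".micro", ".mp3"}
LEFTOVER_KEY_FILES = {"key.dat", "storage.bin"}

# Assumption made for this example: because TeslaCrypt appends its extension,
# an encrypted document keeps its original extension in front of it
# (report.docx.micro). Requiring that inner extension keeps ordinary audio
# files (song.mp3) out of the results; the cost is that a file that never had
# an extension would be missed, and a name with extra dots (my.song.mp3) is
# flagged and needs a manual look.


def classify(path):
    """Return 'key-material', 'encrypted-candidate' or None for one file name."""
    base = os.path.basename(path).lower()
    if base in LEFTOVER_KEY_FILES:
        return "key-material"
    suffixes = PurePath(base).suffixes
    if len(suffixes) >= 2 and suffixes[-1] in APPENDED_EXTENSIONS:
        return "encrypted-candidate"
    return None


def scan_tree(root):
    """Walk root and group matching file paths by classification."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            label = classify(name)
            if label:
                hits[label].append(os.path.join(dirpath, name))
    return dict(hits)


def count_by_extension(paths):
    """Tally the appended extensions seen; the mix hints at which variant ran."""
    counts = defaultdict(int)
    for p in paths:
        counts[PurePath(p).suffix.lower()] += 1
    return dict(counts)


def demo():
    """Build a constructed sample tree, scan it, and return the hit counts."""
    sample = [  # constructed file names, not from any real incident
        "Documents/report.docx.micro",
        "Documents/budget.xlsx.xxx",
        "Pictures/holiday.jpg.ttt",
        "Music/song.mp3",               # legitimate audio, must not be flagged
        "Music/demo.wav.mp3",           # appended extension over a media file
        "AppData/Roaming/key.dat",
        "AppData/Roaming/storage.bin",
        "Documents/notes.txt",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"placeholder")
        hits = scan_tree(root)
    encrypted = hits.get("encrypted-candidate", [])
    return {
        "encrypted": len(encrypted),
        "key_material": len(hits.get("key-material", [])),
        "extensions": count_by_extension(encrypted),
    }


if __name__ == "__main__":
    # Point scan_tree() at a mounted image or user profile for real triage.
    print(demo())
```

On a live host, run scan_tree() against the user profile or a mounted disk image rather than the constructed tree; the per-extension tally in count_by_extension() is useful because a mix of .xxx/.ttt/.micro/.mp3 names is consistent with the 3.0.0 line described above, which matters when deciding whether the December 2015 decryption utility still applies.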

TESLACRYPT

Antispam Pattern

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
EXPOSURE | Spam mail with JS or DOC attachment | AS 2166 | 3/1/2016

VSAPI Pattern (Malicious File Detection)

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
INFECTION | TROJ_CRYPTESLA.SM | OPR 11.667.00 | 5/13/2016
INFECTION | Ransom_CRYPTESLA.SMC | OPR 12.365.00 | 2/25/2016
INFECTION | Ransom_CRYPTESLA.SMJ6 | OPR 12.363.00 | 2/24/2016
INFECTION | Ransom_CRYPTESLA.SMJ5 | OPR 12.359.00 | 2/22/2016
INFECTION | Ransom_CRYPTESLA.SMA5 | OPR 12.345.00 | 2/15/2016
INFECTION | Ransom_CRYPTESLA.SMJ3 | OPR 12.335.00 | 2/10/2016
INFECTION | Ransom_CRYPTESLA.SMJ4 | OPR 12.335.00 | 2/10/2016
INFECTION | Ransom_CRYPTESLA.SMJ2 | OPR 12.317.00 | 2/5/2016
INFECTION | Ransom_CRYPTESLA.SMA4 | OPR 12.315.00 | 2/3/2016
INFECTION | Ransom_CRYPTESLA.SMKL | OPR 12.311.00 | 2/1/2016
INFECTION | Ransom_HPCRYPTESLA.SM | OPR 12.311.00 | 2/1/2016
INFECTION | Ransom_CRYPTESLA.SMJ1 | OPR 12.305.00 | 1/29/2016
INFECTION | Ransom_CRYPTESLA.SMA2 | OPR 12.287.00 | 1/21/2016
INFECTION | Ransom_HPCRYPTESLA.SMD | OPR 12.281.00 | 1/18/2016
INFECTION | Ransom_CRYPTESLA.SMA3 | OPR 12.255.00 | 1/5/2016
INFECTION | Ransom_CRYPTESLA.SMA1 | OPR 12.253.00 | 1/4/2016
INFECTION | Ransom_CRYPTESLA.SMA0 | OPR 12.241.00 | 12/29/2015
INFECTION | Ransom_CRYPTESLA.SMB | OPR 12.231.00 | 12/24/2015
INFECTION | Ransom_CRYPTESLA.SMA | OPR 12.229.00 | 12/23/2015
INFECTION | Ransom_CRYPTESLA.SM1 | OPR 12.213.00 | 12/15/2015
INFECTION | Ransom_CRYPTESLA.SM0 | OPR 12.205.00 | 12/11/2015
INFECTION | Ransom_CRYPTESLA.SMM | OPR 12.199.00 | 12/8/2015
INFECTION | Ransom_CRYPTESLA.SM | OPR 12.189.00 | 12/3/2015
INFECTION | TROJ_CRYPTESLA.SMB | OPR 11.693.00 | 5/26/2015
INFECTION | TROJ_CRYPTESLA.SM3 | OPR 11.691.00 | 5/25/2015
INFECTION | TROJ_CRYPTESLA.SMA | OPR 11.683.00 | 5/21/2015
INFECTION | TROJ_CRYPTESLA.SM2 | OPR 11.671.00 | 5/15/2015
INFECTION | TROJ_CRYPTESLA.SM1 | OPR 11.665.00 | 5/12/2015

WRS Pattern (Malicious URL and Classification)

LAYER | URL | CATEGORY | BLOCKING DATE
CLEAN-UP | dawnlogistics{blocked}.com/wp-cont/themes/sketch/dbsys.php | Disease Vector | 1/13/2016
CLEAN-UP | yavuzturk{blocked}.com/wp-includes/dbsys.php | Disease Vector | 1/13/2016
CLEAN-UP | elle-ectric{blocked}.com/wp-cont/themes/sketch/dbsys.php | Disease Vector | 1/13/2016
CLEAN-UP | f1autobody{blocked}.com/wp-cont/themes/sketch/dbsys.php | Disease Vector | 1/13/2016
CLEAN-UP | nicasitios{blocked}.com/dbsys.php | Disease Vector | 1/13/2016
CLEAN-UP | tactiva{blocked}.org/installation1/view/database/dbconnect.php | Disease Vector | 2/3/2016
CLEAN-UP | westhollywooddaloffice{blocked}.com/dbconnect.php | Disease Vector | 2/3/2016
CLEAN-UP | {blocked}198.1.95.93/~deveconomytravel/cache/binstr.php | Disease Vector | 4/7/2016
CLEAN-UP | kel52{blocked}.com/wp-cont/plugins/ajax-admin/binstr.php | Disease Vector | 3/15/2016
INFECTION | 46.151.52.231/87{blocked}.exe?1 | Disease Vector | 3/2/2016
INFECTION | firstwetakemanhat{blocked}.com/91.exe?1 | Disease Vector | 12/30/2015
INFECTION | 46.151.52.196/86{blocked}.exe?1 | Disease Vector | 12/25/2015
INFECTION | 46.151.52.197/85{blocked}.exe?1 | Disease Vector | 3/2/2016
INFECTION | 91.224.161.116 /clv002/f32{blocked}.bin | Disease Vector | 2/5/2016
INFECTION | arendroukysdqq{blocked}.com/25.exe | Disease Vector | 3/2/2016
INFECTION | arendroukysdqq{blocked}.com/80.exe | Disease Vector | 3/2/2016
INFECTION | arendroukysdqq{blocked}.com/85.exe | Disease Vector | 3/2/2016
INFECTION | arendroukysdqq{blocked}.com/90.exe | Disease Vector | 3/2/2016
INFECTION | artskorat{blocked}.com/html/images/69.exe | Disease Vector | 3/2/2016
INFECTION | belablebil{blocked}.com/51.exe?1 | Disease Vector | 2/15/2016
INFECTION | belablebi{blocked}l.com/80.exe?1 | Disease Vector | 2/13/2016
INFECTION | belableqq{blocked}. com/80.exe?1 | Disease Vector | 3/2/2016
INFECTION | belableqq{blocked}.com/51.exe?1 | Disease Vector | 2/15/2016
INFECTION | belableqq{blocked}.com/80.exe?1 | Disease Vector | 3/2/2016
INFECTION | fernytowd{blocked}. com/69.exe?1 | Disease Vector | 3/2/2016
INFECTION | fernytowd{blocked}. com/90.exe?1 | Disease Vector | 3/2/2016
INFECTION | fernytowd{blocked}.com/69.exe?1 | Disease Vector | 3/2/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
CLEAN-UP | 1922F | OPR 1523 | 3/15/2016
CLEAN-UP | 1970T | OPR 1533 | 4/12/2016
CLEAN-UP | 1970F | OPR 1527 | 3/29/2016
CLEAN-UP | 1971T | OPR 1533 | 4/12/2016
CLEAN-UP | 1971F | OPR 1527 | 3/29/2016
CLEAN-UP | 1972T | OPR 1533 | 4/12/2016
CLEAN-UP | 1972F | OPR 1527 | 3/29/2016
CLEAN-UP | 1973T | OPR 1533 | 4/12/2016
CLEAN-UP | 1973F | OPR 1529 | 4/5/2016
CLEAN-UP | 1977F | OPR 1535 | 4/19/2016
CLEAN-UP | 1977T | OPR 1537 | 4/26/2016

DCT Pattern (System Clean Pattern)

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
CLEAN-UP | TSC_GENCLEAN | LATEST DCT OPR | BUILT-IN

Network Pattern

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
CLEAN-UP | HTTP_RANSOM_CRYPTESLA_RESPONSE | RR 1.10139.00 | 1/5/2016
CLEAN-UP | HTTP_RANSOM_CRYPTESLA_REQUEST-4 | RR 1.10151.00 | 3/15/2016
CLEAN-UP | HTTP_RANSOM_CRYPTESLA_REQUEST-5 | RR 1.10151.00 | 3/15/2016

Make sure to always use the latest available pattern to detect old and new variants of Ransom_CRYPTESLA.

Solution Map

Columns: Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern

Products and versions covered:
    • OfficeScan: 10.6 and above
    • Worry-Free Business Suite: Standard; Advanced/MSA; Services
    • Hosted Email Security
    • Deep Security: 8.0 and above
    • ScanMail: SMEX 10 and later; SMD 5 and later
    • InterScan Messaging: IMSVA 8.0 and above
    • InterScan Web: IWSVA 6.0 and later
    • Deep Discovery: DDI 3.0 and later

Each layer cell in the map reads "Update Pattern via web console", "Enable Web Reputation Service*" (OfficeScan), or "N/A".
*Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Additional Remarks

  • For OfficeScan

    There have been reports of a CRYPTESLA variant running from a UNC path. A hot fix has been released to detect this behavior. Please contact Trend Micro Technical Support to request OfficeScan 11.0 SP1 Hotfix Build 4828.

  • For Worry-Free Business Suite (WFBS)

    Please ensure that WFBS is updated with the latest service pack release, WFBS 9 SP3. You may download it here.

Category: Configure; Troubleshoot; Remove a Malware / Virus; Update
Solution Id: 1113900