New Member Of Teslacrypt Ransomware Family Surfaces

This week, learn about an OpenSSL vulnerability that allows attackers to access data on virtual servers, and about a new member of the TeslaCrypt ransomware family that is on the loose.

Malware

NEW MEMBER OF TESLACRYPT RANSOMWARE FAMILY SURFACES

Kaspersky Lab has detected curious behavior in a new threat from the TeslaCrypt ransomware encryptor family. Malware from the TeslaCrypt family is distributed using exploit kits such as Angler, Sweet Orange, and Nuclear.

This method of malware distribution works as follows: when a victim visits an infected website, the exploit kit's malicious code uses vulnerabilities in the browser, typically in its plugins, to install the malware on the victim's system.

Version 2.0 of the Trojan, which is notorious for infecting computer gamers, displays an HTML ransom page in the web browser that directly mimics the one used by CryptoWall 3.0.

When TeslaCrypt infects a new victim, it generates a unique Bitcoin address to receive the victim’s ransom payment and a secret key to withdraw it. Moreover, the secret key with which user files get encrypted is not saved on the hard drive, which makes the process of decrypting the user files significantly more complicated.

References: Kaspersky Blog | Net Security | Secure List

Mitigation Strategies:

Breach

EXTORTION THREAT TO VIRTUAL SERVERS FROM RUSSIAN GUARDIANS

Law enforcement partners informed CERT-UK of a number of incidents in which companies have had their virtual servers wiped and the contents held ransom by actors calling themselves the Russian Guardians.

It appears that the actors use a vulnerability in OpenSSL to gain access to virtual servers. VMware released an advisory confirming that some of its products, in particular ESXi, are vulnerable to this type of attack.

Once they gain access to the server, the actors seemingly remove all data present and leave behind a single file with a message demanding that payment be made in exchange for the safe return of the server contents. There is some discussion in online forums that, in many cases, the length of time the actors have access to a server would be insufficient to remove all the data.

References: Threat Post | Pipal | Spiceworks Community

Mitigation Strategies:

Top 20 IP Addresses

122.224.54.104 – NEW
82.221.128.206
23.253.206.184 – NEW
118.98.104.21
118.244.216.37 – NEW
91.121.179.219 – NEW
70.167.210.155 – NEW
104.243.129.210 – NEW
193.189.116.52 – NEW
104.130.243.25 – NEW
204.110.219.160
67.192.122.132
204.232.241.139 – NEW
193.201.224.186 – NEW
46.4.94.239 – NEW
45.58.124.18 – NEW
222.186.21.41 – NEW
746.4.94.230 – NEW
162.222.127.13 – NEW
5.79.64.197 – NEW
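Turning a published IP list like the one above into a usable indicator set needs two steps a practitioner should not skip: validating each entry (the entry "746.4.94.230" is copied exactly as printed in the list and is not a valid IPv4 address, so it should be rejected rather than silently never matching) and matching log lines on whole IP tokens rather than substrings. The following Python script is an added example written for this digest, not code from the digest's authors or from any referenced vendor; the firewall log lines in it are constructed sample data, and the function names are my own.

```python
import ipaddress
import re

# The Top 20 list from the digest, transcribed as (ip, is_new). The entry
# "746.4.94.230" is copied exactly as printed; it is not a valid IPv4 address,
# and the validation step in load_indicators() is what catches such errors.
DIGEST_ENTRIES = [
    ("122.224.54.104", True), ("82.221.128.206", False),
    ("23.253.206.184", True), ("118.98.104.21", False),
    ("118.244.216.37", True), ("91.121.179.219", True),
    ("70.167.210.155", True), ("104.243.129.210", True),
    ("193.189.116.52", True), ("104.130.243.25", True),
    ("204.110.219.160", False), ("67.192.122.132", False),
    ("204.232.241.139", True), ("193.201.224.186", True),
    ("46.4.94.239", True), ("45.58.124.18", True),
    ("222.186.21.41", True), ("746.4.94.230", True),
    ("162.222.127.13", True), ("5.79.64.197", True),
]

# Constructed sample log (syslog-style netfilter records); not real traffic.
# Line 2 deliberately carries 15.79.64.197, which contains the listed
# indicator 5.79.64.197 as a substring.
SAMPLE_LOG = """\
Jul 21 10:02:11 fw1 kernel: IN=eth0 SRC=122.224.54.104 DST=10.0.0.5 PROTO=TCP DPT=443
Jul 21 10:02:12 fw1 kernel: IN=eth0 SRC=15.79.64.197 DST=10.0.0.5 PROTO=TCP DPT=443
Jul 21 10:03:40 fw1 kernel: IN=eth0 SRC=8.8.8.8 DST=10.0.0.5 PROTO=UDP DPT=53
Jul 21 10:05:07 fw1 kernel: IN=eth0 SRC=10.0.0.7 DST=204.110.219.160 PROTO=TCP DPT=80
Jul 21 10:06:59 fw1 kernel: IN=eth0 SRC=5.79.64.197 DST=10.0.0.9 PROTO=TCP DPT=22
"""

# Whole dotted-quad tokens only: no digit or dot may directly precede or follow.
IPV4_TOKEN = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def load_indicators(entries):
    """Return (valid_set, rejected_list).

    Every entry is parsed as IPv4 so that a typo in a published list is
    reported instead of becoming an indicator that can never match."""
    valid, rejected = set(), []
    for ip, _is_new in entries:
        try:
            valid.add(str(ipaddress.IPv4Address(ip)))
        except ipaddress.AddressValueError:
            rejected.append(ip)
    return valid, rejected


def match_log(log_text, indicators):
    """Return [(line_number, ip)] for each whole IP token found on the list."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for ip in IPV4_TOKEN.findall(line):
            if ip in indicators:
                hits.append((lineno, ip))
    return hits


def naive_match(log_text, indicators):
    """Substring matching, shown only to illustrate the false positive it
    produces: 5.79.64.197 is 'found' inside 15.79.64.197 on line 2."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for ip in sorted(indicators):
            if ip in line:
                hits.append((lineno, ip))
    return hits


if __name__ == "__main__":
    valid, rejected = load_indicators(DIGEST_ENTRIES)
    print(f"{len(valid)} valid indicators, rejected: {rejected}")
    for lineno, ip in match_log(SAMPLE_LOG, valid):
        print(f"line {lineno}: matched {ip}")
    print("naive substring hits:", naive_match(SAMPLE_LOG, valid))
```

Running the script reports one rejected entry and three matched lines (1, 4 and 5); the naive variant additionally reports line 2, which is exactly the kind of false positive that erodes trust in an IoC feed.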