Previous part: The Children of CryptoLocker, Part 1
The first examples of malware that encrypts files and then demands money for decryption appeared a long time ago. Consider Trojan.Xorist, with its primitive XOR-based encryption, or Trojan.ArchiveLock, written in PureBasic, which used an ordinary copy of WinRAR for encryption and Sysinternals SDelete for deleting the encrypted files, and demanded as much as five thousand dollars for decryption. It was CryptoLocker, however, that established the unfortunate trend among virus writers of using the latest achievements in cryptography, that is, genuinely strong encryption algorithms. Today we will investigate several encryption-based trojans that emerged after (or at the same time as) the notorious spread of CryptoLocker on the internet.
The first samples of TeslaCrypt appeared in November 2014 (the first sample was uploaded to virustotal.com on November 11, 2014), but the trojan only became widespread at the beginning of March 2015. During its lifetime this locker has changed several times; the latest version is TeslaCrypt 2.0.0.
TeslaCrypt selects many file types for encryption (around 200), and game-related file types (saves, user profiles, etc.) have also made it onto the list:
Bethesda Softworks settings file
F.E.A.R. 2 game
Steam NCF Valve Pak
Call of Duty
Assassin’s Creed game
League of Legends
DAYZ profile file
RPG Maker VX RGSS
World of Tanks battle
Unreal Engine 3 game file
Starcraft saved game
S.T.A.L.K.E.R. game file
Dragon Age Origins game
The encryption scheme itself changed from version to version. Initially it was an implementation of AES-256-CBC, with the decryption key stored in the file "key.dat" until all files had been encrypted (once the last file was encrypted, this key was overwritten with zeroes).
In later versions (in particular 0.4.0), the decryption key was stored in the file "storage.bin", not in the clear but transformed with an elliptic-curve digital signature algorithm (using the secp256k1 curve), and overwritten with random bytes after the last file had been encrypted.
In the latest version (TeslaCrypt 2.0.0) the encryption algorithm became much more sophisticated. The authors of this trojan probably studied Critroni's encryption mechanism and copied it into their creation almost unchanged. All algorithms are implemented with the freely distributed "cryptlib" library, presumably version 3.4.1 (the locker's body contains strings with the names of source files from this library: ec_key.c, etc.). The difference between the TeslaCrypt implementation and that of CTB-Locker is that session keys are generated not for each file but for the current computer session (until the next reboot).
Before encrypting the files, TeslaCrypt deletes all system backups (shadow copies) of the victim's files with the command
vssadmin.exe delete shadows /all /quiet
vssadmin.exe is the utility for administering Volume Shadow Copies (the Volume Snapshot Service, or Volume Shadow Copy Service). This service is used by the standard system recovery process and by various backup and archiving software (Handy Backup, Leo Backup, etc.). Some encryption-based lockers use this utility to delete all existing shadow copies, which, naturally, makes it impossible to recover the encrypted files from them. As a rule, the command looks like
vssadmin.exe delete shadows /all /quiet
where
delete shadows tells the utility to delete shadow copies,
/all says that all shadow copies must be deleted, and
/quiet means that the actions are performed without any messages being displayed to the user.
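For a defender, the command above is a high-value detection point: it is short, rarely run by hand, and precedes the damage. The following is an added example (not code from the original article or from any tool it mentions) that scans constructed, Sysmon-style process-creation records for vssadmin shadow-copy deletion regardless of letter case or flag order, records the /all and /quiet flags the text explains, and notes whether the parent process lives in a user-writable directory; the log layout and all paths are invented for the example.

```python
import re

# Constructed process-creation events in a Sysmon-like "Key: value|Key: value" layout.
# Invented for this example; no real host produced them.
SAMPLE_EVENTS = r"""
Image: C:\Windows\System32\vssadmin.exe|CommandLine: vssadmin.exe delete shadows /all /quiet|ParentImage: C:\Users\victim\AppData\Roaming\svchost.exe
Image: C:\Windows\System32\vssadmin.exe|CommandLine: vssadmin list shadows|ParentImage: C:\Windows\System32\cmd.exe
Image: C:\Windows\System32\vssadmin.exe|CommandLine: VSSADMIN.EXE Delete Shadows /Quiet /All|ParentImage: C:\Windows\Temp\update.exe
Image: C:\Windows\System32\notepad.exe|CommandLine: notepad.exe key.dat|ParentImage: C:\Windows\explorer.exe
"""

# Parent locations from which a shadow-copy deletion is rarely legitimate (a triage
# heuristic only: backup software also calls vssadmin, as the text notes).
USER_WRITABLE = re.compile(r"\\(appdata|temp)\\", re.IGNORECASE)

def parse_event(line):
    """Split one 'Key: value|Key: value' line into a dict (Image, CommandLine, ParentImage)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def is_shadow_copy_deletion(command_line):
    """True when vssadmin runs 'delete shadows', whatever the letter case or flag order."""
    tokens = command_line.lower().split()
    if len(tokens) < 3:
        return False
    exe = tokens[0].rsplit("\\", 1)[-1]  # drop any directory prefix
    return exe in ("vssadmin", "vssadmin.exe") and tokens[1:3] == ["delete", "shadows"]

def find_shadow_deletions(log_text):
    """One finding per shadow-copy deletion, recording the two flags the text explains."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_event(line)
        if not is_shadow_copy_deletion(ev.get("CommandLine", "")):
            continue
        flags = set(ev["CommandLine"].lower().split()[3:])
        parent = ev.get("ParentImage", "")
        findings.append({
            "parent": parent,
            "all": "/all" in flags,      # every shadow copy on every volume
            "quiet": "/quiet" in flags,  # no prompt or message shown to the user
            "parent_in_user_dir": bool(USER_WRITABLE.search(parent)),
        })
    return findings
```

The parent image is kept in each finding because that, rather than the vssadmin invocation itself, is what separates a backup job from a locker.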
TeslaCrypt 2.0.0 stores the information it needs in the registry (and no longer in files, as before). The trojan's identifier is stored in the registry, and the value HKCU\Software\<trojan ID>\data holds the Bitcoin wallet number, the master public key, the ECDH shared secret and other service information (neither the master private key nor the session private key is stored anywhere).
An interesting feature of the latest TeslaCrypt version is that the ransom demand is not displayed in a GUI window but as an HTML page copied from CryptoWall (interestingly, TeslaCrypt passes itself off as the infamous CryptoWall, evidently to frighten the victim even more).
Connection with the command server
The body of the trojan contains a static list of C&C addresses. The servers themselves are located in the Tor network, but communication goes through tor2web services (to2web.org was used in the sample under investigation).