Only two months after researchers discovered version 3.0 of TeslaCrypt ransomware, version 4.0 has already reared its ugly head, with enhanced encryption algorithms and the ability to penetrate even deeper into victims' computer files.
Danish cyber firm Heimdal Security profiled the upgraded ransomware in a new security alert, explaining that the software's newly enhanced 4096-bit encryption makes it virtually impossible at this time to crack, not even using the TeslaDecoder tool that was effective against previous iterations. Version 4.0 can also “extract even more data than before from the local machine,” explains the blog post, making it “not only a more severe threat, but also one that is capable of far wider data leakage.”
Data that TeslaCrypt can now access that its previous versions could not include “MachineGuid,” a unique PC identifier; “DigitalProductID,” the Windows operating system key; and “SystemBiosDate,” the current time of the affected PC. In an interview with SCMagazine.com, Morten Kjaersgaard, CEO of Heimdal, said that with access to SystemBiosDate, hackers could theoretically find a way “into the actual BIOS of the machine somehow,” intercepting instructions in firmware that controls input and output operations. Also for the first time, TeslaCrypt recruits affected devices into a central botnet.
Talos, the research division of Cisco that last week published an extensive analysis of TeslaCrypt 3.0, is also closely watching this latest evolution. “Our analysts are taking it apart right now,” Craig Williams, senior technical leader and security outreach manager at Talos, told SCMagazine.com. And by all appearances, “it's significantly different from prior versions.”
Neither Williams nor Kjaersgaard is surprised how quickly the product is evolving, and they actually expect development cycles to become even shorter, making it harder for security experts to keep up. “It's now just like professional software development. You see these guys enhancing features like it was any other product because they're commercializing it to whatever extent they can,” said Kjaersgaard.
As evidenced by recent successful attacks against hospitals, ransomware has proven to be extremely lucrative. Indeed, in new survey study by Intermedia, more IT experts were concerned with the financial impact of downtime as a result of a ransomware attack (55 percent) than with the financial impact of actually paying the ransom (44 percent).
“The reality is that the entire threat landscape has completely shifted due to ransomware, because it's got such a high net income… That's why we've seen the pace of innovation move that quickly,” said Williams.
The upgraded TeslaCrypt ransomware also fixes a significant bug that in previous versions would permanently damage files larger than 4 GB, even if victims paid to get their work product back intact. One might think cybercriminals using TeslaCrypt wouldn't care if victims' files were ruined, but they have learned from experience that if they don't hold up their end of the bargain, device owners won't shell out the ransom in the future. “They're really trying to make it like a product so when you do pay up you get your money's worth,” said Kjaersgaard.