Cybercriminals have pocketed substantial payments from victims infected by TeslaCrypt, a relatively new ransomware threat known for being distributed through the Angler Exploit Kit (EK). Between its emergence in February and April 2015, attackers extorted $76,522 from 163 victims, researchers at FireEye found.
TeslaCrypt, also known as AlphaCrypt, has previously been observed targeting online gamers by encrypting their game files. In March, Bromium Labs revealed that the ransomware family claimed to be a new version of CryptoLocker, though analysts believed it was most likely a re-brand. The TeslaCrypt variant observed at the time targeted 185 file extensions, most pertaining to video games, while some encrypted iTunes files, images and documents.
In a Friday blog post, FireEye principal threat intelligence analyst Nart Villeneuve said that researchers set out to examine “the lesser-known aspects” of the ransomware – its use of Bitcoin for ransom payments and its global impact.
“We tracked the victims' payments to the cybercriminals—available because the group used Bitcoin,” he explained, adding later that, of the 1,231 known victims scattered across the world (in the U.S., Iran, Spain, Brazil, Argentina, Germany, Croatia and Mongolia), 163 paid the ransom.
“Some feared being expelled from school or fired by their employers if they are unable to retrieve their files. Fathers and mothers were devastated by the loss of family photos. The TeslaCrypt ransomware also affected nonprofits, including an organization dedicated to curing blood cancer, as well as small businesses. Many of the victims were simply unable to afford to pay the ransom and gave up,” Villeneuve wrote.
While 163 victims paid the cybercriminals in an attempt to retrieve their files, 263 individuals interacted with the cybercrime group, Villeneuve said. Some even tried to bargain with the criminals to pay a lesser amount.
In response to the uptick in ransomware infections and number of threats impacting users, several security firms have created tools that decrypt files encrypted by ransomware, like TeslaCrypt, CryptoLocker and TorLocker; but “cybercriminals will keep innovating, and these tools can only go so far,” Villeneuve wrote.
“Individuals and small businesses should consider taking the basic steps larger firms take to protect their information. Keep software and firmware up to date, be aware of the websites that you browse, use spam filters, and make regular backups,” he advised.