After spike in Windows infections, Microsoft steps in to tackle TeslaCrypt ransomware

A rescue tool is Microsoft's response to a spike in file-encrypting Tescrypt ransomware infections on Windows machines.
Written by Liam Tung, Contributing Writer
The TeslaCrypt ransomware targets files related to financial and tax software.
Image: Shutterstock
Microsoft has released a rescue tool for thousands of Windows machines that were infected in August by file-encrypting ransomware TeslaCrypt.

Along with yesterday's 'Patch Tuesday' updates, Microsoft upgraded its Malicious Software Removal Tool (MSRT) to tackle TeslaCrypt, or Tescrypt as it calls it.

Microsoft's Windows telemetry data picked up a large spike in detections for TeslaCrypt in late August, jumping from below 1,000 detections per day earlier that month to over 3,500 on August 24.

"After the spike, detections spiked and fell but overall have remained higher than before that first peak in late August," Microsoft noted.

The malware is typically delivered in the payload of several exploit kits, including Angler, the estimated $60m-a-year automated hacking operation that Cisco disrupted earlier this month.

The August spike coincided with a report from security firm Malwarebytes detailing a widespread ad-malware, or 'malvertising', campaign in late August that served up the Angler exploit kit to visitors of a number of popular news websites, including Microsoft's MSN.com.

TeslaCrypt appeared on the radar in early 2015, gaining notoriety for targeting gamers. After an infection, TeslaCrypt searches for specific file types, encrypts them with AES-256, and demands payment in Bitcoin in exchange for the key needed to unlock the files.

As Microsoft notes, what separates TeslaCrypt from other ransomware is that it also targets files related to financial and tax software.

Microsoft's September data shows that the US has the largest number of TeslaCrypt infections, accounting for 39 percent, followed by the UK, which represents 6.5 percent, and Canada at 5.9 percent.

The addition of TeslaCrypt to Microsoft's malware removal tool offers an additional rescue option to a decryption tool from Cisco's Talos Group and another rescue kit released in May.

Microsoft noted that earlier variants of TeslaCrypt stored the private key as a file on the infected machine itself, which allowed victims to recover their files with Cisco Talos's TeslaCrypt Decryption Tool using that locally stored key.

Recent variants, however, store the key in the registry as binary data, it added. This shift in tactics was noted by Kaspersky in a detailed report on TeslaCrypt version 2.0, which presents itself to victims as CryptoWall, probably, Kaspersky researchers guessed, to spook victims into paying, since files encrypted by CryptoWall still cannot be decrypted.

Microsoft emphasized that the best defence against ransomware is 'pre-defence', meaning backing up files in disconnected or remote storage.
