Sunday 20 December 2015

VaultCrypt: From Russia with Love

During the last several months Ukrainian Cyberpolice recorded many incidents all over the country with VaultCrypt. We decided to shed light on the issue. VaultCrypt is a cryptolocker having the similar to TeslaCrypt scheme using Tor and Bitcoins to pay a ransom, but simpler in implementation.

Tuesday 22 September 2015

TeslaCrypt 2.1 Analysis: Cracking "Ping" Message

At the beginning of September 2015, we discovered a new version of TeslaCrypt - 2.1 in the customer's network. The sample (MD5: b10d45335b8de97e6bc1d5cc9449c323) was loosely detected by the majority of AV signature engines on the Virustotal. The detection rate was 4/57 and can be explained by using code obfuscation, which proved its efficiency. The previous TeslaCrypt 2.0 was already well described by Kaspersky Lab, so we will use the same naming convention for encryption keys as on the Securelist for this post.

Now, TeslaCrypt 2.1 sends extra information in the C&C request in an encrypted way. The list of domains used as “gates” will be presented below with corresponding Yara rule, as well as a mechanism used to encrypt data sent to the remote server, which has not been yet explained anywhere.