Slashdot Mirror


TeslaCrypt Isn't All That Cryptic

citpyrc writes: TeslaCrypt, the latest-and-greatest ransomware branch off of the CryptoWall family, claims to the unwitting user that his/her documents are encrypted with "a unique public key generated for this computer". This couldn't be farther from the truth. In actuality, the developers of this malware appear to have been lazy and implemented encryption using symmetric AES256 with a decryption key generated on the user's machine. If any of your machines are afflicted, Talos has developed a tool that can be used to generate the user's machine's symmetric key and decrypt all of the ransomed files.

2 of 52 comments

  1. Re:Does it matter? by mlts · Score: 4, Interesting

    It isn't that simple. Some ransomware variants will find the backup device (external hard drive, NAS share, etc.) and zero those out. In fact, if the hard disk is encrypted, malware can just zero out the locations where the volume encryption key is stored, then dismount the drive.

    Other variants will encrypt files, but will transparently allow access to them until a point in time where it zeroes out the decryption key and puts up the ransom dialog. This makes backup utilities like Mozy and Carbonite ineffective since they may not have a usable copy.

    For effective backups, one needs a backup server that pulls backups from clients, so malware cannot tamper with already stored files on the server side. However, outside of larger enterprises that use NetBackup on desktops, this isn't something that is often done. On a small scale, one can use Windows Server 2012 R2 Essentials, Retrospect, or a file share from all clients which is mounted by the backup server to copy documents off.

    One also needs to keep good backups since the scrambled files might be around for a long time without someone knowing that they were tampered with. This requires multiple backup rotations and data lifetimes (again something only really found in enterprise-grade backup programs.)

  2. Re:Does it matter? by Anonymous Coward · Score: 2, Interesting

    Some ransomware variants will find the backup device (external hard drive, NAS share, etc.) and zero those out.

    But you contradict yourself.

    Neither an external hard drive nor a NAS share is a backup solution; it is instead nothing more than a copy.
    A client PC should not be able to reach the backup device. The backup device reaches out to the PC.

    Of course an online backup device being just another system on the LAN means if your client PC is penetrated, the attacker has network level access to the LAN just like your PC does, and could potentially exploit other non-related vulnerabilities in the backup device to take control of it as well.

    But that is why best practice is to use online backup storage (for frequent backups, bulk HD storage, and ease of access in restoring from them) combined with offline storage such as removable media used to copy the online storage.

    (Also note "online" doesn't mean on the Internet, it means a machine on your network that is always-on)
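Both comments above make the same design point: the backup server reaches out to the client and writes to storage the client cannot touch, and it keeps several generations so that a scrambled file does not silently replace the only good copy. As an added example, not code from either commenter, from Talos, or from any of the products named, here is a small Python model of that pull-based, versioned design. It assumes the backup host can read the client's share read-only, numbers generations `gen-000001`, `gen-000002`, ... (an assumed naming scheme), and uses an assumed threshold of 2 bits/byte of Shannon-entropy increase to flag a rewritten file as possibly encrypted; when a pull flags anything, pruning of older generations is held so good copies are not aged out before someone looks.

```python
"""Pull-style versioned backup with a tamper check on rewritten files.

Added example (not from the Slashdot thread). Assumptions: the server pulls
from a read-only view of the client; generation naming and the entropy
threshold below are illustrative choices, not a standard.
"""
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_JUMP = 2.0  # assumed: bits/byte increase that marks a rewrite as suspicious


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text documents sit far below encrypted or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def list_generations(dest: Path) -> list:
    """Snapshot directories gen-000001, gen-000002, ... in creation order."""
    return sorted(p for p in dest.glob("gen-*") if p.is_dir())


def pull_snapshot(src: Path, dest: Path, keep: int = 3) -> dict:
    """Copy src into a fresh generation under dest (the server pulls; the client
    never writes here), compare each file with the previous generation, and
    prune to `keep` generations only when nothing looked tampered with."""
    gens = list_generations(dest)
    prev = gens[-1] if gens else None
    # Derive the next number from the highest existing one so pruning never causes a collision.
    next_no = (max(int(g.name.split("-")[1]) for g in gens) + 1) if gens else 1
    new_gen = dest / f"gen-{next_no:06d}"
    shutil.copytree(src, new_gen)

    suspicious = []
    for path in new_gen.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(new_gen)
        if prev is not None and (prev / rel).is_file():
            before = shannon_entropy((prev / rel).read_bytes())
            after = shannon_entropy(path.read_bytes())
            if after - before >= ENTROPY_JUMP:
                suspicious.append(str(rel))

    # Retention: drop the oldest generations beyond `keep`, but hold pruning
    # when a rewrite looked like encryption so the last good copies survive.
    if not suspicious:
        for old in list_generations(dest)[:-keep]:
            shutil.rmtree(old)
    return {"generation": new_gen.name, "suspicious": sorted(suspicious)}


def demo(keep: int = 2) -> dict:
    """Constructed scenario: three clean pulls (so retention pruning is visible),
    then a pull after one document was overwritten with random bytes, which is
    what an in-place encrypting ransomware leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "client", Path(tmp) / "backup"
        src.mkdir()
        dest.mkdir()
        (src / "report.txt").write_text("quarterly report " * 200)
        (src / "notes.txt").write_text("meeting notes " * 100)
        for _ in range(3):
            pull_snapshot(src, dest, keep)
        (src / "report.txt").write_bytes(os.urandom(3400))  # scrambled in place
        result = pull_snapshot(src, dest, keep)
        result["generations"] = [g.name for g in list_generations(dest)]
        return result


if __name__ == "__main__":
    print(demo())
```

With `keep=2` the three clean pulls leave only `gen-000002` and `gen-000003`; the fourth pull flags `report.txt` and is kept alongside both earlier generations instead of pushing `gen-000002` out. An entropy jump is a coarse signal (a legitimately compressed or encrypted document will also trip it), so in practice the flag should open a ticket, not delete anything.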