File backups are the best protection against ransomware

May 8, 2015 10:11 GMT

A new piece of ransomware with file-encryption capabilities has been identified by security researchers, who found that it borrows elements from two other crypto-malware families, TeslaCrypt and the now infamous CryptoWall.

Dubbed AlphaCrypt, the malware uses a ransom message that may fool some users into believing that their files have been encrypted with TeslaCrypt, for which researchers at Cisco have already developed a decryption tool.

One variant of AlphaCrypt is currently distributed through the Angler exploit kit, which was hosted on destinazione.grippertires.net.

Shadow copies are deleted, decryption service hidden in TOR

However, the differences discovered by security experts at Webroot led them to place it under a different family. One such difference is AlphaCrypt's ability to delete the file backup copies created by Windows via the Volume Shadow Copy Service (VSS).

This routine ensures that the encrypted files cannot be recovered unless the user pays the ransom fee.
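Detection logic a defender could run over process-creation telemetry to catch the shadow copy deletion described above, added here as an example and not taken from the article or from Webroot's analysis. The log lines are constructed, and since the page does not say which command AlphaCrypt uses, the patterns cover the common Windows ways of deleting shadow copies.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (Windows 4688 / Sysmon-style
# fields flattened to "pid|parent_image|image|command_line"). They are
# invented for this example, not captured from AlphaCrypt.
SAMPLE_EVENTS = [
    "4120|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
    "5288|C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "5301|C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete /nointeractive",
    "6010|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
    "6044|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"",
]

# Command lines that remove Volume Shadow Copies. Merely listing shadows
# (vssadmin list shadows) is benign and deliberately not matched.
SHADOW_DELETION_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

@dataclass
class Alert:
    pid: int
    image: str
    parent: str
    rule: str
    severity: str

def detect_shadow_copy_deletion(events):
    """Return one Alert per event whose command line deletes shadow copies."""
    alerts = []
    for line in events:
        pid, parent, image, cmd = line.split("|", 3)
        for pat in SHADOW_DELETION_PATTERNS:
            if pat.search(cmd):
                # A parent running from a user-writable location (%TEMP%,
                # AppData) is far more suspicious than an admin tool or
                # installer, so it is rated higher.
                low_trust_parent = "\\appdata\\" in parent.lower() or "\\temp\\" in parent.lower()
                severity = "high" if low_trust_parent else "medium"
                alerts.append(Alert(int(pid), image, parent, pat.pattern, severity))
                break
    return alerts
```

Such an alert fires after the shadows are already gone, so it is a trigger for isolating the host and restoring from offline backups, not a substitute for them.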

“Payment is similar to recent variants - bitcoin through layered tor browsing. Not using a money mule like ukash or moneypak allows the authors to maximize their earning power and anonymity. They can just take the full ransom amount and put through a bitcoin mixer that will use sophisticated algorithms to scramble it through millions of addresses and completely ‘clean’ the money,” Webroot’s Tyler Moffitt says.

Proxies are provided, but Tor browser may still be needed

Victims do not necessarily have to install the Tor browser to access the payment website set up on the Tor anonymity network, as the cybercriminals make use of gateway services that relay the connection to the hidden server directly from the regular Internet.

However, the addresses listed in the ransom message may not work at all times, and the user may still have to install the Tor browser to reach the decryption page.

The link to CryptoWall is that AlphaCrypt creates new instances of common Windows processes for the encryption routine (it advertises the RSA cryptosystem with a 2048-bit key), Moffitt says.

The differences observed by the researchers from Webroot confirm the findings of Brad Duncan published on his Malware-Traffic-Analysis blog, where he says that AlphaCrypt is actually a clone of TeslaCrypt, which is a clone of CryptoWall.

Keeping safe from this threat requires an up-to-date antivirus product, but this may not be sufficient if a new variant emerges. To counter the risk, users are advised to create backups of their files (at least the most important ones) and store them in a safe place, either completely disconnected from the main computer or protected by strong access restrictions.

[Image gallery, 3 images: AlphaCrypt ransom message looks like the one used by TeslaCrypt; Decryption service for AlphaCrypt; Full ransom notification from AlphaCrypt]