TeslaCrypt ransomware infections continue to surge

Dec 16, 2015 22:31 GMT

We reported last week on the first signs of a new TeslaCrypt ransomware campaign that was slowly taking shape. Now, only a few days later, it appears that those initial reports were correct, and we are in the midst of a large-scale TeslaCrypt attack.

As initially reported, the first signs started to appear on the Bleeping Computer forums, where users were complaining about TeslaCrypt ransomware.

A further investigation by Heimdal Security revealed the dangerous spam-powered campaign behind these infections, which at that time affected mostly users in Scandinavian countries.

The campaign escalated during the past week

Several other cyber-security vendors also mentioned a rise in TeslaCrypt detections at various points this week, but today ESET's team published an in-depth technical write-up on the new campaign, which also confirms Heimdal's initial research.

The infection chronology is simple and as follows:

1. Users receive a spam email about an unpaid invoice.
2. Users download the email attachment, booby-trapped with the Nemucod trojan.
3. Users unzip the archive and Nemucod uses JavaScript to download an EXE file from the Internet.
4. The EXE file is executed automatically.
5. The TeslaCrypt ransomware is installed.
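The delivery step in this chain is a ZIP attachment carrying a JavaScript dropper, which is something a mail gateway can flag before anyone unzips it. The following added example (not ESET's or Heimdal's code) lists an archive's members from memory and reports script files, including double-extension lures such as "invoice.pdf.js"; the extension sets and the sample file name are assumptions constructed for the demo.

```python
import io
import zipfile

# Script extensions a mail gateway should treat as droppers when found inside a
# ZIP attachment; the Nemucod attachment described above carried JavaScript (.js).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
# Document extensions used as a decoy in double-extension names such as "invoice.pdf.js".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def _suffixes(name):
    """Lower-cased extension chain of a member name, e.g. 'a.pdf.js' -> ['.pdf', '.js']."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip_attachment(zip_bytes):
    """Return [(member_name, reason), ...] for script droppers in the archive; [] if none.
    Only the member list is read from memory; nothing is extracted or executed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid ZIP file")]
    findings = []
    with zf:
        for info in zf.infolist():
            sufs = _suffixes(info.filename)
            if info.is_dir() or not sufs or sufs[-1] not in SCRIPT_EXTENSIONS:
                continue
            reason = "script file inside archive"
            if len(sufs) > 1 and sufs[-2] in DECOY_EXTENSIONS:
                reason = "script file with decoy double extension"
            findings.append((info.filename, reason))
    return findings


def build_sample_attachment(member_name, content):
    """Constructed sample: an in-memory ZIP with one member (not a real malware sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure name modelled on the "unpaid invoice" theme from the article.
    sample = build_sample_attachment("invoice_2015-12.pdf.js", "// placeholder text, not a script\n")
    for name, reason in inspect_zip_attachment(sample):
        print(f"QUARANTINE {name}: {reason}")
```

A gateway would quarantine on any non-empty result; a user-facing variant could simply refuse to open archives that contain script files.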

According to ESET, during the past days the company's security products detected and stopped numerous such infections from all around the world, but mostly in Japan.

ESET reports that at one point, for a span of two days, 75% of all malware detections in Japan were related to this Nemucod-TeslaCrypt campaign.

Similarly high numbers were also reported in Italy (30%), Spain (23%), the US (15%), Canada (15%) and Argentina (14%). Globally, the detection rate for this campaign was 10%.

"The fact that the number of affected users has not been as high as previous ransomware campaigns despite the elevated number of detections is good news," says ESET's Josep Albors. "It means that the users are using protection measures capable of detecting new threats and it can also mean that they are not executing suspicious files attached to emails like the one we’ve analyzed."

[Image: TeslaCrypt ransomware infections, heatmap]
[Image: Nemucod malware used to spread TeslaCrypt]