Ransomware “Tesla”: Are ransomware writers kidding us?

Most of us have probably seen e-mails like the one below in our inbox at one point or another:

phising

This is basically the typical phishing email sent out by cybercriminals. They want to get the victim with “evil” social engineering: In order to succeed they try and make the user open the invoice using scare tactics like unpaid bills, invoices, lost packages, and so on. The icing on the cake is the attached copy of the “invoice” so it can be opened ASAP.

In comparison to the other phishing emails we received before, they don’t insert the original “Tesla” ransomware file anymore. Instead they put an obfuscated JavaScript file inside the archive. Cool! That makes them more flexible than ever before.

java_obf

The obfuscation is a pretty good one from my point of view. It doesn’t allow anyone to understand what’s going on. But nothing is perfect … enough ;-). It may take several tries but you can decode the script. This easy decryption leads me to the conclusion that they have automated its creation. Well, it seems that even the world of the criminals is changing.

An interesting fact is that to deploy ransomware, no knowledge of any programming language is needed anymore: Everything is offered ready to go on the darknet for anyone who is willing to pay. You can read a cool article I wrote on this topic over here.

java_dec

But let’s get back to the malicious script. It’s just a downloader. It shows the download source for the “Tesla” ransomware, where it will be stored on the system (e.g. %temp%), and it also takes care of running the binary after running some “quality checks” like file size.

Interesting? I believe so, because the criminals have changed the way they ensure that the ransomware is downloaded to the victim’s computer. They now also have the possibility to use different URLs as sources. And, last but not least, it seems to be easier for them to deploy new scripts than to make adjustments to the binary itself when it comes to by-passing antivirus solutions in order to stay undetected. With more samples to choose from they have more possibilities to successfully infect your device.

 “Dear ransomware writer, is that really it? Is there nothing more or are you just kidding us?”

You might be confused about the last sentence, but let me explain: Once we analyzed the Tesla ransomware file in more detail, it seemed like they didn’t invest any additional time in their “Tesla” ransomware files itself. The latest and newest binaries which we have received and analyzed are already covered by our detections from more than three years ago! That’s friggin’ old-school  🙂 !

how to restore small

“And thanks a lot, dear ransomware writer, for helping us to spread our Avira product!”

Nope, that’s no joke. We’ve also seen that – after executing yet another script –  instead of the Tesla ransomware binary, the latest Avira launcher is being downloaded. We know that they took our launcher and put it on their commanding control server.

launcher

Please note: You should know that we NEVER collaborate with cybercriminals or force something like this! We also don’t spread malware with our launcher! But we want to say thanks to everyone who wants to promote our product for better protected world detections nonetheless! 🙂

In the end it shows us once again how strong our detection pattern is when it comes to daily threats. It’s funny to find “new” samples which we’ve already been detecting for more than 3 years. But anyway, don’t forget our Avira Protection Cloud: in combination with our main antivirus, it becomes a powerful tool and a much stronger protective shield! So, ENABLE the Avira Protection Cloud in our product – and live free.

Team Leader Virus Lab Disinfection Service