It has recently been reported that a Trojan ransomware called Cryptesla 2.2.0 is being delivered through an Adobe Flash Player vulnerability. It is better known as TeslaCrypt, and it appends the .vvv extension to the files it encrypts. In its latest installment it is distributed by the Angler Exploit Kit, and the campaign has also been served from a compromised WordPress blog related to The Independent.
Short Description: This ransomware is part of the TeslaCrypt family. It is distributed via a massive malware campaign that uses unpatched vulnerabilities in websites and plugins.
Symptoms: The ransomware encrypts files and adds a .vvv extension to them. It drops files with decryption instructions in almost every folder and displays a new ransom note.
Distribution Method: Email attachments from spam emails, suspicious sites, exploit kits
[Screenshot: the new ransom note]
Cryptesla 2.2.0 Ransomware – Distribution Methods
The newest and most effective distribution method for the Cryptesla 2.2.0 ransomware is an exploit for a vulnerability in Adobe Flash Player. If you are running a slightly older, unpatched version, the exploit kit silently downloads and runs TeslaCrypt; the same delivery chain is also known to drop CryptoLocker.
Another method of distribution is an attachment downloaded from an email that looks legitimate. This is one of the many emails reported to spread the ransomware:
Please review the attached copy of your Invoice (number: NI237483478) for an amount of $500.32.
Thank you for your business.
The attachment can be named copy_invoice_89518498.zip, and the file inside it is referenced by the name http://softextrain64.com/86.exe. Most likely, other variations exist.
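The lure above is a zip archive whose only member is an executable. As an added example (not code from the original article), the function below inspects such an attachment in memory, without extracting anything to disk, and flags executable members, nested archives, "document.pdf.exe" style double extensions and password-protected members. The sample archive it builds is constructed here for demonstration; its "86.exe" member contains dummy bytes, not the real payload.

```python
import io
import zipfile

# File types that should never arrive inside an "invoice" archive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Return {"verdict": "allow" | "block" | "malformed", "findings": [...]} for a zip blob."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                if name.endswith("/"):
                    continue  # directory entry, nothing to inspect
                lower = name.lower()
                parts = lower.split(".")
                ext = "." + parts[-1] if len(parts) > 1 else ""
                if ext in EXECUTABLE_EXTS:
                    findings.append(f"executable member: {name}")
                if ext in ARCHIVE_EXTS:
                    findings.append(f"nested archive: {name}")
                # "invoice.pdf.exe": a document extension hidden in front of the real one
                if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
                    findings.append(f"double extension: {name}")
                if info.flag_bits & 0x1:
                    # bit 0 of the general-purpose flags marks an encrypted member;
                    # scanners cannot see inside, so treat it as suspicious
                    findings.append(f"password-protected member: {name}")
    except zipfile.BadZipFile:
        return {"verdict": "malformed", "findings": ["not a valid zip file"]}
    return {"verdict": "block" if findings else "allow", "findings": findings}


def build_sample_attachment(member_name: str = "86.exe") -> bytes:
    """Constructed sample modelled on copy_invoice_89518498.zip: one member with dummy content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 64)  # fake PE header, not real malware
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_attachment()))
```

The check is deliberately conservative: a single executable, nested archive or encrypted member is enough to block, because a legitimate invoice has no reason to contain any of them.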
It may also be dropped by other malware already on the machine, or picked up from suspicious websites, social networks and file-sharing services.
Cryptesla 2.2.0 Ransomware – Technical Description
Once executed, the latest Cryptesla 2.2.0 ransomware searches for files with the extensions known from previous variants:
→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
After Cryptesla 2.2.0 finds files with these extensions, it encrypts them and appends the ".vvv" extension to each. This variant is reported to use the RSA-2048 encryption algorithm.
The Trojan creates these registry values:
svv_e = “%Application Data%\[random filename].exe”
*svv_e = “%Application Data%\[random filename].exe”
It does so to have itself executed automatically at each system startup.
It also deletes the Shadow Volume Copies, so that Windows' previous-versions feature cannot be used to recover the files, with the following command:
→%System%\vssadmin.exe delete shadows /all /Quiet
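Both behaviours described above, the Run-key value pointing at an executable under %Application Data% and the vssadmin call that wipes the shadow copies, are visible in host telemetry. As an added example (not from the original article), the code below runs two detection rules over constructed, Sysmon-style key=value event lines: EventID 1 stands for process creation and EventID 13 for a registry value being set, as in Sysmon, but the flat line format, the user name, the SID and the random file name are assumptions made for this sample.

```python
import re
from pathlib import PureWindowsPath

# key=value pairs; quoted values may contain spaces (e.g. a full command line)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample telemetry: two malicious events and two benign look-alikes.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /Quiet" ParentImage=C:\Users\alice\AppData\Roaming\qwkzhg.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=13 TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svv_e Details=C:\Users\alice\AppData\Roaming\qwkzhg.exe',
    r'EventID=13 TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details="C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"',
]


def parse_event(line: str) -> dict:
    """Turn one flat telemetry line into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def is_shadow_copy_deletion(ev: dict) -> bool:
    """vssadmin.exe invoked with both 'delete' and 'shadows' on its command line."""
    if ev.get("EventID") != "1":
        return False
    image = PureWindowsPath(ev.get("Image", "")).name.lower()
    tokens = ev.get("CommandLine", "").lower().split()
    return image == "vssadmin.exe" and "delete" in tokens and "shadows" in tokens


def is_appdata_run_persistence(ev: dict) -> bool:
    """A Run-key value whose target executable lives under %Application Data% (Roaming)."""
    if ev.get("EventID") != "13":
        return False
    target = ev.get("TargetObject", "").lower()
    if "\\currentversion\\run\\" not in target:
        return False
    details = ev.get("Details", "")
    exe = details.split()[0].lower() if details else ""  # drop any arguments
    return "\\appdata\\roaming\\" in exe and exe.endswith(".exe")


RULES = {
    "shadow_copy_deletion": is_shadow_copy_deletion,
    "appdata_run_persistence": is_appdata_run_persistence,
}


def scan(lines) -> list:
    """Return (rule_name, parsed_event) for every line that trips a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append((name, ev))
    return alerts


if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(name, "->", ev.get("CommandLine") or ev.get("TargetObject"))
```

The persistence rule keys on the location of the executable rather than on the value name: "svv_e" is a useful indicator for this particular variant, but a rule tied to it would miss the next build, whereas autostart entries pointing into the roaming profile are rare enough in most fleets to review by hand.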
As a result, decryption without the attackers' key is only possible if the encryption key was captured with a network sniffer while the files were being encrypted. A network sniffer is a program and/or device that monitors the data travelling over a network, such as its Internet traffic and packets; if a sniffer was already in place before the attack, it may have recorded information about the decryption key. The other way to get your files back is to restore them from a backup kept on an external storage device.

The new ransom note resembles those of CryptoWall and CryptoLocker and is known to demand a sum of about $500 at first. We advise you not to pay the ransom: there is no guarantee you will receive a decryption key, let alone a working one.

The ransomware can create thousands of files named decrypt.exe, decrypt.html and decrypt.txt, along with the ransom note files Howto_RESTORE_FILES.html, how_recover+abc.txt and how_recover+abc.html.
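When assessing an infected machine, the first question is what was hit and what survived. As an added example (not from the original article), the function below triages a file listing using only the indicators described above: the appended .vvv extension, the ransom note names, and the targeted extensions (a subset of the list is embedded here). It reports how many files were encrypted, which original file types they had, where ransom notes were dropped, and which targeted files are still intact. The listing it runs on is constructed for this example; the user name and file names are assumptions.

```python
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_SUFFIX = ".vvv"
RANSOM_NOTE_NAMES = {
    "howto_restore_files.html", "how_recover+abc.txt", "how_recover+abc.html",
    "decrypt.exe", "decrypt.html", "decrypt.txt",
}
# Subset of the targeted extensions listed in the technical description.
TARGETED_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
                 ".txt", ".sql", ".zip", ".pst", ".pem", ".pfx"}

# Constructed listing, as a directory walk would produce it.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.vvv",
    r"C:\Users\alice\Documents\thesis.docx.vvv",
    r"C:\Users\alice\Documents\Howto_RESTORE_FILES.html",
    r"C:\Users\alice\Documents\how_recover+abc.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.vvv",
    r"C:\Users\alice\Pictures\how_recover+abc.html",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Downloads\copy_invoice_89518498.zip",
    r"C:\Windows\System32\vssadmin.exe",
]


def triage_listing(paths) -> dict:
    """Classify each path as encrypted, ransom note, intact-but-targeted, or irrelevant."""
    encrypted, notes, intact = [], [], []
    original_exts = Counter()
    note_dirs = set()
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name in RANSOM_NOTE_NAMES:
            notes.append(p)
            note_dirs.add(str(wp.parent).lower())
            continue
        if name.endswith(ENCRYPTED_SUFFIX):
            # TeslaCrypt keeps the original name: "budget.xlsx" -> "budget.xlsx.vvv"
            original = name[: -len(ENCRYPTED_SUFFIX)]
            original_exts[PureWindowsPath(original).suffix or "(none)"] += 1
            encrypted.append(p)
            continue
        if wp.suffix.lower() in TARGETED_EXTS:
            intact.append(p)  # a targeted type the run did not reach: worth preserving first
    return {
        "encrypted_count": len(encrypted),
        "encrypted": encrypted,
        "original_extensions": dict(original_exts),
        "ransom_notes": notes,
        "dirs_with_notes": sorted(note_dirs),
        "intact_targeted": intact,
    }


if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    print(f"{summary['encrypted_count']} encrypted, by type: {summary['original_extensions']}")
    print("notes dropped in:", summary["dirs_with_notes"])
    print("still intact:", summary["intact_targeted"])
```

Run it against the output of a directory walk taken from a forensic image or a read-only mount, not from the live infected system, and copy the intact targeted files off the machine before anything else; the encrypted set and the ransom note locations are what you keep for the incident record.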
Remove Cryptesla 2.2.0 Ransomware Completely
To completely remove the Cryptesla 2.2.0 ransomware from your computer, you should have at least some experience in removing malware. We strongly recommend that you back up your files first. Afterwards, carefully follow the instructions provided here: