Rather than bombard you with all of the new ramsomware versions that come out (after the success of CryptoLocker there have been far too many copycats to mention) we've attempted focused on the new versions that are deviating from the standard either because there are work arounds or their targets / delivery are unusual.  This week brings us one of those unusual cases...

TeslaCrypt has been discovered by Fabian Wosar of Emsisoft; TeslaCrypt is unusual because it is very specifically targeting over 40 different video game related files.  The target games include, MineCraft, Call of Duty, World of Warcraft, RPG Maker, World of Tanks, Dragon Age, League of Legends, StarCraft, and Steam.

Most ransomware, prior to TelsaCrypt, has targeted images, documents, and videos.

Another interesting change with TeslaCrypt is for the first time we're seeing PayPal My Cash cards being accepted for the ransom payment.  PayPal My Cash cards can be purchased at CVS, Dollar General, RiteAid, Family Dollar and Freds. After purchasing the card you login to your PayPal account and using the PIN on the back of the card apply the funds to your account.

Paying with a PayPal My Cash card is more expensive than paying with Bitcoins - $1000 vs. $500 USD. This is likely for two reasons, the first is using PayPal they are risking having PayPal confiscate their ill-gotten gains and second if you've ever tried to purchase Bitcoins it's not that simple and takes several days. So if you want to get your files unencrypted now you might pay the premium through PayPal.  The latter would seem to work best in the case of a mission critical business server, but if you have the money and just can't stay away from World of Warcraft it might work on you too.

Image courtesy of Bleeping Computer

Like so much of the ransomware the standard red screen with a shield on the upper left is used to let you know your computer is infected.

Where the name TeslaCrypt came from is anyone's guess, although it is a name they gave themselves, see the screenshot.  Perhaps they are hoping to be as successful as Tesla.

Some companies are choosing to move from the traditional employer provided laptops and cell phones to a Bring Your Own Device model.  While there are many advantages to BYOD there are also quite a few pit falls and issues to consider.

BYOD for cell phones and smartphones: These seem to be the most frequent devices used when we're talking about BYOD policies. This is also a model that's popular not only with employers, but employees alike. It's a rare employee who misses the days where they had to carry around their personal cell phone and a business cell phone. Beyond the feature of not having to carry around a second phone, most businesses, as a trade off for use of personal equipment, reimburse their employees a portion of their monthly cell service bill to compensate for the additional use.

Employees are in a position to get a larger phone and data plan or a newer phone than they might have purchased without the BYOD policy and the employer is saved the cost of purchasing the actual equipment - generally the phone, charger(s) and case.

Per the IRS guidelines to be reimbursable the employer must require their employees to use their phones "primarily for non-compensatory business reason to use their cell phones for business purposes." As long as the company is meeting that requirement the allowable reimbursement must be "reasonable". That's "reasonable" per the IRS; see IRS notice IR-2011-93 for further reading. Per a local CPA "reasonable" to the IRS would be equal to or less than what the employer would pay to provide their employee with cell phone service. This will vary community to community and industry to industry, hence the term "reasonable".

Then you have BYOD for the, less frequent, use of a personal laptop or tablet in the work environment. This is more likely to be applicable to an outside sales employee than someone who spends all day at a desk in the office. One lesson businesses have learned over the years is that whether intentionally or just due to carelessness an employee is always going to be more careful with what he considers his property rather than his employer's property. In the case of laptops, how often have IT staff and firms seen damage to a company laptop that could only have come as a result of less than quality care taken. I've heard of more than one story where an out of the office employee got in the car daily, just throwing the laptop behind the front seat with no concern for how much the useful life of the laptop was being shortened by his carelessness. It's not his and the company will just buy him a new one when it stops working, right? How much does this attitude cost employers each year in equipment? For companies with a large outside work force, it can cost tens of thousands to replace equipment that just wasn't cared for properly.

You can see how BYOD works in the employers favor for laptops, but how does it work in the employees favor? There are quite a few ways you can make this an advantageous choice for your employees. For starters, a certain amount of IT support naturally comes with BYOD; the amount of support that is included alone can be a good incentive to get employees to participate.

Some companies offer an extra end-of-year bonus to those participating in the bring your own laptop program - they are able to save money on hardware costs during the year and have the ability to pass those savings onto their employees in the form of a thank you for participating type bonus.

Another option is to offer hardware purchases through the company - allowing employees to purchase their laptops through company channels where you may be able to get a lower price or offer your employees the ability to pay the company back for the purchase over a couple of months. This allows your employees to get new hardware and potentially even better hardware than they would have otherwise purchased.

Also offer them an online backup solution - this tackles a couple of problems. Chances are you've already setup your company with an off-site backup and if you haven't that should be on the top of your priority list. Add your employee's device onto the plan and allow them a certain amount of acceptable personal items they can also backup. Something like the Top Speed online backup service is ideal for this scenario. Top Speed online Backup A monthly licensing fee plus $25 per 50Gb online data storage; when grouped into a single account makes this an affordable option for the employer. The employer must have a clear policy on what is and is not acceptable for backing up, as the company can be held liable for any illegal files. This becomes a win win for the employee who has his data securely backed up and the employer has an up-to-date accounting of company information stored on the laptop and quick access to that information in case something were to happen to the laptop such as theft or destruction of the laptop

Another concern with outside laptops is making sure they are properly protected from malicious threats such as viruses and malware / spyware. Webroot a Colorado based security company says that 1/3 of employees using their devices for work don't have any security installed on them. The simple and most cost effective solution is that the employer provides anti-virus software for the employee's laptop. Again a cost savings for the employee, as they don't have to purchase it on their own, and they know they are protected with a quality anti-virus. To take that a step farther some companies also add the laptops and smartphones to their Managed Services as an additional device to be monitored for threats and potential hardware problems. The cost is relatively small to the company and very valuable to the longevity of the laptop. Making sure employees have passwords on their devices and are set for a remote wipe whenever possible. 

Possibly the primary concern for companies in moving to BYOD in a business environment is secure company communications being accessed on a personal device - company email on a smartphone and access to the network on a personal laptop or tablet. For companies allowing access to business materials and communications on a personal device they must make sure that they have a clear policy on how that sensitive data is to be handled as well as what will happen upon termination (whether the employee resigns or is fired). Whether your company is using a BYOD system or owns all the equipment you must have a policy for ending employment - securing data, removing access to emails and the network, etc. But if you also have BYOD policies you need to add a few extra steps.

Extra steps that should be considered are having a written agreement that these devices are included in your company non-disclosure or similar employment agreement, that upon termination all company related documentation is to be deleted from the personal device or some companies are going a step farther and saying upon termination (again either when the employee resigns or is fired) the personal device(s) will be submitted to the company's IT support and company data will be removed by support staff. This is not done in an antagonistic way, but rather it should be made clear that this step protects the company and the employee from intentionally or accidentally allowing access to sensitive material and the employee finding themselves subject to litigation.

All-in-all any company considering the change to a BYOD model needs to make sure they've considered all the pros and cons of the change and if they decide to move forward make sure all the information and the expectations are ready to be provided to employees before the change occurs. There's nothing like a little ambiguity to turn a great idea into a failed procedure.