TeslaCrypt A New Ransomware For Gamers

Rather than bombard you with all of the new ramsomware versions that come out (after the success of CryptoLocker there have been far too many copycats to mention) we've attempted focused on the new versions that are deviating from the standard either because there are work arounds or their targets / delivery are unusual.  This week brings us one of those unusual cases...

TeslaCrypt has been discovered by Fabian Wosar of Emsisoft; TeslaCrypt is unusual because it is very specifically targeting over 40 different video game related files.  The target games include, MineCraft, Call of Duty, World of Warcraft, RPG Maker, World of Tanks, Dragon Age, League of Legends, StarCraft, and Steam.


Most ransomware, prior to TelsaCrypt, has targeted images, documents, and videos.

Another interesting change with TeslaCrypt is for the first time we're seeing PayPal My Cash cards being accepted for the ransom payment.  PayPal My Cash cards can be purchased at CVS, Dollar General, RiteAid, Family Dollar and Freds. After purchasing the card you login to your PayPal account and using the PIN on the back of the card apply the funds to your account.

Paying with a PayPal My Cash card is more expensive than paying with Bitcoins - $1000 vs. $500 USD. This is likely for two reasons, the first is using PayPal they are risking having PayPal confiscate their ill-gotten gains and second if you've ever tried to purchase Bitcoins it's not that simple and takes several days. So if you want to get your files unencrypted now you might pay the premium through PayPal.  The latter would seem to work best in the case of a mission critical business server, but if you have the money and just can't stay away from World of Warcraft it might work on you too.

Image courtesy of Bleeping Computer Image courtesy of Bleeping Computer

Like so much of the ransomware the standard red screen with a shield on the upper left is used to let you know your computer is infected.

Where the name TeslaCrypt came from is anyone's guess, although it is a name they gave themselves, see the screenshot.  Perhaps they are hoping to be as successful as Tesla.



Malicious Email Disguised as Microsoft Volume Licensing

This email appears perfectly legitimate although it's consequences could be devastating to a business!

Most businesses use some version of Microsoft and are aware of licensing requirements, even when they don't know the specifics of their licenses.  So when an email arrives appearing to be from Microsoft's Volume Licensing Service Center and it is properly addressed to the business owner or other correct recipient within the company, most are likely to view it as legitimately from Microsoft.

Take a look at the example of this scam below.  All the company and owner specifics are correct, although yes we redacted the actual business information, and as this company uses Microsoft products the owner immediately thought - I had better figure out what this is all about. MS_Licensing

Helping to add legitimacy to this email, in the case of this business owner, is they are in the process of an expansion and are actively acquiring hardware and software, including some Microsoft products.

So what happens when the unsuspecting victim clicks on the link?  That's where this rouse gets even more convincing.  Upon clicking the link two things happen.

First a web browser does indeed open the main page of the Microsoft Volume Licensing Service Center.  Well that definitely looks right.


Second a prompt to download and save a file also opens. The prompt is right next to the Microsoft page so this is clearly a download from Microsoft.  Except it's not.  The download is a zip file.  As we've said over and over and over if you aren't expecting a zip file, don't save it and absolutely don't open it.

"But I thought it was from Microsoft..."

Once the zip is extracted and the program file is run it pretends to be a Screen Saver, which is an interesting choice.  With monitors just going to sleep these days less and less people use screen savers so it's planting the infection in an unused portion of most people's computers.

While we didn't take the testing further, and the link in this email has been taken down preventing further testing, the download came from a Polish domain and is likely either a variant of the Dyre Malware which has previously been noted to hide as a screen saver or another method of delivery of one of the numerous versions of ransomware currently causing trouble all across the Internet.

The lesson here is the importance of vigilance. Hovering over the link before clicking shows this goes to a .pl (Polish) domain and right there no matter how good the email looks it's obviously fake. Or the moment you're prompted to do anything with a zip file that you weren't expecting either just delete it or if you believe the sender is legitimate call or email to verify the zip before extracting.


A New Year Brings With It New Ransomware

It's a new year so naturally a new ransomware infection has been found attacking computers and networks.  PClock has been discovered masquarading as CryptoLocker.  See image below.  PClock attempts to name itself CryptoLocker, more as a scare tactic than anything, however it has been named PClock from the project name found in it's executable file.


It is not currently known how PClock is distributed. Once installed it attempts to only encrypt certain files types, specifically photos, videos, word processing and spreadsheet files. After encryption is complete PClock changes your desktop background to the ransom screen and provides a 72 hour count down clock for the victim to pay the 1 Bitcoin ransom.  Bitcoin is down a bit today, currently trading at 1 Bitcoin to $267.23 USD.

PClock regularly queries blockchain.info to determine if your payment has been received.  If a payment is received it then automatically transforms itself into the decryptor and prompts you to decrypt your files.

Interestingly if you do not pay within the 72 hours you receive a file, last_chance.txt, that tells you to download the malware again and claims to give you an additional 3 days to pay.  I have not seen any security firms who have actually tested that particular "feature".  


Aside from calling itself CryptoLocker and using a shield as it's image PClock and CryptoLocker don't have much in common.  In fact PClock has a very important difference from CryptoLocker, thanks to the hard work of some in the technology security industry at Emsisoft you won't need to pay to decrypt your files, nor have an enterprise backup running.  This is generally not the case with most ransomware infections, however in this case Emsisoft has called PClock "quite primitive by nature" and it's creators "amateurs at best."  Emsisoft has been able to provide a decryptor saving anyone unlucky enough to get this infection.  

Read more about PClock on Emsisoft.com.  Or if you need a help using the decryptor call you local IT support.


There's No Such Thing As Free Wifi

There's no such thing as a free lunch is as true today as when it was first written in the 1930s, as well as it's likely origin in the once common practice of saloons in America offering a "free" lunch to any patron who purchased at least one drink.

Today, you can take that adage and attach it to a number of scenarios in technology.  There's no such thing as free email. There's no such thing as free software. And the one we're talking about now - There's no such thing as free wifi.

We'll skip the obvious part about how you paid for the hotel room with "free" or complimentary wifi, or the Starbucks you purchased to sit and enjoy as you use their "free" wifi, or the "free" wifi now available when you walk through any number of retail stores like Target. Instead we're going to talk about something many people consider much more insidious - Adware injected into webpages on "free" wifi networks.

In 2012 Justin Watt was staying at a Courtyard Marriott in New York. Justin happens to be a web developer and as such is a bit more savvy about what he's seeing on the screen than your average web surfer. When Justin went to use the "free" wifi to access his blog he noticed a colored bar at the top of his page that shouldn't be there. His curiosity was peaked and he viewed the source code for part of the site and, "Sure enough I saw some unfamiliar CSS (including the prefix rxg) and JavaScript that had been injected after the <head> tag." Justin goes on to say in his blog, "And I found some unfamiliar JavaScript after the <body> tag."

Justin was immediately concerned his site had been hacked and began digging through his core files. Everywhere he checked his site was intact and unharmed. After much testing and eliminating possibilities Justin determined, "somewhere between the Internet and my computer, someone is injecting JavaScript into EVERY SINGLE PAGE I LOAD."

Justin did not see this as the final answer rather the next place to look. Using a utility that unpacks packed Java he was able to determine that the primary purpose of this JavaScript injection was ad injection / ad takeover, in other words forcing unwanted ads upon the unsuspecting "free" wifi user.

The next question, at least for anyone techy inclined, was had the hotel's wifi been hacked or was their something more malicious at work?  Could the hotel's ISP be involved?  Had the hotel itself brought in this technology to influence guests? Justin was also concerned about who could be notified, who would care about this invasion?

Computer companies spend a great deal of time removing Adware from computers and as a result users spend a great deal of money paying to have Adware, Malware, Viruses and Ransomware removed from their computers. But this is the cost of being online; the Internet is crawling with things we don't want on our computer and we'd like to believe that when using "free" wifi the company providing it has our best interests at heart and has put security in place to keep our systems safe.  Sadly that's not always the case.

Back to that odd prefix tag "rxg", this is how Justin was able to get to the bottom of the injected JavaScript with the help of one of his blog readers.  It turned out that "rxg" was short for Revenue eXtraction Gateway, made by a Nevada company RG Nets.

From RG Nets site, "...the rXg is the perfect platform for clear communication, authoritative control and complete cognizance over your RGN end-user population."  If that doesn't make you weary of ever using "free" wifi again I don't know what will.  RG Nets site goes on to say, "...profitable IP RGNs extract revenue from the end-user community through a combination of direct and indirect mechanisms."

demo video is available on RG Nets site. A portion of the video transcript, "As you can see the pervasive nature of the advertising banner on all webpages guarantees banner advertising impressions. The RGNets rXg HTML payload rewriting feature is a tremendously powerful tool, with a broad spectrum of applications for Internet marketing programs."  YIKES!

For anyone traveling through Atlanta's International Airport they are listed as an RG Net rXg success story, so be wary of what you see on our screen with that "free" wifi.  A local Nevada success story is the Peppermill Hotel & Casino where the rXg is "...used to advertise resort amenities, restaurants, gaming specials and events." At the Peppermill the rXg is also used to charge for different levels of access including, casino patron, convention attendee or exhibitor, and overnight guess access.

While the Marriott came out shortly after Justin posted his blog and said, "...this functionality has now been disabled." this article does not appear to have harmed RG Nets, although it appears to purchase an rXg you must now contact them directly through a contact page on their website.

Screenshots from an RG Nets online brochure.

RGNets1RGNets2                     RGNets3

Subscribe to this RSS feed

Contact us

Phone: (775) 852-1811

Toll Free: (866) 511-1331

Fax: (775) 852-1844

Email: info@tsis.net

Physical Address:

800 South Meadows Parkway

Suite 600

Reno, NV 89521

Log in or Sign up