TeslaCrypt: Following the Money Trail and Learning the Human Costs of Ransomware

A relatively new ransomware variant, known as TeslaCrypt or Alpha Crypt, emerged in February 2015. Spread via the Angler Exploit Kit, it encrypts a variety of files including those associated with popular online games. The cybercriminals behind this operation demand that victims pay between 0.7 and 2.5 bitcoins, which is about $150 to $500, or $1,000 in PayPal My Cash cards to decrypt their files.

While others have covered the technical details of TeslaCrypt, we examined the lesser-known aspects—the use of bitcoin to pay the ransom and the impact on victims around the globe.  

We tracked the victims’ payments to the cybercriminals—available because the group used bitcoin—and determined that between February and April 2015, the perpetrators extorted $76,522 from 163 victims. This amount may seem trivial compared to millions made annually on other cyber crimes, or the estimated $3 million the perpetrators of CryptoLocker were able to make during nine months in 2013-14.  However, even this modest haul demonstrates ransomware’s ability to generate profits and its devastating impact on victims.

The online correspondence between the victims and the cybercriminals provides context regarding the effect on people's lives. The victims were spread across the globe, from students in Iran and Spain to regular folks in the United States, Brazil, Argentina, Germany, Croatia and Mongolia. Some feared being expelled from school or fired by their employers if they were unable to retrieve their files. Fathers and mothers were devastated by the loss of family photos. The TeslaCrypt ransomware also affected nonprofits, including an organization dedicated to curing blood cancer, as well as small businesses. Many of the victims were simply unable to afford to pay the ransom and gave up.

Ransomware 101

This year, there has been a rise in the volume of ransomware distribution, as well as in the number of different types of ransomware. The term 'ransomware' refers to malware that disables the functionality of a victim’s computer or encrypts the victim’s files and extorts the victim for payment to restore functionality. Some ransomware locks the victim’s computer, impersonates a law enforcement organization and informs the user that they have been implicated in illegal activity. The victim is then instructed to pay a fine.

The most prolific are ransomware variants that encrypt the victim’s computer files and demand payment to decrypt them. This threatens individuals, whose personal files and photos are held for ransom, as well as businesses that find shared drives full of essential documents rendered inaccessible.

Cyber criminals spread ransomware through a variety of methods, including sending spam or leveraging botnets to push the malware to compromised computers. Recently, many perpetrators have been using “drive-by” exploit kits that take advantage of vulnerabilities in popular browsers and plugins to deliver the malware. In this type of attack, cyber criminals compromise legitimate websites or infiltrate advertising networks (malvertising) and insert code that redirects users to a website hosting an exploit kit. Exploit kits typically attempt to detect any vulnerable software on the visitor’s computer, such as old versions of Java or Flash, and then deliver an appropriate exploit that causes the visitor’s computer to download and execute a malicious payload.

Once the malware is executed, the victim’s files are encrypted and a pop-up window displays the ransom demand.

Common Ransomware

The common forms of ransomware observed by FireEye include:

  • Cryptolocker – The most prolific of all the file-encrypting ransomware variants, Cryptolocker was first spotted in 2013. It was spread by the “Gameover Zeus” botnet and demands a ransom of around $300 to $500.
  • Cryptowall – Cryptowall emerged a few months after Cryptolocker in 2013 and mimicked its predecessor’s behavior. The perpetrators brought in over $1 million in a six-month period in 2014.
  • CTB-Locker – First seen in 2014, CTB-Locker was the first file-encrypting ransomware that used the Tor anonymity network. It was available for sale to cybercriminals on underground forums.
  • TorLocker – First deployed in 2014 against Japanese users, TorLocker was marketed and sold on the now defunct Evolution marketplace.
  • Kryptovor – This malware steals files from compromised computers but also has a ransomware component that was first seen in 2014. Kryptovor primarily targets businesses in Russia.

TeslaCrypt

After being compromised with TeslaCrypt, the victim is shown a pop-up window with a warning indicating that the computer’s files have been encrypted. They are provided with several methods to access the TeslaCrypt website, including direct web access, a Tor2web proxy, or by installing the Tor browser and accessing the hidden “.onion” address directly.

TeslaCrypt Pop-up Window

The pop-up window includes a bitcoin address and instructs the victim to visit a website controlled by the cybercriminals to input this bitcoin address and make a payment.  

TeslaCrypt Website

Victims use the bitcoin address to pay the ransom and retrieve the decryption keys after making the payment. After entering the bitcoin address, the victim is presented with a ransom notice.

Ransomware perpetrators often require payment in bitcoin because it is, in some ways, less traceable than other methods. Other common payment methods for other ransomware variants include Ukash and MoneyPak.

TeslaCrypt Ransom Page

The cost varies, possibly by region, and the attackers may increase the ransom payment after a period of time. The standard amount in the case of TeslaCrypt was 2.5 bitcoin or approximately $550. The victims could also pay $1,000 using PayPal My Cash cards.

TeslaCrypt “Message Center” and File Decryption

The cybercriminals behind TeslaCrypt allow the victims to upload a single file that is then decrypted and made available for the victim to download. The offer to decrypt a single file allows the cybercriminals to demonstrate that they can, in fact, decrypt the files, which probably adds additional pressure on the victims to pay the ransom.

In the case of TeslaCrypt, the cybercriminals have also set up a message center where the victims can communicate with them. The cybercriminals position themselves as “customer support” and help the victims acquire bitcoin and continue to demand ransom. Other ransomware variants typically display an email address so the victims can contact the cyber criminals.

Once the cybercrime group confirms the payment, the victims are given the decryption keys.

TeslaCrypt Decryption Page

The Money Trail

During our investigation of TeslaCrypt, we discovered 1,231 bitcoin addresses used by the cybercrime group. This does not represent the total number of victims, but rather those who actually went to the TeslaCrypt website and attempted to decrypt a file. We used these bitcoin addresses to determine whether the victim paid the ransom.

Of these 1,231 known victims, 163 paid the ransom, a rate of about 13 percent. Of the victims who paid the ransom, 139 paid a range of 0.5 to 2.5 bitcoin. Another 20 paid with PayPal My Cash cards, and all but one of those individuals paid the full $1,000. Three of the victims pleaded with the cybercrime group, who then provided the decryption keys for free, and one appears to have tricked them by claiming a bitcoin payment that does not appear to have actually taken place.

In total, between Feb. 7, 2015 and April 28, 2015, the cybercrime group collected 254.6 bitcoin (worth $57,272 at the April 29, 2015 exchange rate) and $19,250 in PayPal cards, for a total of $76,522.
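The counting described in this section, as an added example that is not FireEye's tooling: given a set of ransom addresses and the transaction outputs paid to them, it totals what each address received inside the campaign window, ignores dust-sized outputs that are not a ransom payment, and converts the sum at a supplied exchange rate. Every address, transaction, the 0.01 BTC dust threshold and the $225/BTC rate are constructed placeholders; in a real investigation the outputs would be pulled from a block explorer or a local node.

```python
"""Aggregate on-chain payments to a known set of ransom addresses.

Added example (not the blog's or FireEye's code). All addresses, transactions,
dates, thresholds and the exchange rate below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, ROUND_HALF_UP


@dataclass(frozen=True)
class TxOutput:
    """One transaction output: which address received how much, and when."""
    txid: str
    address: str
    value_btc: Decimal
    when: date


# Constructed stand-ins for the ransom addresses recovered from the campaign.
RANSOM_ADDRESSES = {f"RANSOM_ADDR_{i:03d}" for i in range(1, 7)}

# Constructed outputs: one full payment, one paid in two parts, one dust
# output, one payment outside the window and one to an unrelated address.
SAMPLE_OUTPUTS = [
    TxOutput("tx01", "RANSOM_ADDR_001", Decimal("2.5"), date(2015, 3, 1)),
    TxOutput("tx02", "RANSOM_ADDR_002", Decimal("0.5"), date(2015, 3, 5)),
    TxOutput("tx03", "RANSOM_ADDR_002", Decimal("0.2"), date(2015, 3, 6)),
    TxOutput("tx04", "RANSOM_ADDR_003", Decimal("0.0005"), date(2015, 3, 9)),
    TxOutput("tx05", "RANSOM_ADDR_004", Decimal("1.0"), date(2015, 5, 15)),
    TxOutput("tx06", "UNRELATED_ADDR", Decimal("3.0"), date(2015, 3, 2)),
]

# Campaign window taken from the post; the dust threshold is an assumption.
WINDOW = (date(2015, 2, 7), date(2015, 4, 28))
MIN_PAYMENT_BTC = Decimal("0.01")


def payments_by_address(outputs, addresses, window=WINDOW):
    """Sum every in-window output sent to a ransom address, per address."""
    start, end = window
    totals = defaultdict(Decimal)
    for out in outputs:
        if out.address in addresses and start <= out.when <= end:
            totals[out.address] += out.value_btc
    return dict(totals)


def paying_victims(totals, min_btc=MIN_PAYMENT_BTC):
    """Keep only addresses whose receipts exceed the dust threshold."""
    return {addr: btc for addr, btc in totals.items() if btc >= min_btc}


def summarize(outputs, addresses, usd_per_btc, window=WINDOW,
              min_btc=MIN_PAYMENT_BTC):
    """Victim count, paying count, payment rate and totals in BTC and USD."""
    totals = payments_by_address(outputs, addresses, window)
    paid = paying_victims(totals, min_btc)
    total_btc = sum(paid.values(), Decimal("0"))
    total_usd = (total_btc * usd_per_btc).quantize(Decimal("1"),
                                                   rounding=ROUND_HALF_UP)
    return {
        "known_victims": len(addresses),
        "paid": len(paid),
        "payment_rate": round(len(paid) / len(addresses), 3) if addresses else 0.0,
        "total_btc": total_btc,
        "total_usd": total_usd,
    }


if __name__ == "__main__":
    # Constructed rate close to the April 2015 conversion implied by the post.
    print(summarize(SAMPLE_OUTPUTS, RANSOM_ADDRESSES, Decimal("225")))
```

Outputs to one address are summed so that a ransom paid in more than one transaction still counts as a single paying victim; the dust filter stops test sends or tracker transactions from inflating the count. The same ledger lookup is what separates a genuine payment from a claimed one, as with the victim noted above who reported paying when no transaction appears on chain.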

The Human Impact

Among the 1,231 TeslaCrypt victims, 263 interacted with the cybercrime group through their messaging system. These messages provide an inside view into the impact on the victims and the mindset of the cybercriminals. The emotions of the victims, who have just lost all their files, range from anger and bewilderment to a willingness to bargain and desperation. The victims’ comments are in blue; the cybercriminals’ responses appear in red.

Some of the victims use the message center to express their anger, only to be taunted by the cybercriminals who are still holding their files for ransom. The cybercriminals express no remorse.

Others are bewildered by the entire experience. They do not understand what has happened or why all their files are encrypted.

Many of the victims are not familiar with bitcoin and struggle to acquire enough to satisfy the demands of the cybercriminals.

Some of the victims attempt to bargain with the cybercriminals to reduce the ransom. Sometimes they are successful; sometimes they are not.

The loss of critical files has a devastating impact on the victims. With their files held hostage, they are unable to file tax returns or fear that they will be fired by their employer.

In the end, there is no guarantee that the cybercriminals can decrypt the files even after payment. But many are desperate enough that they are willing to take that risk.

Unfortunately, the decryption does not always work. Sometimes the victims are infected with different types of malware that interfere with one another or bugs in the ransomware prevent all the victims’ files from being decrypted.

In the end, the cybercriminals are disrupting the operations of businesses and nonprofits, as well as potentially wiping out individuals’ family photos and important documents.

Individuals and Small Businesses Should Consider Basic Steps to Protect Themselves

We anticipate that ransomware will continue to be a growth area for cybercriminals in the next few years. The tools are easy to employ, and even inexperienced intruders can generate a quick profit from Internet users around the world who are desperate to recover their files and pay the ransom.

The security community has developed tools to recover files without paying the cybercriminals. A recently released tool developed by Cisco’s Talos Group allows users to decrypt files that were encrypted by TeslaCrypt without paying the ransom. FireEye and Fox-IT teamed up to provide a mechanism to decrypt files encrypted by Cryptolocker, and Kaspersky developed a tool that can decrypt files that are encrypted by TorLocker. Cybercriminals will keep innovating, and these tools can only go so far.

Individuals and small businesses should consider taking the basic steps larger firms take to protect their information. Keep software and firmware up to date, be aware of the websites that you browse, use spam filters, and make regular backups.

This final case illustrates how regular backups are important because your data can be recovered without paying the attackers.
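An added example, not part of the original post, of one way to make the backup advice above checkable: record a SHA-256 manifest of the files at backup time, store it with the backup, and later compare the live tree against it. Files whose content changed, vanished or newly appeared are reported, which is how an encrypted original or a dropped ransom note would show up before a restore is attempted. The file names, contents and the ransom-note name HELP_RESTORE.txt are constructed for the demo.

```python
"""Hash manifest for a backup set, with a verify pass that reports drift.

Added example (not FireEye's or the blog's code). Directory layout, file
contents and the ransom-note filename are constructed for demonstration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, path: Path) -> None:
    """Persist the manifest next to the backup, not inside the backed-up tree."""
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the live tree with the manifest; report modified/missing/new."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "new": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Build a constructed data set, snapshot it, then simulate an infection."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        (data / "docs").mkdir(parents=True)
        (data / "docs" / "report.txt").write_text("quarterly numbers")
        (data / "photos").mkdir()
        (data / "photos" / "family.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 32)

        manifest_path = Path(tmp) / "manifest.json"   # kept outside the tree
        save_manifest(build_manifest(data), manifest_path)

        # What the tree looks like after ransomware ran: one original has been
        # replaced by unreadable bytes and a ransom note was dropped.
        (data / "docs" / "report.txt").write_bytes(os.urandom(64))
        (data / "HELP_RESTORE.txt").write_text("constructed ransom note")

        return verify_manifest(data, load_manifest(manifest_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is written outside the tree it describes so that a pass over the data never reports the manifest itself as a new file, and so it can sit with an offline copy of the backup; a manifest stored on the same drive as the originals would be encrypted along with them.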