Gamers are now being targeted by crypto-ransomware: TeslaCrypt (also written Tesla Crypt) can encrypt more than 50 known game-related file types, covering both single-player and multiplayer games. Files from Steam and other game delivery platforms are being held for ransom for about one thousand dollars, payable via PayPal My Cash cards or 1.5 bitcoins (worth about $342 each as of the 21st of April, 2015).
The malware was first reported by Bleeping Computer, a specialized support and discussion forum that is rapidly becoming a hub for information about encryptors and ransomware schemes. Bleeping Computer coined the name ‘TeslaCrypt,’ while the security firm Bromium independently published its own analysis of the threat, which it describes as another variant of ‘CryptoLocker.’ Bleeping Computer credits Fabian Wosar of Emsisoft with first discovering TeslaCrypt.
According to Bleeping Computer, TeslaCrypt targets files associated with games such as RPG Maker, League of Legends, Call of Duty, Dragon Age, StarCraft, Minecraft, World of Warcraft, World of Tanks and other popular online games. This is an evolution of earlier ransomware, which tended to target personal records, pictures and other ordinary documents stored on infected machines.
After encrypting the files, the malware changes the PC’s desktop background to a ‘notice’ stating that the user’s documents have been encrypted. The message contains instructions on how and where victims must go to purchase the private key that decrypts their documents. Part of the procedure involves downloading the Tor Browser Bundle; interestingly, the attackers run a Tor hidden service where infected users can obtain instructions from the malware authors on how to make the payment and then decrypt their documents. The notice also contains a “drop dead” date, after which the private key will be destroyed and the documents will be difficult, if not impossible, to recover.
The notice closely resembles that of the notorious CryptoLocker ransomware, which may be why Bromium considers the two pieces of malware to be part of the same family. As Bromium notes, the technical similarities between the two are minor, but they do accept that TeslaCrypt is trading on CryptoLocker’s image.
At least for now, it seems, crypto-ransomware is here to stay, so make sure you are committed to backing up your machines. The people behind these schemes have an eye for business and marketing, and they are getting steadily “better” at infecting users and persuading them to pay to recover their data. This is the reality of a world in which we connect more and more things to the internet, which will only intensify the problem.