TeslaCrypt ransomware variant assigns .vvv extension to encrypted files

Saturday 5 December 2015, 4:53AM

By Viorel Ramos


Whereas the basic idea behind file-encrypting Trojans is uniform, the methodology used along the way varies from case to case. Some breeds of ransomware offer test decryption of a specified number of files, others do not. Some set a 72-hour payment deadline, others wait as long as 168 hours. Another point of difference is the name of the ransom note file and the way the payment information is presented to the victim. One widespread variant of the TeslaCrypt threat, for instance, appends a .vvv suffix to every encrypted file and drops a document named how_recover that instructs the user on recovery.

The ransomware deployment routine in this case follows a fairly standard path. Users are compromised through legitimate-looking emails carrying ZIP attachments. The social engineering is elaborate enough that would-be victims are unlikely to spot the catch. As soon as the attachment is opened, the Trojan is dropped onto the system and the active phase of the attack begins. The infection traverses every drive letter on the machine, including removable storage such as USB memory sticks and mapped network drives. By comparing the files it finds against a predefined list of extensions, TeslaCrypt builds the set of files to encrypt. The ransom note advertises RSA-2048; analyses of this family found that the file contents are actually encrypted with AES and that the key material needed to reverse it is protected so that it cannot be recovered from the infected machine alone. The practical effect is the same in either case: the data cannot be decrypted with anything held on the victim's computer.
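The traversal and extension-matching behaviour described above is exactly what an incident responder has to measure after the fact: which drives and folders were reached, how many files carry the .vvv suffix, and which file types the extension list covered. The following Python script is an added example, not code from the article or from any analysis vendor; it walks a directory tree, inventories .vvv files and dropped how_recover notes, and summarizes the original extensions that were hit. It assumes the note file names begin with the stem how_recover and end in .txt or .html, as the article states, and the sample tree it builds is constructed placeholder data, not real malware output. It decrypts nothing; it only scopes the damage so containment and restores can be prioritised.

```python
"""Scope triage for a TeslaCrypt-style .vvv infection (added example, not from the article).

Walks a directory tree the way an incident responder would after an infection:
inventories files carrying the appended .vvv suffix, locates dropped how_recover
notes, and summarizes which original file types were hit. Nothing here decrypts
anything; it only measures the blast radius.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

VVV_SUFFIX = ".vvv"
# Assumption: note files start with this stem and use a .txt or .html extension,
# as the article describes (how_recover.txt / how_recover.html).
NOTE_STEM = "how_recover"
NOTE_EXTS = (".txt", ".html")


@dataclass
class TriageResult:
    encrypted: list = field(default_factory=list)   # full paths of *.vvv files
    notes: list = field(default_factory=list)       # full paths of ransom notes
    dirs_hit: set = field(default_factory=set)      # directories containing *.vvv


def is_encrypted(name: str) -> bool:
    return name.lower().endswith(VVV_SUFFIX)


def is_ransom_note(name: str) -> bool:
    lower = name.lower()
    return lower.startswith(NOTE_STEM) and lower.endswith(NOTE_EXTS)


def original_name(path: str) -> str:
    """Recover the pre-encryption filename: this variant only appends .vvv."""
    if is_encrypted(path):
        return path[: -len(VVV_SUFFIX)]
    return path


def triage(root: str) -> TriageResult:
    """Inventory encrypted files and ransom notes under root (symlinks not followed)."""
    result = TriageResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_encrypted(name):
                result.encrypted.append(path)
                result.dirs_hit.add(dirpath)
            elif is_ransom_note(name):
                result.notes.append(path)
    return result


def hit_extensions(result: TriageResult) -> Counter:
    """Count encrypted files by their original extension (e.g. '.docx')."""
    counts = Counter()
    for path in result.encrypted:
        _stem, ext = os.path.splitext(original_name(path))
        counts[ext.lower() or "<none>"] += 1
    return counts


def build_sample_tree() -> str:
    """Create a constructed sample tree (placeholder data, not real malware output)."""
    root = tempfile.mkdtemp(prefix="vvv_triage_")
    layout = {
        "Documents": ["report.docx.vvv", "budget.xlsx.vvv",
                      "how_recover.txt", "how_recover.html"],
        "Pictures": ["holiday.jpg.vvv", "how_recover.txt"],
        os.path.join("Pictures", "raw"): ["img_0001.cr2"],   # untouched
        "tools": ["setup.exe", "readme.txt"],                 # untouched
    }
    for rel_dir, names in layout.items():
        d = os.path.join(root, rel_dir)
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"placeholder\n")
    return root


if __name__ == "__main__":
    res = triage(build_sample_tree())
    print(f"{len(res.encrypted)} encrypted files in {len(res.dirs_hit)} directories, "
          f"{len(res.notes)} ransom notes")
    for ext, n in hit_extensions(res).most_common():
        print(f"  {ext}: {n}")
```

Run it against the root of each drive letter and mapped share the article says the infection traverses, from a clean machine with the volumes mounted read-only; the `dirs_hit` set tells you which shares need restoring, and `hit_extensions` shows which file types the attacker's extension list covered, which is useful when deciding whether untouched types (such as the .cr2 raw image above) can be left in place.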

Every affected document, photo and video consequently ends with the .vvv string. The pest also drops its ransom payment instructions as how_recover.txt and how_recover.html into each folder whose contents it encrypted. Among other details, the note tells the victim the ransom amount, which must be paid in Bitcoin within seven days. Security researchers have found a few workarounds that can restore .vvv files to their original state without paying the scammers. These tips are worth trying: