Attackers are using the infamous Angler exploit kit to disseminate a new, as-yet-unnamed variant of the TeslaCrypt and AlphaCrypt ransomware, according to Rackspace security researcher Brad Duncan.
Duncan analyzed the threat on the SANS Internet Storm Center, saying that the malware presents its victims with a pop-up instruction window similar to that deployed by another prominent strain of ransomware, known as CTB-Locker. However, the pop-up window containing the decryption instructions does not supply a name for this particular piece of ransomware.
TeslaCrypt first emerged in late February. It is a type of ransomware that encrypted files associated with online and PC games. AlphaCrypt is another ransomware threat that cropped up in late April. According to an analysis by BleepingComputer.com, the primary difference between the two strains is that TeslaCrypt appends .ECC and .EXX to encrypted data files, while AlphaCrypt uses .EZZ.
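The extension change described above is the one host-side indicator the article gives, and it is enough for a simple detection. The following script is an added example, not code from the article or from either research team: it maps the reported extensions to a family and flags a host on which several such renames occur within a short window, which is what a bulk-encryption run looks like in file-activity logs. The log format (tab-separated timestamp, host, new path), the sample events and the threshold and window values are all constructed assumptions.

```python
"""Added example (not from the article): classify TeslaCrypt/AlphaCrypt
file extensions and flag a burst of such renames per host in file-event logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Extensions the article reports for each strain (lower-cased for matching).
FAMILY_BY_EXTENSION = {
    ".ecc": "TeslaCrypt",
    ".exx": "TeslaCrypt",
    ".ezz": "AlphaCrypt",
}


def classify(path):
    """Return the ransomware family implied by the file's final extension, or None."""
    ext = os.path.splitext(path)[1].lower()
    return FAMILY_BY_EXTENSION.get(ext)


# Constructed sample of file-rename events: "timestamp<TAB>host<TAB>new_path".
# host1 shows a bulk-encryption pattern; host2 shows a single stray match.
SAMPLE_EVENTS = """\
2015-05-20T10:00:01\thost1\tC:\\Users\\a\\Docs\\report.docx.ezz
2015-05-20T10:00:02\thost1\tC:\\Users\\a\\Docs\\budget.xlsx.ezz
2015-05-20T10:00:02\thost1\tC:\\Users\\a\\Pics\\holiday.jpg.ezz
2015-05-20T10:00:03\thost1\tC:\\Users\\a\\Saves\\slot1.sav.ezz
2015-05-20T10:00:04\thost1\tC:\\Users\\a\\Saves\\slot2.sav.ezz
2015-05-20T11:30:00\thost2\tC:\\Users\\b\\notes.txt
2015-05-20T11:31:00\thost2\tC:\\Users\\b\\archive.ecc
"""


def parse_events(text):
    """Parse the constructed log format into (datetime, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, path = line.split("\t", 2)
        events.append((datetime.fromisoformat(ts), host, path))
    return events


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {host: family} for every host that renamed at least `threshold`
    files to a known ransomware extension within any `window`-long span.
    Uses a sliding window over the host's time-sorted matching events."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        family = classify(path)
        if family:
            per_host[host].append((ts, family))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Report the family of the event that completed the burst.
                alerts[host] = hits[end][1]
                break
    return alerts


if __name__ == "__main__":
    for host, family in detect_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: burst of {family}-style renames")
```

With the defaults, host1 triggers an AlphaCrypt alert (five .ezz renames in three seconds) while host2's lone .ecc file does not; lowering the threshold to 1 turns the classifier into a plain indicator match, which is noisier but useful when sweeping backups for already-encrypted files.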
Duncan explained to Threatpost that AlphaCrypt is basically just a newer variant of TeslaCrypt. From the infected hosts’ perspective, he said, the two strains have all the same characteristics.
Duncan infected four separate hosts in the span of five hours. Each time, Angler delivered the same malware sample. However, the instructions corresponding with each infection pointed users to a unique Bitcoin address. As in most ransomware infection cases, users are informed that their files will remain encrypted until the user sends some amount of Bitcoin (in this case $528) to the criminal's Bitcoin address in exchange for the decryption key.
“From what I can tell, TeslaCrypt and AlphaCrypt are very similar to CryptoLocker,” Duncan wrote. “This new, unnamed variant appears to be another evolution from this family of ransomware.”