{
	"id": "2acba441-4cbc-4ca7-8451-cd55218eb4c8",
	"created_at": "2026-04-06T01:29:28.475482Z",
	"updated_at": "2026-04-10T03:21:46.552088Z",
	"deleted_at": null,
	"sha1_hash": "e2119a7e79ef31d0177a10c784b22bf2ada8f16d",
	"title": "TeslaCrypt 2.0 disguised as CryptoWall",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 572987,
	"plain_text": "TeslaCrypt 2.0 disguised as CryptoWall\r\nBy Fedor Sinitsyn\r\nPublished: 2015-07-14 · Archived: 2026-04-06 01:20:54 UTC\r\nThe TeslaCrypt family of ransomware encryptors is a relatively new threat: its samples were first detected in\r\nFebruary 2015. Since then the malware has been widely portrayed in mass media as the ‘curse’ of computer\r\ngamers because it targets many game-related file types (game saves, user profiles, etc.). The Trojan’s targets have\r\nincluded people in the US, Germany, Spain and other countries.\r\nTeslaCrypt is still in the active development phase: in the past months, its appearance, the name shown to victims\r\n(the malware can mimic CryptoLocker and has used the names TeslaCrypt and AlphaCrypt), extensions of\r\nencrypted files (.ecc, .ezz, .exx), as well as implementation details, have all changed.\r\nKaspersky Lab recently discovered the latest version of the Trojan – TeslaCrypt 2.0. This version is different from\r\nprevious ones in that it uses a significantly improved encryption scheme, which means that it is currently\r\nimpossible to decrypt files affected by TeslaCrypt. It also uses an HTML page instead of a GUI. Incidentally, the\r\nHTML page was copied from another Trojan – Cryptowall.\r\nKaspersky Lab products detect malware from the TeslaCrypt family as Trojan-Ransom.Win32.Bitman. The latest\r\nversion of the Trojan that is discussed in this paper is detected as Trojan-Ransom.Win32.Bitman.tk, its MD5-hash:\r\n1dd542bf3c1781df9a335f74eacc82a4\r\nEvolution of the threat\r\nEach TeslaCrypt sample has an internal version of the malware. The first sample we found was version 0.2.5. 
It\r\nhad borrowed its graphical interface, including the window header, from another encrypting ransomware program\r\n– CryptoLocker.\r\nhttps://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/\r\nPage 1 of 12\n\nTeslaCrypt 0.2.5\r\nBy version 0.4.0, the developers of TeslaCrypt had completely changed the malware’s appearance.\r\nTeslaCrypt 0.4.0\r\nThe following features of the malware family remain the same, regardless of the version:\r\nThe Trojan independently generates a new, unique Bitcoin address and a private key for it. The address is\r\nused both as a victim ID and to receive payments from the victim.\r\nThe AES-256-CBC algorithm is used to encrypt files; all files are encrypted with the same key.\r\nFiles larger than 0x10000000 bytes (~268 MB) are not encrypted.\r\nC\u0026C servers are located on the Tor network; the malware communicates with the C\u0026Cs via public\r\ntor2web services.\r\nFiles encrypted by the malware include many extensions matching files used in computer games.\r\nThe Trojan deletes shadow copies.\r\nIn spite of the scary stories about RSA-2048 shown to victims, this encryption algorithm is not used by the\r\nmalware in any form.\r\nThe Trojan was written in C++, built using Microsoft’s compiler, with cryptographic algorithm\r\nimplementation taken from the OpenSSL library.\r\nNotable facts\r\nEarly versions of TeslaCrypt (0.2.5 – 0.3.x) were designed to check whether a bitcoin payment had been\r\nsuccessfully made on the site http://blockchain.info. If the payment was received, the malware reported this\r\nto the command server and received a key to decrypt the files. This scheme was vulnerable, since an expert\r\n
could send a request to the C\u0026C and get the necessary key without making a payment.\r\nVersions 0.2.5 – 0.3.x saved the decryption key (with other data) in their own service file, key.dat. The area\r\ncontaining the key was zeroed out in the file only after completing encryption, making it possible to save\r\nthe key by interrupting the encryptor’s operation (e.g., by turning off the computer). After this, the key\r\ncould be extracted from key.dat and used to decrypt all files.\r\nIn version 0.4.0 the file key.dat was renamed to storage.bin, and the decryption key was not stored openly\r\nbut as a multiplicative inverse modulo the order of the standard elliptic curve secp256k1. On completing\r\nencryption, the key was overwritten with random bytes rather than zeros, but it was still possible to extract\r\nthe key before the area was overwritten. This was implemented in our RakhniDecryptor utility.\r\nThe present\r\nRecently a sample of the Trojan with internal version 2.0.0 caught our attention. So what was different this time?\r\nThe first thing that caught the eye was that TeslaCrypt no longer has code responsible for rendering the GUI (the\r\napplication window). Instead, after encrypting the files the Trojan opens an HTML page in the browser. The page\r\nwas fully copied from another infamous ransomware program – CryptoWall 3.0.\r\nThe page that opens when a victim follows one of the links provided by the cybercriminals is also identical to the\r\nCryptoWall payment page, with one exception: the URLs lead to a TeslaCrypt server – the authors of the malware\r\nwere certainly not going to let their rivals get their victims’ money.\r\nTeslaCrypt initializes a string with text about CryptoWall\r\nWhy use this false front? We can only guess – perhaps the attackers wanted to impress the gravity of the situation\r\n
on their victims: files encrypted by CryptoWall still cannot be decrypted, which is not true of many TeslaCrypt\r\ninfections.\r\nIn any event, this is not the only change from the previous version of TeslaCrypt. The encryption scheme has been\r\nimproved again and is now even more sophisticated than before. Keys are generated using the ECDH algorithm.\r\nThe cybercriminals introduced it in versions 0.3.x, but in this version it seems more relevant because it serves a\r\nspecific purpose, enabling the attackers to decrypt files using a ‘master key’ alone. More about this in due course.\r\nThe TeslaCrypt 2.0 encryption scheme\r\nGeneration of key data\r\nThe Trojan uses two sets of keys – ‘master keys’ that are unique for each infected system and ‘session keys’ that\r\nare generated each time the malware is launched on the system.\r\nMaster key generation\r\nLet Q be a standard secp256k1 elliptic curve (“SECG curve over a 256 bit prime field”) and G be the generator of\r\na cyclic subgroup of points on this curve.\r\nLet malware_pub be the attackers’ public key contained in the Trojan’s body (it is a point on the Q curve, stored\r\nas two separate coordinates – x and y).\r\nWhen infecting a system, the Trojan generates:\r\ninstall_id – the infection identifier – a random 8-byte sequence.\r\nmaster_btc_priv – the private master key – a random 32-byte sequence, which is sent to the C\u0026C.\r\nmaster_btc_pub = master_btc_priv * G (point on the curve) – the public master key; stored in encrypted\r\nfiles.\r\nbtc_address – a bitcoin address used to receive the ransom payment – generated using the standard Bitcoin\r\nalgorithm, based on master_btc_pub.\r\nmaster_ecdh_secret = ECDH(malware_pub, master_btc_priv) – a “shared master key”, required for\r\ndecryption if master_btc_priv is lost or does not reach the C\u0026C; not saved anywhere in this form.\r\nmaster_ecdh_secret_mul = master_ecdh_secret * master_btc_priv – a number that can be used to\r\n
recover master_btc_priv; stored in the system.\r\nNote\r\nmaster_btc_priv (in accordance with the Bitcoin operating principle) is a private key that is needed to ‘withdraw’\r\nthe Bitcoins sent to the newly created address btc_address.\r\nSession key generation\r\nEvery time it is launched (when first infecting a computer or, e.g., after a reboot), the Trojan generates new copies\r\nof:\r\nsession_priv – a private session key – random 32 bytes. Used to encrypt files, not saved anywhere.\r\nsession_pub = session_priv * G – a public session key. Stored in encrypted files.\r\nsession_ecdh_secret = ECDH(master_btc_pub, session_priv) – a “shared session key” – needed to\r\ndecrypt files, not saved anywhere in this form.\r\nsession_ecdh_secret_mul = session_ecdh_secret * session_priv – a number that can be used to recover\r\nsession_ecdh_secret. Stored in encrypted files.\r\nKey data saved in the system\r\nUnlike previous versions of the malware, TeslaCrypt 2.0.0 does not use key.dat or storage.bin to store data. Instead,\r\nit uses the system registry: an install_id value is stored in HKCU\\Software\\msys\\ID, and the following structure is\r\nadded to HKCU\\Software\\\u003cinstall_id\u003e\\data:\r\nIn the familiar syntax of the C programming language, the structure can be described as follows:\r\nHere is what it looks like on an infected system:\r\nFile encryption\r\nStarting from version 0.3.5, TeslaCrypt affects both regular drives connected to the system and all file resources\r\navailable on the network (shares), even if they are not mounted as drives with letters of their own. Few other\r\nencryptors can boast this functionality.\r\nEach file is encrypted using the AES-256-CBC algorithm with session_priv as a key. An encrypted file gets an\r\n
additional extension, “.zzz”. A service structure is added to the beginning of the file, followed by encrypted file\r\ncontents. The structure has the following format:\r\nThe same structure in C language syntax:\r\nFile decryption\r\nThe authors of TeslaCrypt 2.0.0 completely removed the file decryption feature that was present in earlier versions\r\nof the malware. Based on analyzing the encryption scheme described above, we can suggest the following\r\nalgorithms for decrypting the files:\r\n1. If master_btc_priv is known, do the following:\r\nRead session_pub from the encrypted file;\r\nCalculate session_ecdh_secret = ECDH(session_pub, master_btc_priv);\r\nRead session_ecdh_secret_mul from the encrypted file;\r\nCalculate session_priv = session_ecdh_secret_mul / session_ecdh_secret;\r\nDecrypt the file using the session_priv key.\r\n2. If master_btc_priv is unknown, but malware_priv is known (and the only people who know it are the\r\ncybercriminals who added the corresponding malware_pub to the Trojan’s body):\r\nRead master_btc_pub from the registry or encrypted file;\r\nCalculate master_ecdh_secret = ECDH(master_btc_pub, malware_priv);\r\nRead master_ecdh_secret_mul from the encrypted file;\r\nCalculate master_btc_priv = master_ecdh_secret_mul / master_ecdh_secret;\r\nWith master_btc_priv known, perform the steps from item 1.\r\nTo get a full understanding of the subject matter, it is worth reading about the Diffie-Hellman algorithm and\r\nECDH – its version for elliptic curves. For example, this is a good resource.\r\nOther features\r\nEvading detection\r\nThe Trojan implements a detection evasion technique based on using COM objects. We first saw it used in\r\nTeslaCrypt version 0.4.0, but since then it has been slightly modified. Pseudocode generated based on version\r\n
2.0.0 looks like this:\r\nC\u0026C communication\r\nThe Trojan’s sample contains a static list of C\u0026C addresses. The servers are actually on the Tor network, but\r\ncommunication with them is carried out through the Web using tor2web services.\r\nBefore TeslaCrypt version 0.4.1, server requests were sent in plaintext; in subsequent versions they were\r\nencrypted using the AES-256-CBC algorithm, with a SHA256 hash of a static string from the malicious program’s\r\nbody used as a key.\r\nThe pseudocode screenshot below shows the process of creating an HTTP request to be sent by the Trojan when\r\ninfecting a system.\r\nDistribution\r\nMalware from the TeslaCrypt family is known to be distributed using exploit kits such as Angler, Sweet Orange\r\nand Nuclear. This method of distributing malware works as follows: when a victim visits an infected website, an\r\nexploit’s malicious code uses vulnerabilities in the browser (usually in plugins) to install target malware in the\r\nsystem.\r\nGeographical distribution of users attacked by malware from the TeslaCrypt family\r\nRecommendations\r\nTo protect data from encrypting ransomware, we advise users to back up all their important files regularly. Backup\r\ncopies should be stored on drives that can only be written to as part of the process of backing up data. For\r\n
example, home users can use external hard drives, physically disconnecting them from the computer immediately\r\nafter creating backup copies.\r\nPromptly updating software (particularly browser plugins and the browser itself) is also extremely important,\r\nsince vendors are always striving to close any vulnerabilities that are exploited by cybercriminals.\r\nIf malware did find its way into the system, an up-to-date antivirus product with updated databases and activated\r\nprotection modules can help to stop it from doing any harm. This is especially true of the proactive protection\r\nmodule, which is the last line of defense against 0-day threats.\r\nSource: https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/"
	],
	"report_names": [
		"71371"
	],
	"threat_actors": [],
	"ts_created_at": 1775438968,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e2119a7e79ef31d0177a10c784b22bf2ada8f16d.pdf",
		"text": "https://archive.orkl.eu/e2119a7e79ef31d0177a10c784b22bf2ada8f16d.txt",
		"img": "https://archive.orkl.eu/e2119a7e79ef31d0177a10c784b22bf2ada8f16d.jpg"
	}
}