Hackers are using the Angler exploit kit and Tor network to spread the TeslaCrypt ransomware in a new campaign designed to defraud companies of bitcoin payments worth thousands of dollars, according to Dell SecureWorks.
The Dell SecureWorks Counter Threat Unit (CTU) reported uncovering the scam in a security advisory.
"In early February 2015, Dell SecureWorks CTU researchers investigated a new file-encrypting ransomware family named TeslaCrypt which was distributed by the popular Angler browser exploit kit," read the advisory.
TeslaCrypt is file-encrypting ransomware: rather than locking users out of the infected machine, it encrypts the victim's files and demands payment for the key. It is particularly damaging because it specifically targets business and commonly used file formats.
"It targets file formats from productivity suites such as Open Office and Microsoft Office, as well as formats associated with video games and creative applications," read the advisory.
"After encrypting popular file types with the AES-256 encryption algorithm, TeslaCrypt holds the files for a ransom of $250 to $1,000."
The researchers said that the campaign is doubly dangerous because the Angler exploit kit uses infection techniques rarely seen in automated attack tools.
"It uses a memory-resident, file-less mechanism called Bedep that minimises the observable footprint of an infection. Bedep can download additional malware payloads and initiate advertising click-fraud activity," read the advisory.
"It exploited several Adobe Flash Player zero-day vulnerabilities in early 2015. Exploit kits distributing commodity-style malware rarely exploit zero-day vulnerabilities."
The researchers said that the malware's use of the Tor network, combined with its ability to encrypt files without any network connection, complicates defence, but added that they have uncovered evidence that the attackers are engaged in other illegal activities.
"The malware uses the Tor anonymity network for command and control, and does not require network connectivity to encrypt files, which complicates detection, prevention and remediation," read the advisory.
"The group's infrastructure shows involvement in additional fraudulent activity, including theft of financial data and other credentials. TeslaCrypt does not contain credential theft or data exfiltration capabilities."
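Because the sample encrypts without network connectivity, a defender cannot rely on spotting the Tor command-and-control traffic; a host-side signal is needed. The following is an added example, not code from the advisory or from Dell SecureWorks: a heuristic that flags a process which rewrites many user documents within a short window. It assumes an event feed with Time, Process and Path fields (constructed inline here; in practice it would come from file-create auditing such as Sysmon), and the extension list is an assumption chosen to cover the categories the advisory names.

```powershell
# Added example (not from the Dell SecureWorks advisory): a host-side heuristic that
# flags a process rewriting many user documents in a short window. It needs no
# network signal, so it still works against a sample that encrypts offline.
# Assumptions: events carry Time/Process/Path (constructed inline below) and the
# extension list approximates the office, game and creative formats the advisory cites.

$targetExtensions = @('.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.odt', '.ods',
                      '.psd', '.raw', '.sav')   # assumed; build yours from a file inventory

function Find-EncryptionBurst {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with Time, Process, Path
        [int]$WindowSeconds = 60,                  # length of the sliding window
        [int]$Threshold = 20                       # distinct target files per window to alert on
    )
    $hits = @()
    $relevant = $Events | Where-Object {
        $targetExtensions -contains [IO.Path]::GetExtension($_.Path).ToLowerInvariant()
    }
    foreach ($group in ($relevant | Group-Object -Property Process)) {
        # Distinct files only, so one document saved repeatedly does not look like a burst
        $times = @($group.Group | Sort-Object -Property Path -Unique |
                   Sort-Object -Property Time | Select-Object -ExpandProperty Time)
        # Sliding window over the sorted timestamps: find the densest WindowSeconds span
        $best = 0; $bestStart = 0; $bestEnd = 0; $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            $count = $end - $start + 1
            if ($count -gt $best) { $best = $count; $bestStart = $start; $bestEnd = $end }
        }
        if ($best -ge $Threshold) {
            $hits += [pscustomobject]@{
                Process   = $group.Name
                Files     = $best
                FirstSeen = $times[$bestStart]
                LastSeen  = $times[$bestEnd]
            }
        }
    }
    $hits
}

# Constructed sample feed: a user saving a few documents over a quarter of an hour,
# and a hypothetical process rewriting thirty spreadsheets in thirty seconds.
$t0 = [datetime]'2015-02-10T09:00:00'
$events = @()
foreach ($i in 1..3) {
    $events += [pscustomobject]@{ Time = $t0.AddMinutes($i * 5); Process = 'winword.exe'
                                  Path = "C:\Users\alice\Documents\report$i.docx" }
}
foreach ($i in 1..30) {
    $events += [pscustomobject]@{ Time = $t0.AddSeconds($i); Process = 'rogue.exe'
                                  Path = "C:\Users\alice\Documents\sheet$i.xlsx" }
}

Find-EncryptionBurst -Events $events | Format-Table -AutoSize
```

With the constructed feed only rogue.exe is reported; winword.exe touches three files fifteen minutes apart and never fills a window. Tune the threshold against a baseline of real user and backup activity before alerting on it, since backup agents and bulk document converters produce the same shape of burst.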
Dell SecureWorks urged concerned businesses to take a variety of defence measures.
These include blocking executable files, keeping operating systems, browsers and browser plugins patched, and implementing software restriction policies "to prevent programs like TeslaCrypt from executing in common directories".
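The advisory's recommendation is to stop programs executing from the directories an exploit kit can write to. The following is an added example, not from the advisory or from Dell SecureWorks: an AppLocker path policy (the successor to classic Software Restriction Policies on Windows 7 and later) that allows the normal install locations and denies execution from user-writable ones, with a dry run before enforcement. It assumes a Windows host with the AppLocker module, an elevated session, and that the output path and rule GUIDs below are placeholders chosen here.

```powershell
# Added example (not from the Dell SecureWorks advisory): an AppLocker path policy
# standing in for the "software restriction policy" the advisory recommends.
# Assumptions: Windows with the AppLocker module, run as Administrator; the policy
# file path and the rule GUIDs are placeholders chosen for this example.

$policyPath = Join-Path $env:TEMP 'block-user-writable.xml'   # assumed output location

# Once a rule collection is enforced, AppLocker denies anything no rule allows, so the
# normal install locations get explicit Allow rules. An explicit Deny always beats an
# Allow, so the Deny rules below still apply inside those trees. %WINDIR%\Temp is
# user-writable, which is why it gets its own Deny despite the %WINDIR% Allow.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="Allow Program Files"
                  Description="Installed software" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="Allow Windows"
                  Description="Operating system binaries" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000003" Name="Allow local administrators"
                  Description="Keeps admins workable" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000004" Name="Deny user AppData"
                  Description="Covers Local\Temp, Roaming and friends" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000005" Name="Deny Windows Temp"
                  Description="World-writable directory under %WINDIR%" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: evaluate sample paths against the XML without applying it. Point these at
# files that exist on the test host; the first is where a drive-by payload would land.
$samples = @(
    "$env:LOCALAPPDATA\Temp\update.exe",
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
    "$env:windir\Temp\svchost.exe"
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforcement is deliberately left commented out. Set-AppLockerPolicy without -Merge
# replaces the local policy, and rules are only evaluated while the Application
# Identity service (AppIDSvc) is running.
# Set-AppLockerPolicy -XmlPolicy $policyPath
# sc.exe config appidsvc start= auto
# Start-Service AppIDSvc
```

Run the dry run as a standard user's context first (the `-User` parameter takes a name or SID) and review the AppLocker event log after a week in audit mode before switching `EnforcementMode` to `Enabled`; legitimate self-updating software that runs from AppData is the usual casualty of a policy like this.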
Ransomware and the Angler exploit kit are a growing problem facing businesses and governments.
Rackspace security researcher Brad Duncan reported on 12 May that the Angler exploit kit had been upgraded to distribute a mysterious new variant of ransomware based on the TeslaCrypt and AlphaCrypt attack tools.
Prior to this, Trend Micro researchers uncovered evidence in March that hackers are developing a polymorphic ransomware known as Virlock with enhanced file-infection and self-restoring capabilities.