February 8, 2016 By Larry Loeb 2 min read

Three security research firms have noted a recent spike in TeslaCrypt ransomware over the last week. Experts believe the rise has been facilitated by the WordPress content management system (CMS).

The Ad Is the Poison

According to Ars Technica, the attack silently redirects visitors from original sites to malicious ones. The malicious sites host code from the Nuclear exploit kit (EK), while the WordPress sites are injected with large amounts of code that perform a silent redirection to domains displaying host ads. But this is only a diversion: Those ads are stuffed with more code that sends visitors to the true destination, the Nuclear EK.

If the visitors have out-of-date, unpatched versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight or Internet Explorer, they put themselves at risk for infection by the TeslaCrypt ransomware. This malware encrypts user files and then demands ransom for their decryption key.

Distinguishing Features

Security firm Sucuri noted that there were distinguishing features of the malware, including the fact that it had 32 hex-digit strings at the beginning and end of the code. Similarly, once the code has been decrypted it always looks the same.

Interestingly, the malware only infects first-time visitors to the infected site. Ars Technica noted that it may exhibit this sort of behavior in order to throw off security researchers, while Sucuri made sure to mention the invisible iframes installed as part of this process.

The URLs of the invisible iframe all use third-level domains and have “Admedia” or “advertizing” in the path. All the malicious domains and subdomains point to servers on Digital Ocean’s network: 46.101.84.214, 178.62.37.217, 178.62.37.131 and 178.62.90.65.

TeslaCrypt Ransomware Opens Backdoors

TeslaCrypt also uploads multiple backdoors into various locations on the affected Web server and frequently updates the injected code. That means it reinfects all the JavaScript files it can access using cross-site contamination as the method. A webmaster will have to sanitize all the sites on the server at the same time, not just the obviously affected ones, to truly clear out the infection.

Unless the TeslaCrypt problem is resolved, users — and site owners, in particular — should ensure that they are using unique passwords and have the latest versions of patched products.

More from

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today