{"id":2550,"date":"2016-06-08T16:38:20","date_gmt":"2016-06-08T09:38:20","guid":{"rendered":"https:\/\/humanit.asia\/?p=2550"},"modified":"2019-07-22T14:18:43","modified_gmt":"2019-07-22T07:18:43","slug":"a-close-look-at-teslacrypt-3-0-ransomware","status":"publish","type":"post","link":"https:\/\/old.humanit.asia\/th\/a-close-look-at-teslacrypt-3-0-ransomware\/","title":{"rendered":"A Close Look at TeslaCrypt 3.0 Ransomware"},"content":{"rendered":"<div>\n<p>TeslaCrypt is yet another ransomware taking the cyber world by storm. It is mostly distributed via spear phishing email and through the Angler exploit kit. Angler exploits a vulnerability in Adobe Flash and, upon success, downloads a variant of the ransomware.<\/p>\n<p>TeslaCrypt 3.0 introduces various updates, one of which renders encrypted files irrecoverable via normal means.<\/p>\n<p><strong>Infection Indicators<\/strong><br \/>\nMachines infected by TeslaCrypt will usually have the following files present in almost every directory:<\/p>\n<ul>\n<li>+REcovER+<em>[Random]<\/em>+.html<\/li>\n<li>+REcovER+<em>[Random]<\/em>+.txt<\/li>\n<li>+REcovER+<em>[Random]<\/em>+.png<\/li>\n<\/ul>\n<p>The recovery instructions for the encrypted files can be found inside these files.<\/p>\n<div id=\"attachment_15818\" class=\"wp-caption aligncenter\" style=\"width: 310px;\"><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-1-TeslaCrypt-ransom-note.jpg\"><img fetchpriority=\"high\" decoding=\"async\" class=\"size-medium wp-image-15818\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-1-TeslaCrypt-ransom-note-300x236.jpg\" sizes=\"(max-width: 300px) 100vw, 300px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-1-TeslaCrypt-ransom-note-300x236.jpg 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-1-TeslaCrypt-ransom-note-768x604.jpg 768w, 
https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-1-TeslaCrypt-ransom-note-1024x805.jpg 1024w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-1-TeslaCrypt-ransom-note.jpg 1172w\" alt=\"TeslaCrypt ransom note \" width=\"300\" height=\"236\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">TeslaCrypt ransom note<\/p>\n<\/div>\n<p><strong>Technical Details<\/strong><br \/>\n<em>Note: The file used for this analysis has an MD5 value of 1028929105f1e6118e06f8b7df0b3381.<\/em><\/p>\n<p>The malware starts by ensuring it\u2019s in its intended directory. For this sample, it checks if it is located in the <strong>Documents<\/strong> directory. If it\u2019s not, it copies itself to that directory and executes its copy from there. It deletes itself after executing the copy.<\/p>\n<p>The ransomware creates multiple threads that do the following:<\/p>\n<ul>\n<li>Monitor processes and terminate those that contain the following strings:\n<ul>\n<li>taskmg<\/li>\n<li>regedi<\/li>\n<li>procex<\/li>\n<li>msconfi<\/li>\n<li>cmd<\/li>\n<\/ul>\n<\/li>\n<li>Contact the C&amp;C server and send certain information, such as system information and the unique system ID.<\/li>\n<li>Run the file encryption routine.<\/li>\n<\/ul>\n<p><strong>Obfuscation<\/strong><br \/>\nTeslaCrypt is not immune to recycling code from older malware families. The initial code is an encrypted form of the compressed binary. 
Upon decryption, the malware will call the RtlDecompressBuffer API and finally write the decompressed data into its own memory.<\/p>\n<div id=\"attachment_15819\" class=\"wp-caption aligncenter\" style=\"width: 310px;\"><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-2-Call-to-RtlDecompressBuffer.jpg\"><img decoding=\"async\" class=\"size-medium wp-image-15819\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-2-Call-to-RtlDecompressBuffer-300x81.jpg\" sizes=\"(max-width: 300px) 100vw, 300px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-2-Call-to-RtlDecompressBuffer-300x81.jpg 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-2-Call-to-RtlDecompressBuffer.jpg 581w\" alt=\"Call to RtlDecompressBuffer \" width=\"300\" height=\"81\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">Call to RtlDecompressBuffer<\/p>\n<\/div>\n<p>The malware also uses a technique to obscure API calls by using the hash of the API name and passing it to a function that retrieves the API address.<\/p>\n<div id=\"attachment_15820\" class=\"wp-caption aligncenter\" style=\"width: 310px;\"><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-3.jpg\"><img decoding=\"async\" class=\"wp-image-15820 size-medium\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-3-300x40.jpg\" sizes=\"(max-width: 300px) 100vw, 300px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-3-300x40.jpg 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-3-600x81.jpg 600w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-3.jpg 615w\" alt=\" \" width=\"300\" height=\"40\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">The malware passes an API hash to a function that returns the procedure address of the API.<\/p>\n<\/div>\n<div id=\"attachment_15821\" class=\"wp-caption aligncenter\" 
style=\"width: 310px;\"><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-4.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-15821\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-4-300x40.jpg\" sizes=\"(max-width: 300px) 100vw, 300px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-4-300x40.jpg 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-4.jpg 576w\" alt=\"The same code but labeled properly in a disassembler \" width=\"300\" height=\"40\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">The same code but labeled properly in a disassembler.<\/p>\n<\/div>\n<p><strong>File Encryption<\/strong><br \/>\nTeslaCrypt uses AES encryption and sends one part of the key to its C&amp;C server, which by itself renders the files irrecoverable.<\/p>\n<p>It starts by checking whether the system already has its own recovery key. If not, it begins generating the necessary encryption keys. 
These keys will be used for the encryption routine.<\/p>\n<div id=\"attachment_15822\" class=\"wp-caption aligncenter\" style=\"width: 310px;\"><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-5.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-15822 size-medium\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-5-300x134.jpg\" sizes=\"(max-width: 300px) 100vw, 300px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-5-300x134.jpg 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-5.jpg 403w\" alt=\"Figure 5\" width=\"300\" height=\"134\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">Checks if the recovery key already exists and generates it if it doesn\u2019t.<\/p>\n<\/div>\n<p>TeslaCrypt will traverse all fixed, remote and removable drives for files with the following extensions:<\/p>\n<p>.3FR .7Z .ACCDB .AI .APK .ARCH00 .ARW .ASSET .AVI .BAK .BAR .BAY .BC6 .BC7 .BIG .BIK .BKF .BKP .BLOB .BSA .CAS .CDR .CER .CFR .CR2 .CRT .CRW .CSS .CSV .D3DBSP .DAS .DAZIP .DB0 .DBA .DBF .DCR .DER .DESC .DMP .DNG .DOC .DOCM .DOCX .DWG .DXG .EPK .EPS .ERF .ESM .FF .FLV .FORGE .FOS .FPK .FSH .GDB .GHO .HKDB .HKX .HPLG .HVPL .IBANK .ICXS .INDD .ITDB .ITL .ITM .IWD .IWI .JPE .JPEG .JPG .JS .KDB .KDC .KF .LAYOUT .LBF .LITEMOD .LITESQL .LRF .LTX .LVL .M2 .M3U .M4A .MAP .MCMETA .MDB .MDBACKUP .MDDATA .MDF .MEF .MENU .MLX .MOV .MP4 .MPQGE .MRWREF .NCF .NRW .NTL .ODB .ODC .ODM .ODP .ODS .ODT .ORF .P12 .P7B .P7C .PAK .PDD .PDF .PEF .PEM .PFX .PKPASS .PNG .PPT .PPTM .PPTX .PSD .PSK .PST .PTX .PY .QDF .QIC .R3D .RAF .RAR .RAW .RB .RE4 .RGSS3A .RIM .ROFL .RTF .RW2 .RWL .SAV .SB .SID .SIDD .SIDN .SIE .SIS .SLM .SNX .SQL .SR2 .SRF .SRW .SUM .SVG .SYNCDB .T12 .T13 .TAX .TIFF .TOR .TXT .UPK .VCF .VDF .VFS0 .VPK .VPP_PC .VTF .W3X .WALLET .WB2 .WMA .WMO .WMV .WPD .WPS .X3F .XF .XLK .XLS .XLSB .XLSM .XLSX .XXX .ZIP .ZTMP<\/p>\n<p>The exception, however, is if the file contains 
the string <em>\u201crecove\u201d<\/em> or if it is found in the following directories:<\/p>\n<ul>\n<li>%WINDIR% (C:\\Windows)<\/li>\n<li>%PROGRAMFILES% (C:\\Program Files)<\/li>\n<li>%COMMONAPPDATA% (C:\\Documents and Settings\\All Users\\Application Data for Windows XP and C:\\ProgramData for Windows Vista and above)<\/li>\n<li>%LOCALAPPDATA%\\Temporary Internet Files (C:\\Documents and Settings\\[USERNAME]\\Local Settings for Windows XP and C:\\Users\\[USERNAME]\\AppData\\Local for Windows 7 and above)<\/li>\n<\/ul>\n<div id=\"attachment_15823\" class=\"wp-caption aligncenter\" style=\"width: 310px;\"><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-6.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-15823 size-medium\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-6-300x63.jpg\" sizes=\"(max-width: 300px) 100vw, 300px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-6-300x63.jpg 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-6.jpg 592w\" alt=\"Figure 6\" width=\"300\" height=\"63\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">Checking for fixed, removable and remote drives<\/p>\n<\/div>\n<p>Once a file passes the extension check, the malware will proceed with the encryption. The ransomware variant first checks for its encryption header. 
If the file is not yet encrypted, it will proceed with the encryption.<\/p>\n<p>Encrypted files\u2019 headers contain data that includes \u2013 but isn\u2019t limited to \u2013 the global recovery key, the global public key, the original file size and the encrypted data itself.<\/p>\n<div id=\"attachment_15824\" class=\"wp-caption aligncenter\" style=\"width: 310px;\"><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-7.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-15824\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-7-300x231.jpg\" sizes=\"(max-width: 300px) 100vw, 300px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-7-300x231.jpg 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-7.jpg 630w\" alt=\"Sample of an encrypted file \" width=\"300\" height=\"231\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">Sample of an encrypted file<\/p>\n<\/div>\n<p><strong>C&amp;C Servers<\/strong><br \/>\nThe malware tries to connect to one of the following domains:<\/p>\n<ul>\n<li>hxxp:\/\/naturstein-schubert.de<\/li>\n<li>hxxp:\/\/csskol.org\/wp-content<\/li>\n<li>hxxp:\/\/casasembargada.com<\/li>\n<li>hxxp:\/\/mahmutersan.com.tr<\/li>\n<li>hxxp:\/\/forms.net.in<\/li>\n<li>hxxp:\/\/kknk-shop.dev.onnetdigital.com<\/li>\n<\/ul>\n<p>If it manages to connect to a server, it then sends a POST request using encoded data. 
The data it will send includes the following:<\/p>\n<ul>\n<li>The shared key for the encryption<\/li>\n<li>Bitcoin address<\/li>\n<li>OS version<\/li>\n<li>TeslaCrypt version<\/li>\n<li>Unique ID for the infected system<\/li>\n<\/ul>\n<div id=\"attachment_15825\" class=\"wp-caption aligncenter\" style=\"width: 310px;\"><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-8.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-15825\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-8-300x79.jpg\" sizes=\"(max-width: 300px) 100vw, 300px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-8-300x79.jpg 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-8.jpg 650w\" alt=\"HttpSendRequest with the encrypted data \" width=\"300\" height=\"79\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">HttpSendRequest with the encrypted data<\/p>\n<\/div>\n<p><strong>Other Details<\/strong><br \/>\nTo ensure the malware only has one instance running, it creates a mutex named \u201c8_8_8_8\u201d.<\/p>\n<div id=\"attachment_15826\" class=\"wp-caption aligncenter\" style=\"width: 310px;\"><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-9.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-15826 size-medium\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-9-300x63.jpg\" sizes=\"(max-width: 300px) 100vw, 300px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-9-300x63.jpg 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-9.jpg 649w\" alt=\"Figure 9\" width=\"300\" height=\"63\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">CreateMutex function<\/p>\n<\/div>\n<p>It creates an autostart registry entry to ensure execution at every startup.<\/p>\n<div id=\"attachment_15827\" class=\"wp-caption aligncenter\" style=\"width: 310px;\"><a 
href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-10.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-15827\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-10-300x19.jpg\" sizes=\"(max-width: 300px) 100vw, 300px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-10-300x19.jpg 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-10-768x48.jpg 768w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-10.jpg 1019w\" alt=\"Autostart registry \" width=\"300\" height=\"19\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">Autostart registry<\/p>\n<\/div>\n<p>It also adds a policy in the registry to remove permission restrictions on network drives, essentially allowing any user to access these network drives.<\/p>\n<div id=\"attachment_15828\" class=\"wp-caption aligncenter\" style=\"width: 310px;\"><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-11.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-15828\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-11-300x36.jpg\" sizes=\"(max-width: 300px) 100vw, 300px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-11-300x36.jpg 300w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-11.jpg 743w\" alt=\"EnableLinkedConnections registry value \" width=\"300\" height=\"36\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">EnableLinkedConnections registry value<\/p>\n<\/div>\n<p>Interestingly enough, though, it appears the gang behind <a href=\"http:\/\/www.bleepingcomputer.com\/news\/security\/teslacrypt-shuts-down-and-releases-master-decryption-key\/\">TeslaCrypt has had a change of heart<\/a> and has publicly shared the master decryption key. 
Before they shut down, the now-defunct payment site required a minimum of $500 in the form of bitcoin.<\/p>\n<div id=\"attachment_15829\" class=\"wp-caption aligncenter\" style=\"width: 294px;\"><a href=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-12.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-15829\" src=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-12-284x300.jpg\" sizes=\"(max-width: 284px) 100vw, 284px\" srcset=\"https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-12-284x300.jpg 284w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-12-768x810.jpg 768w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-12-971x1024.jpg 971w, https:\/\/blog.threattrack.com\/wp-content\/uploads\/2016\/06\/Figure-12.jpg 1172w\" alt=\"TeslaCrypt payment page \" width=\"284\" height=\"300\" \/><\/a><\/p>\n<p class=\"wp-caption-text\">TeslaCrypt payment page<\/p>\n<\/div>\n<p><a href=\"https:\/\/www.threattrack.com\/network-security-threats.aspx\">Advanced threat defense products<\/a> like those used in this analysis help avoid ransomware infection. The advanced solutions catch the emerging threat before it can do any damage.\u00a0 You\u2019ve got two great lines of defense: The first is via email and the next is your network.<\/p>\n<p><a href=\"https:\/\/www.threattrack.com\/spear-phishing-attacks.aspx\">Advanced email defense solutions<\/a> like ThreatSecure Email are designed to catch malware that evades traditional defenses. It\u2019s a great tool to help stop attacks by detecting phishing links and exploits that deliver ransomware. That can stop TeslaCrypt from encrypting and taking the data from you.<\/p>\n<p>The next stop is bolstering your network. 
Adding an <a href=\"https:\/\/www.threattrack.com\/network-security-threats.aspx\">advanced defense solution<\/a> that identifies and correlates discovered threats with anomalous network activity is an invaluable tool to guard your data. <a href=\"https:\/\/www.threattrack.com\/network-security-threats.aspx\">ThreatTrack\u2019s ThreatSecure Network<\/a>, for instance, provides end-to-end network visibility and real-time detection to catch traffic hitting known malicious IPs associated with ransomware distribution and C&amp;C.<\/p>\n<p>The post <a href=\"https:\/\/blog.threattrack.com\/close-look-teslacrypt-3-0-ransomware\/\" rel=\"nofollow\">A Close Look at TeslaCrypt 3.0 Ransomware<\/a> appeared first on <a href=\"https:\/\/blog.threattrack.com\/\" rel=\"nofollow\">ThreatTrack Security Labs Blog<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>TeslaCrypt is yet another ransomware taking the cyber w [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[110],"tags":[],"class_list":["post-2550","post","type-post","status-publish","format-standard","hentry","category-security-th"],"_links":{"self":[{"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/posts\/2550","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/comments?post=2550"}],"version-history":[{"count":4,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/posts\/2550\/revisions"}],"predecessor-version":[{"id":2853,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/posts\/2550\/revisions\/2853"}],"wp:attachment":[{"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/media?parent=2550"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/categories?post=2550"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/old.humanit.asia\/th\/wp-json\/wp\/v2\/tags?post=2550"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}