While reviewing recent anomalies in our threat traffic, Omri Givoni, who heads our Threat Prevention Cloud Group, noticed a spike of more than 100,000 detection events on leap day, February 29th, 2016. Zeroing in on the event, we isolated a single SHA1, 7429b5b4c239cb5380b6d7e4ffa070c4f92f3c79, which, strangely, showed no incidents either before or after that date.


fig 1

A quick examination confirmed this was a distinct campaign based on a new TeslaCrypt variant which, on leap day itself, was detected by only four AV vendors according to VirusTotal.


Why do a spike campaign?

Ransomware infections are now the top concern for customers and security firms alike, displacing banking malware. Because of that attention, ransomware Command and Control (C2) servers are exposed quickly: signatures are issued for the specific files, and the C2 domains are added to blocking lists.

Therefore, to make a ransom operation pay off, the attackers must reach their targets as fast as possible and maximize infections before the AV vendors update their signatures and reputation databases mark the C2 servers as malicious.

On the campaign day, the payloads were flagged by only four of the 56 AV engines whose results VirusTotal shows.

Our sandboxing solution, SandBlast, uses machine learning and detected this malware before it reached the endpoint, recognizing the TeslaCrypt ransomware on its first run without needing a signature. Here is the report of our generic detection:

fig 2

Breaking down the attack

The attack starts with a mass spam email campaign, aiming to reach as many inboxes as possible before spam filters catch it and AV vendors create a signature.

fig 3

The message is a social engineering lure (a somewhat poor one, given the spelling error in the salutation and the rather large sum claimed to be overdue) designed to frighten the user into opening the attachment for fear of penalties. The attachment, which appears from its extension to be a .doc file, is actually a JavaScript file inside a zip archive. Opening it runs the script, which downloads and executes TeslaCrypt.
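The attachment trick above (a Windows Script Host file carrying a document-looking name inside a zip) is easy to catch at the mail gateway before the user ever double-clicks it. The following is an added example of such a triage check, written for this article and not part of the original post or of any Check Point product; the member names, the decoy-extension list and the sample zip are constructed for illustration.

```python
import io
import zipfile

# Extensions Windows hands to Windows Script Host or the shell on double-click.
# The campaign used .js; the rest are the usual siblings seen in similar lures.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "cmd", "bat", "ps1"}
# Extensions attackers put in front of the real one so Explorer shows "invoice.doc".
DECOY_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "jpg", "png"}


def classify_member(name):
    """Return the reasons a zip member name looks like a script disguised as a document."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    ext = parts[-1]
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension .{ext}")
        # "report.doc.js": a document extension immediately before the script one.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"decoy document extension .{parts[-2]} before .{ext}")
    return reasons


def triage_zip(data):
    """Scan an in-memory zip attachment; return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            if not reasons:
                continue
            # Cheap content check on the first bytes: a downloader of this kind
            # typically reaches for WScript.Shell / ActiveXObject right away.
            with zf.open(info) as member:
                head = member.read(64)
            if b"WScript" in head or b"ActiveXObject" in head:
                reasons.append("WScript/ActiveXObject reference in first bytes")
            findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample attachment (not the campaign's file): one disguised script, one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_29022016.doc.js", 'var sh = new ActiveXObject("WScript.Shell");\n')
        zf.writestr("readme.txt", "nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

The extension check alone is what stops this campaign; the content peek is there so a plain "invoice.js" without a decoy extension still gets a second, stronger reason attached before a gateway quarantines it.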


Once infected

If executed, this ransomware encrypts your files even without internet communication, using a custom key recovery algorithm, and renames them to old_name.mp3, probably so that writing high-entropy data into files with an audio extension does not trip behavioral detection (compressed audio is expected to look random). It then displays the following ransom message:
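The .mp3 renaming defeats a naive "new high-entropy file" heuristic, but it leaves a different tell: a real MP3 starts with an ID3 tag or an MPEG frame sync, and an encrypted spreadsheet renamed to .mp3 does not. The following is an added example of a scanner that uses that mismatch together with byte entropy; it was written for this article, is not Check Point's or the malware's code, and the sample files, the 7.0 bits-per-byte threshold and the 64 KiB sampling window are constructed assumptions.

```python
import math
import random


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant buffer, approaching 8.0 for random or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in counts if c)
    return h if h > 0 else 0.0


def looks_like_mp3(head):
    """True if the first bytes carry an ID3v2 tag or an MPEG audio frame sync (11 leading set bits)."""
    if head[:3] == b"ID3":
        return True
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0


def classify_mp3_named_file(name, data, entropy_threshold=7.0):
    """Flag a file named *.mp3 whose content has no MP3 header and is high-entropy.

    That combination is what an encrypted document renamed by the ransomware looks like.
    Returns (flagged, entropy). Only the first 64 KiB are sampled to keep a directory walk cheap.
    """
    ent = shannon_entropy(data[:65536])
    if not name.lower().endswith(".mp3"):
        return False, ent
    if looks_like_mp3(data[:4]):
        return False, ent
    return ent >= entropy_threshold, ent


def scan_files(files):
    """files: {name: bytes}. Return the names that look like encrypted files hiding behind .mp3."""
    return [name for name, data in files.items() if classify_mp3_named_file(name, data)[0]]


def constructed_samples(seed=0):
    """Constructed sample files (not campaign data); seeded so the output is reproducible."""
    rng = random.Random(seed)
    rand = bytes(rng.getrandbits(8) for _ in range(8192))
    return {
        "budget.xlsx.mp3": rand,                 # encrypted document renamed, no audio header
        "song.mp3": b"ID3\x04\x00\x00" + rand,   # genuine-looking MP3: ID3v2 tag in front
        "notes.txt.mp3": b"lorem ipsum " * 600,  # plaintext renamed: low entropy, not flagged
    }


if __name__ == "__main__":
    for name in scan_files(constructed_samples()):
        print("possible encrypted file:", name)
```

A real detector would also weigh the rate of such writes and whether the originals disappeared, but the header-versus-extension mismatch is the cheap check that the renaming trick does not hide.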

fig 4

Screenshot of encrypted files in a directory

fig 5


Improvements in how quickly AV products update signatures for new variants have pushed attackers toward spike campaigns, which deliver a previously unknown threat to a mass audience before defenses catch up. Detecting previously unseen threats is therefore crucial to preventing infection.

Check Point AV and Network Anti-Malware clients are now protected from this threat; the signature was updated shortly after discovery. Check Point SandBlast customers were protected from the inception of the attack.


Appendix 1 – SHA1s distributed by the JavaScript



Appendix 2 – Command and Control URLs contacted by the ransomware