Crowti (also known as Cryptowall) and Tescrypt (also known as Teslacrypt) are two ransomware families that have infected over half a million PCs running Microsoft security software in the first half of 2015. Since the start of 2015, we've observed Crowti to be the most prevalent ransomware overall, accounting for 30% of all ransomware detections, as shown in Figure 1.
Figure 1. Top 10 Ransomware (January to June 2015)
Figure 2. Top 10 Ransomware (May 2015)
Figure 3. Top 10 Ransomware (June 2015)
Notice in particular that Tescrypt sits among the six families that each had less than a 5% share of the total. This is because Tescrypt is relatively new: while we've seen big detection numbers between April and June, they still haven't been enough to overtake Crowti and Krypterade.
While Tescrypt has only been prevalent since April 2015, we've seen its infection rate spike dramatically during that time. Figure 2 shows the share it had during May, where it increased by over 600%.
This increase in activity is likely due to it being distributed by a number of active exploit kits, specifically Exploit:SWF/Axpergle (Angler), Exploit:JS/Neclu (Nuclear), JS/Fiexp (Fiesta), and JS/Anogre (Sweet Orange).
Figure 3 shows a breakdown of the top 10 ransomware distribution for the past 30 days (May 19 to June 18, 2015).
Both Crowti and Tescrypt target home users and enterprises alike. Their infection chains are also similar: we've seen that email spam and exploit kits are the main infection vectors.
Figure 4. Tescrypt/Crowti infection chain
Figure 4 is a representation of the infection chain for both families.
These ransomware families encrypt files on the PC and direct the machine's user to a webpage that typically asks for ransom payment using bitcoins.
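Because both families leave behind a large number of files whose contents are indistinguishable from random bytes, one host-side triage check is to walk a user's document tree and count files that are high-entropy but carry no header of a known compressed or container format. The following is an added example written for this post, not Microsoft's detection logic or code from either malware family; the magic-byte list, the 7.5 bits-per-byte threshold, the alert ratios and the scratch-directory sample data are all assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Signatures of common formats whose payloads are legitimately high-entropy.
# A file that is high-entropy AND has none of these headers is a plausible
# ransomware output. Assumption: the family writes raw ciphertext with no
# recognisable header of its own.
KNOWN_MAGIC = (
    b"PK\x03\x04",    # zip, docx/xlsx/pptx, jar
    b"\xff\xd8\xff",  # jpeg
    b"\x89PNG",       # png
    b"%PDF",          # pdf
    b"\x1f\x8b",      # gzip
    b"7z\xbc\xaf",    # 7-zip
    b"Rar!",          # rar
)

HIGH_ENTROPY = 7.5  # bits per byte; ciphertext sits close to 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(head: bytes, threshold: float = HIGH_ENTROPY) -> bool:
    """True if the sample is high-entropy and has no known container header."""
    if len(head) < 256:
        return False  # too few bytes for a stable entropy estimate
    if head.startswith(KNOWN_MAGIC):
        return False  # compressed/container format, expected to be high-entropy
    return shannon_entropy(head) >= threshold


def scan_tree(root: str, sample_bytes: int = 65536) -> dict:
    """Walk root, sampling the first sample_bytes of every file.

    Returns {"total": files examined, "suspicious": [paths that look encrypted]}.
    """
    total, suspicious = 0, []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(sample_bytes)
            except OSError:
                continue  # unreadable or vanished mid-scan; skip, don't abort
            total += 1
            if looks_encrypted(head):
                suspicious.append(path)
    return {"total": total, "suspicious": suspicious}


def mass_encryption_alert(report: dict, min_files: int = 5,
                          min_fraction: float = 0.5) -> bool:
    """Alert only when many files, and a large share of them, look encrypted.

    A handful of opaque files is normal on any workstation; a majority of a
    document tree turning opaque is the signature of a mass-encryption event.
    Thresholds are assumptions to be tuned per environment.
    """
    n = len(report["suspicious"])
    return n >= min_files and n / max(report["total"], 1) >= min_fraction


def build_demo_tree() -> str:
    """Constructed sample data: a scratch directory holding one plaintext file,
    one zip-like archive, and six files of random bytes standing in for the
    encrypted documents a ransomware run leaves behind."""
    root = tempfile.mkdtemp(prefix="rw_demo_")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("quarterly report draft\n" * 200)
    with open(os.path.join(root, "archive.zip"), "wb") as f:
        f.write(b"PK\x03\x04" + os.urandom(4096))
    for i in range(6):
        with open(os.path.join(root, f"report{i}.docx"), "wb") as f:
            f.write(os.urandom(8192))
    return root


if __name__ == "__main__":
    report = scan_tree(build_demo_tree())
    print(f"{len(report['suspicious'])}/{report['total']} files look encrypted")
    print("ALERT: possible mass encryption" if mass_encryption_alert(report)
          else "no alert")
```

The header check matters: without it, every Office document, image and archive on the machine trips the entropy threshold and the ratio becomes meaningless. Run over the demo tree, 6 of 8 files are flagged and the alert fires; pointed at a real home directory it should stay quiet until a large fraction of documents have been rewritten.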
See the following descriptions for a list of the file type extensions each family targets for encryption:
Crowti can be downloaded by other malware, such as:
It can also be downloaded when you click on a link in a spam email. It's important to be aware of the dangers of opening suspicious emails to avoid falling prey to these ransomware attacks.
See the Win32/Crowti and Win32/Tescrypt descriptions for information on how these threats work.