ESET releases new decryptor for TeslaCrypt ransomware


Have you been infected by one of the new variants (v3 or v4) of the notorious ransomware TeslaCrypt? If your encrypted files had the extensions .xxx, .ttt, .micro, .mp3 or were left unchanged, then ESET has good news for you: we have a decryptor for TeslaCrypt.

We have been covering this malware for a few months now, sometimes along with Locky or being spread by Nemucod. Recently, TeslaCrypt’s operators announced that they are wrapping up their malevolent activities:


On this occasion, one of ESET’s analysts contacted the group anonymously, using the official support channel offered to the ransomware victims by TeslaCrypt’s operators, and requested the universal master decryption key.

Surprisingly, they made it public.

This allowed ESET to create a free decrypting tool promptly, which is able to unlock files affected by all variants of this ransomware. For instructions on how to use the decryptor, please visit the ESET Knowledgebase website.


We must stress that ransomware remains one of the most dangerous computer threats at this moment, and prevention is essential to keep users safe. Therefore, they should keep operating systems and software updated, use reliable security solutions with multiple layers of protection, and regularly back up all important and valuable data at an offline location (such as external storage).

We also advise all users to be very careful when clicking on links or files in their email or browsers. This is particularly true when messages are received from unknown sources or otherwise look suspicious.

For more information about how to protect yourself against these and other ransomware threats, please check this: 11 things you can do to protect against ransomware.

Malware Analysis Tools: pestudio

pestudio is a tool used by many Cyber Emergency Response Teams (CERTs) worldwide to perform the initial assessment of malware.

Malicious software often attempts to hide its intent in order to evade early detection and static analysis. In doing so, it often leaves suspicious patterns, unexpected metadata, and sometimes even outright anomalies.

The goal of pestudio is to spot these artifacts in order to ease and accelerate the initial malware assessment. The tool uses a powerful parser and a flexible set of configuration files that provide many of the indicators and determine the thresholds. Since the file being analyzed is never executed, you can inspect any unknown or malicious executable, even ransomware, without risk of infection.


pestudio implements a rich set of features designed to retrieve every detail of an executable file. The result is checked against the Microsoft PE specification. Additionally, the content of the file being analysed is checked against several whitelists, blacklists and thresholds.


Even a suspicious binary must interact with the operating system in order to perform its activity.

pestudio retrieves the libraries and the functions an executable references (its imports). Several XML files are used to blacklist functions by category (e.g. Registry, Process, Thread, File, …). The blacklist files can be customized and extended according to your own needs. The result reveals the intent and purpose of the application being analyzed.


Resource sections are commonly used by malware to host a payload.

pestudio detects many embedded file types (e.g. EXE, DLL, SYS, PDF, CAB, ZIP, JAR, …). Detected items can be saved to a file for further analysis.


The goal of pestudio is to allow investigators to analyse unknown and suspicious executable files.

For this purpose, pestudio can also produce an XML report file documenting the executable being analysed. The XML report is designed so that any third-party analysis tool can consume it.


pestudio runs from a graphical user interface (GUI) as well as from the command prompt (CLI). Running pestudio from the prompt allows analysing executable files and creating the associated XML output files in batch mode.
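The three pestudio features described above (a categorised function blacklist applied to the referenced imports, detection of embedded file types hidden in resources, and an XML report for third-party tools) can be illustrated with a small static triage script. The following is an added example written for this page, not pestudio's own code: it works on raw bytes with printable-string extraction and magic-byte scanning instead of pestudio's full PE parser, the blacklist categories and API names are chosen for illustration, and the sample buffer is constructed (it is not a real executable).

```python
"""Minimal static triage of an executable image, in the spirit of pestudio.

Added illustration for this page, not pestudio's code. It never runs the
sample: it only reads bytes, extracts printable strings, matches them against
a categorised function blacklist, scans for embedded file magics, and emits an
XML report that another tool could consume.
"""
import re
import xml.etree.ElementTree as ET

# Magic bytes for embedded file types (a constructed subset of what a tool
# like pestudio looks for).
EMBEDDED_MAGICS = {
    b"MZ": "EXE/DLL/SYS",
    b"PK\x03\x04": "ZIP/JAR",
    b"%PDF-": "PDF",
    b"MSCF": "CAB",
}

# Function blacklist grouped by category, standing in for pestudio's XML
# blacklist files. Names chosen for illustration; extend to your own needs.
API_BLACKLIST = {
    "Process": {"CreateRemoteThread", "WriteProcessMemory", "OpenProcess"},
    "Registry": {"RegSetValueExA", "RegCreateKeyExA"},
    "File": {"DeleteFileA", "MoveFileExA"},
}


def extract_strings(data, min_len=5):
    """Return printable ASCII runs of at least min_len bytes, decoded to str."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_blacklisted_apis(strings):
    """Map each blacklist category to the sorted names seen among the strings."""
    seen = set(strings)
    hits = {}
    for category, names in API_BLACKLIST.items():
        matched = sorted(names & seen)
        if matched:
            hits[category] = matched
    return hits


def find_embedded_files(data):
    """List (offset, type) for every known magic found past offset 0.

    Offset 0 is the host file's own header, so it is not an embedded item.
    Magic-byte scanning is a heuristic: a short magic such as MZ can also
    match by chance, which is why a real tool validates the structure behind it.
    """
    findings = []
    for magic, kind in EMBEDDED_MAGICS.items():
        start = 0
        while True:
            off = data.find(magic, start)
            if off == -1:
                break
            if off != 0:
                findings.append((off, kind))
            start = off + 1
    return sorted(findings)


def build_report(filename, data):
    """Assemble an XML element tree describing the findings for data."""
    root = ET.Element("report", file=filename, size=str(len(data)))
    funcs = ET.SubElement(root, "blacklisted-functions")
    for category, names in find_blacklisted_apis(extract_strings(data)).items():
        cat = ET.SubElement(funcs, "category", name=category)
        for name in names:
            ET.SubElement(cat, "function").text = name
    embedded = ET.SubElement(root, "embedded-files")
    for off, kind in find_embedded_files(data):
        ET.SubElement(embedded, "item", offset=hex(off), type=kind)
    return root


def report_xml(filename, data):
    """Serialise the report as a string that another tool can parse."""
    return ET.tostring(build_report(filename, data), encoding="unicode")


# Constructed sample: an MZ/PE-like header stand-in, import-style name strings,
# then a ZIP/JAR and a PDF stand-in playing the role of resources.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"PE\x00\x00" + b"\x00" * 20
    + b"KERNEL32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00GetTickCount\x00"
    + b"ADVAPI32.dll\x00RegSetValueExA\x00"
    + b"\x00" * 16
    + b"PK\x03\x04" + b"\x00" * 26 + b"payload.jar"
    + b"\x00" * 8
    + b"%PDF-1.4\n%dummy"
)

if __name__ == "__main__":
    print(report_xml("sample.bin", SAMPLE))
```

Running the script prints a report whose `blacklisted-functions` section lists only the Process and Registry hits (the benign `GetTickCount` import is extracted but not flagged) and whose `embedded-files` section records the ZIP/JAR and PDF stand-ins with their byte offsets. The host file's own `MZ` at offset 0 is deliberately excluded, which is the edge case any magic-byte scanner has to handle.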

Security Report Analysis: 2016 DBIR Report


In this Security Report Analysis (SRA) series I look at various security reports and pull out the main points.

This doesn’t replace a complete and detailed read of these reports, but at least you’ll get exposed to some of the key takeaways that you might not otherwise have seen.

REPORT: The 2016 DBIR Report

Key points

[ NOTE: These points are a combination of the report’s actual points combined with my own interpretation of them. Some of the analysis is not theirs, in other words. Don’t take this as me putting words in their mouths, but rather me trying to parse and interpret for my and your benefit. ]

  • Report covers 100,000 incidents, of which there were 3,141 data breaches
  • 64,199 incidents and 2,260 breaches made up the report statistics
  • They lack information to say mobile or IoT is killing us
  • 89% of breaches had a financial or espionage motive
  • Countries all over the world were compromised; geography is not safety
  • VERIS is the Vocabulary for Event Recording and Incident Sharing, and it allows an organization to record and share security events, incidents, and breaches
  • VERIS asks, “What threat actor took what action on what asset compromising what attribute?”, also known as the 4 A’s.
  • The vast majority of threat actors (around 80%) are external. There is very little collusion (around 2% ?), around 10% internal, and very little partner (~1%).
  • Less than 1/4 of companies detected issues in a few days or less
  • There were many web attacks against CMSs, especially due to plugins
  • Financial services was hit the most with data breaches last year with some 795 breaches, followed by the hospitality sector (282), information sector (194), public sector (193), retail (137), and healthcare (115)
  • Espionage is picking up as a reason for compromise, catching up to financial reasons (but still far behind)
  • Many attacks have secondary motives, like aiding another attack
  • Phishing is a major attack technique, which often leads to others
  • Discovery times went up, not down (bad)
  • The two rules of vulnerabilities still hold: attackers use old vulns, and attackers automate exploitation and spray it over the internet to get hits
  • Phishing was usually used to install persistent software (why else?)
  • People doing phishing are usually organized crime (89%) and state actors (9%)
  • Around 3% of those targeted alerted management that they might be under attack
  • Credentials and trade secrets were the biggest targets
  • Verizon recommends segmentation and strong authentication to prevent additional compromise
  • 63% of data breaches involved weak, default, or stolen passwords
  • Top three attacks were web app attacks, POS intrusions, and miscellaneous errors
  • There were interesting breakdowns of type of attack vs. vertical (see full report)
  • 95% of confirmed web attacks were financially motivated
  • Web shells were commonly used against ecommerce servers
  • POS attacks continue to yield credit card information
  • It’s getting harder for attackers to hit POS due to increased security
  • 97% of breaches using stolen credentials leveraged legitimate partner access
  • Privilege misuse often includes collusion between internal and external actors
  • You can’t protect your data if you don’t know where it resides
  • Unintentional actions go into miscellaneous errors, and the number of these is massive
  • Decommissioning security is a problem
  • In this year’s data, an asset is lost over 100 times more frequently than it is stolen
  • 70% of payment card skimming incidents in the report’s dataset can be blamed on criminal organizations
  • There is a dramatic decline in internal discovery and a corresponding increase in discovery by fraud detection
  • Cyber-espionage actors are predominantly state-affiliated groups. Competitors and nation states are also mixing it up
  • Phishing, as a leading action of cyber-espionage, provides a number of advantages—the time to compromise can be extremely quick and attackers can target specific people
  • 90% of Cyber-espionage breaches capture trade secrets or proprietary information
  • DoS attacks are either large in magnitude or they are long in duration, but typically not both
  • As DoS attacks continue to evolve, cloud service providers must have solutions in place to protect their infrastructure.
  • By far, the biggest source of incidents in this pattern is phishing attacks where not much else is known
  • Actions taken by the adversary are not exclusive to a single pattern
  • Having an understanding of how patterns complement each other can help direct your efforts as to what to prioritize your limited resources against
  • PCI breaches had a much higher median of documented record loss than PHI or PII
  • Legal guidance during the crisis management phase and forensics investigations is where the majority of the cash is going
  • There are seemingly endless types of stolen data available for sale from an equally endless variety of sources
  • Profiting from stolen card not-present (CNP) transactional data is similar to old school fencing of stolen goods
  • In cases of Privilege Misuse, employees have access to data and use it for their own gain or in collusion with criminals
  • Sellers of stolen cards began differentiating, basing their prices on geography or the validity rate of the cards
