<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=179060&amp;fmt=gif">

Minerva Labs Blog

News & Reports

TeslaCrypt 3.1? New Ransomware Strain Removes ShadowCopies via WMI

At the moment, Ransomware is the hot button issue for information security professionals world wide.

Malware authors are aware of this, and know that each minute their ransomware remains undetected can translate to thousands of dollars in ill-gotten gains.

For ransomware “flying under the radar” is a unique challenge.  Unlike Trojans which are “silent” by definition, ransomware actually notifies the intended victim of its’ infection. This narrows the gap between the time where the malware was first distributed to the point it has been recognized by major AV vendors to less than a day. The longer the gap is – the more successful the ransomware.

A New TeslaCrypt Strain

Cyber-criminals are always trying to stay one step ahead. For them it’s fairly easy to remain undetected by testing their new ransomware against existing security products offline.

The authors of TeslaCrypt 3.1 ransomware understood that the common ransomware action of deleting shadow copies by executing "vssadmin Delete Shadows /All /Quiet" draws the defenders' attention, and so they worked around that by using WMI.

Windows management instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM), that has been abused by malware for at least 10 years. In this case it is used to achieve the same effect as the aforementioned technique which is already familiar to AV vendors but in a completely different manner. TeslaCrypt 3.1 executes the command "WMIC shadowcopy delete /nointeractive", and stays under the radar this way:

This nice little trick enabled this particular strain to avoid detection by major vendors as it was released this week. Furthermore, it appears that ransomware authors are widely adopting WMI usage, as the latest CryptoWall samples were spotted using it in order to download and execute its main payload.

Prevented by Minerva

As in previous cases, this strain of TeslaCrypt attempts to evade detection by avoiding specific security products. Minerva Anti-Evasion Platform causes it to halt the infection procedure entirely, thinking they are actually present. While other solutions will keep chasing new techniques like the one mentioned above, we prevent malware in a generic manner – oblivious to the new tricks it tries to employ.

Subscribe to Our Blog