I thought about ignoring this one and letting it slide, but it’s too priceless, too typically Microsoft, not to pass on. It seems that Redmond has been inadvertently infecting Windows computers with ransomware through its MSN website. Not to worry, however. The company is happy to hand you a tool to remove the malware, which is akin to locking the door after the horse is gone, as your files will by then be locked up tighter than a waterproof safe.
The news came yesterday, via ZDNet, that Microsoft has “upgraded its malicious software removal tool to tackle TeslaCrypt, or Tescrypt as it calls it.”
TeslaCrypt, a ransomware trojan, became big news early this year when it was found to be targeting computers with a variety of computer games installed. The malware evidently looks for file extensions associated with 40 or so games and encrypts them. The list of games infected includes such popular titles as Call of Duty, World of Warcraft, Minecraft and World of Tanks. From there, the scenario is all too familiar. To unencrypt, users must pay up — the going price is the equivalent of $500 in Bitcoins — to receive the decrypt key.
While media mainly focused on the gaming aspect of TeslaCrypt, lulling non-gaming Windows users in to a false sense of security, it appears that the trojan also targets financial and tax software.
Ho hum. Life as usual in the Windows world, eh?
Trouble is, Microsoft began to notice a major uptick in detections of TelsaCrypt in late August, with the numbers rising from less than 1,000 detections daily to more than 3,500. This coincided with a report from the security company Malwarebytes, which detailed on August 27 a major ad based malware campaign using major news websites — including MSN.com — as drive-by delivery platforms.
Initially, unencrypting files locked by TelsaCrypt was pretty straightforward. Early versions of the malware stored the encryption key on the victim’s computer in plain text, prompting Cisco to develop and release the Talos TeslaCrypt Decryption Tool that victims could use to set things right. However, in July, Kaspersky reported that TeslaCrypt version 2.0, which now identifies itself to victims as CryptoWall, stores the encryption key in a binary blob stored in the registry, “which means that it is currently impossible to decrypt files affected by TeslaCrypt.”
As a Linux user, the thought of Microsoft infecting Windows computers through its own news site would be a rather amusing episode from the files of the Keystone Cops, if not for the hapless victims who now find important financial and tax records unreachable. As it is, it’s a reminder to all of us, even if we run Linux, BSD or some other “safe” operating system, to back up our files and back them up often.