TeslaCrypt ransomware response advisory

During a recent incident response case, Sera-Brynn identified the command and control (C2) servers used by the newest variant of the TeslaCrypt ransomware. We recommend blocking the addresses listed in the screenshot below, in both directions, on all perimeter firewalls (a DENY ALL rule for those hosts), and reviewing firewall and proxy logs for any past connections to them, since a connection indicates an infected machine that has already checked in.

[Screenshot dated 2016-02-25 listing the C2 server addresses; not reproduced in this text]

MD5 hash of the original dropper: 47a29963a3f22a1b4dcf62da23ab208a

MD5 hash of the payload file: 1326d09c506028ca58caac330e0a97ad

Note that a hash identifies only these exact files; a repacked or rebuilt sample will not match, so a clean sweep does not rule out infection.
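To sweep a host or file share for the two samples above, an added example (not Sera-Brynn's tooling) is a small Python script that hashes every file under a directory and reports matches against the advisory's MD5 values. It streams files in chunks so large archives and backups do not need to fit in memory, computes a SHA-256 alongside the MD5 so hits can be cross-referenced with sources that publish stronger hashes, and skips unreadable files rather than aborting. The demo directory, its contents and the stand-in IOC it registers are constructed for illustration; no real sample is written to disk.

```python
import hashlib
import os
import tempfile

# The two MD5 hashes published in the advisory. MD5 is what the advisory
# provides; a SHA-256 is computed alongside so hits can be cross-referenced
# with sources that publish stronger hashes.
IOC_MD5 = {
    "47a29963a3f22a1b4dcf62da23ab208a": "TeslaCrypt dropper",
    "1326d09c506028ca58caac330e0a97ad": "TeslaCrypt payload",
}


def file_digests(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) for a file, streaming it in chunks so
    large files do not have to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root, iocs=IOC_MD5):
    """Walk `root` and return a list of (path, md5, sha256, label) for every
    file whose MD5 is in `iocs`. Unreadable files (locked, permission denied)
    are skipped rather than aborting the sweep."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = file_digests(path)
            except OSError:
                continue
            if md5 in iocs:
                hits.append((path, md5, sha256, iocs[md5]))
    return hits


def make_sample_dir():
    """Build a constructed demo directory: one harmless file plus its own
    MD5 registered as a stand-in IOC (an assumption for the demo, not a real
    indicator), so the sweep can be seen producing a hit without a real
    sample on disk. A second benign file shows that non-matches are ignored."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    sample = os.path.join(root, "sample.bin")
    with open(sample, "wb") as fh:
        fh.write(b"abc")  # constructed content, not malware
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign file, should not match")
    md5, _ = file_digests(sample)
    stand_in_iocs = {md5: "constructed stand-in sample"}
    return root, sample, stand_in_iocs


if __name__ == "__main__":
    root, sample, stand_in = make_sample_dir()
    for path, md5, sha256, label in sweep(root, stand_in):
        print(f"HIT {label}: {path} md5={md5} sha256={sha256}")
    # Sweep the same directory against the advisory's real hashes;
    # on a clean host this prints nothing.
    for path, md5, sha256, label in sweep(root):
        print(f"HIT {label}: {path} md5={md5}")
```

In practice you would call `sweep()` on user profile directories, temp folders and the root of each file share, and treat any hit as a confirmed infection of that host. An empty result only says those two exact files are absent.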

TeslaCrypt infections typically begin when a user visits a compromised website, often an unpatched WordPress or Joomla site, that serves an Adobe Flash Player exploit to the browser. Other variants of this malware are delivered by email messages designed to look like an official US Postal Service notification. Keeping browsers and Adobe Flash Player patched, or removing Flash where it is not needed, closes the web-based vector.

We also recommend that you:

—Remind employees to disconnect a suspect machine from the network immediately (unplug the cable and disable Wi-Fi) and follow incident response procedures; the malware encrypts any network share it can reach, so isolating the host limits the damage;

—Ensure all critical business data is backed up, that the backups are stored where an infected workstation cannot write to them (offline or on storage not mapped to user accounts), and that a recent test restore confirms the data is recoverable in the event of an infection;

—Review your anti-spam configuration, in particular the handling of executable and archive attachments and of messages impersonating postal-service notifications;

—Ensure that your anti-virus and anti-malware software, including its definitions, is up to date on all systems, and schedule a nightly full scan of all systems for the next week or two as a precaution;

—Review access to your file shares and tighten file-level permissions. The ransomware runs with the privileges of the logged-in user and can only encrypt files that user can write to, so removing write access that is not needed directly limits its reach.

For incident response assistance, you can reach us at 757-243-1257 or urgent@sera-brynn.com.