TastyLock Ransomware – A Closer Look

We hope that you took some downtime over the last few weeks. Unfortunately, ransomware campaigns did no such thing. Let’s take a look at one of the nastier variants we have seen lately: TastyLock.

TastyLock: Technical Details

TastyLock is not an entirely new breed of ransomware. Instead, it appears to be a new member of the CryptoMix/CryptoWall family. Like its relatives, TastyLock encrypts files on the victim machine using AES in CBC mode with a random 256-bit key. It then appends the “.tastylock” extension to each encrypted file and drops a plain-text ransom note named “_HELP_INSTRUCTION.txt” for the victim to find.

Taken together, a strong cipher and a random per-infection key mean you shouldn’t expect to see a free decryptor for this variant: without the attackers’ key there is nothing to brute-force, so recovery depends on backups or on having stopped the encryption early.

TastyLock Ransom note.

Communications and Network Behavior

Like many other pieces of ransomware, TastyLock instructs victims to email the attackers a victim-specific ID code (shown above). We’ve heard that the malware authors were originally asking one Bitcoin (roughly $16,000 on Jan 1, 2018) for the decryption key.

Even if you were willing to pay the ransom to get your files back (and we hope you never have to consider that, because you’re running CryptoDrop; see our results below), you are unlikely to be able to. The aol.com address the attackers list still seems to accept mail, but none of our messages to it received a reply. So while the ransomware is still lurking out there (we’re seeing it on a small number of our sensors), paying offers no realistic path to recovery.

How Did CryptoDrop Do?

As always, we ran this sample against CryptoDrop. TastyLock wasted no time trying to encrypt our files, but it was no match for our software: we detected the encryption attempts without difficulty and put the system into lockdown mode.
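To make the kind of behavioural check described here concrete, the following is an added illustration, not CryptoDrop’s own (proprietary) engine. It scores file-write events using the indicators this post gives for TastyLock: files renamed to “.tastylock”, a “_HELP_INSTRUCTION.txt” ransom note, and content rewritten as high-entropy, ciphertext-like bytes. The event format, the thresholds and the sample events are assumptions made for the example.

```python
"""Toy behavioural ransomware detector.

Added example for this post, not CryptoDrop's own (proprietary) engine.  It
scores file-write events using the indicators the post describes for
TastyLock: files renamed to ".tastylock", a "_HELP_INSTRUCTION.txt" ransom
note, and content rewritten as high-entropy (ciphertext-like) bytes.
Thresholds, the event format and the sample events are assumptions.
"""
import hashlib
import math
import os
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

RANSOM_EXTENSION = ".tastylock"          # from the post
RANSOM_NOTE = "_HELP_INSTRUCTION.txt"    # from the post
ENTROPY_THRESHOLD = 7.0   # bits/byte; assumed cutoff for "looks encrypted"
LOCKDOWN_THRESHOLD = 3    # assumed number of suspicious writes before lockdown


@dataclass
class WriteEvent:
    """One observed file write/rename (hypothetical monitor output)."""
    old_path: str
    new_path: str
    old_content: bytes   # b"" for a newly created file
    new_content: bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def indicators(ev: WriteEvent) -> List[str]:
    """Return the indicators an event trips, in a fixed order."""
    hits = []
    old_ext = os.path.splitext(ev.old_path)[1].lower()
    new_ext = os.path.splitext(ev.new_path)[1].lower()
    if new_ext == RANSOM_EXTENSION:
        hits.append("ransom_extension")
    if os.path.basename(ev.new_path) == RANSOM_NOTE:
        hits.append("ransom_note")
    if old_ext != new_ext:
        hits.append("ext_changed")
    # A jump from structured data to ciphertext-like bytes.  A file that was
    # already high-entropy (JPEG, ZIP) will not trip this, which is why the
    # extension and note indicators are checked as well.
    if shannon_entropy(ev.old_content) < ENTROPY_THRESHOLD <= shannon_entropy(ev.new_content):
        hits.append("entropy_jump")
    return hits


def is_suspicious(ev: WriteEvent) -> bool:
    """Known IOCs are enough on their own; an entropy jump only counts when the
    file was also renamed, so creating a ZIP or saving a photo stays benign."""
    hits = indicators(ev)
    return ("ransom_extension" in hits or "ransom_note" in hits
            or ("entropy_jump" in hits and "ext_changed" in hits))


def lockdown_decision(events: List[WriteEvent]) -> Tuple[bool, int]:
    """Count suspicious writes; return (lock_the_system, count)."""
    count = sum(1 for ev in events if is_suspicious(ev))
    return count >= LOCKDOWN_THRESHOLD, count


def pseudo_ciphertext(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for AES-CBC output."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample events (not real telemetry).
SAMPLE_TEXT = b"Quarterly report: revenue up 4%, costs flat. " * 100
SAMPLE_EVENTS = [
    WriteEvent("report.docx", "report.docx" + RANSOM_EXTENSION,
               SAMPLE_TEXT, pseudo_ciphertext(4096, b"k1")),
    WriteEvent("photo.jpg", "photo.jpg" + RANSOM_EXTENSION,
               pseudo_ciphertext(4096, b"jpeg"), pseudo_ciphertext(4096, b"k2")),  # already high entropy
    WriteEvent("notes.txt", "notes.txt",
               SAMPLE_TEXT, SAMPLE_TEXT + b"Action items: none.\n"),              # ordinary edit
    WriteEvent("archive.zip", "archive.zip", b"", pseudo_ciphertext(4096, b"zip")),  # benign new archive
    WriteEvent(RANSOM_NOTE, RANSOM_NOTE, b"", b"Your files are encrypted. Email us your ID.\n"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.new_path:32} {indicators(ev)} suspicious={is_suspicious(ev)}")
    print("lockdown:", lockdown_decision(SAMPLE_EVENTS))
```

The photo and archive events are the interesting ones: a JPEG that gets encrypted shows no entropy jump because it was already near 8 bits/byte, so only the extension rename catches it, while a freshly created ZIP does show a jump yet is benign. Any real monitor has to combine several weak signals the way the `is_suspicious` rule does rather than lean on entropy alone.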

CryptoDrop stops TastyLock

TastyLock aggressively attempts to kill Windows Defender. That matters beyond this one sample: any future version that inherits the behaviour gets to disable the built-in antivirus before it starts encrypting, so it is better to protect yourself against this variant now than to hope it simply goes away.

CryptoMix/CryptoWall has been around for quite some time and is one of the more successful campaigns. While we do not expect many people to be hit by this particular variant, it is a safe bet that new variants will appear in the near future. Not to worry, though: CryptoDrop will protect you against those, too.

Still not running CryptoDrop? Give us a shot: we’ve stopped every piece of ransomware that we and the independent lab AV-Test have thrown at it. When traditional anti-virus products fail (or are attacked, as we saw here), CryptoDrop gives you an extra layer of protection. Try out our Free version today, and use our Fast Recovery version to restore any lost files and get back in business in seconds.

We Stop Ransomware!