The Evolution and History of TeslaCrypt Ransomware



TeslaCrypt is a file-encrypting ransomware program that runs on all Windows versions, including Windows XP, Windows Vista, Windows 7 and Windows 8. The program was first released around the end of February. Once it has infected a computer, TeslaCrypt searches for data files to encrypt.



Once all data files on the computer have been encrypted, an application window is displayed with instructions on how to recover the files. The instructions include a link to a TOR-hosted decryption service site. That site shows the current ransom amount, the number of files that have been encrypted, and how to pay to have the files released. The ransom usually starts at $500, payable in Bitcoin, and each victim is given a distinct Bitcoin address.



Once installed, TeslaCrypt creates a randomly named executable in the %AppData% folder. That executable is launched and examines the computer's drive letters for files to encrypt. It appends an extension to the name of every supported data file it finds; which extension is used depends on the version that infected the computer, since each new release of TeslaCrypt has introduced different extensions for encrypted files. TeslaCrypt currently uses the following extensions for encrypted files: .ccc, .abc, .aaa, .zzz and .xyz. Depending on which version of TeslaCrypt infected the computer, it may be possible to decrypt the files free of charge with the TeslaDecoder tool.



It is important to note that TeslaCrypt looks through every drive letter on the computer for files to encrypt, which includes network shares, DropBox mappings and removable drives. It only targets data files on a network share if that share has been mapped to a drive letter on the computer; the ransomware cannot encrypt files on network shares that are not mapped to a drive letter. Once it has finished scanning the computer, it erases all Shadow Volume Copies so that the affected files cannot be restored from them. The version of the ransomware can be identified by the title of the application window that appears after encryption.
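The two host behaviours just described, a randomly named executable launched from the %AppData% root and the wiping of Shadow Volume Copies, are both visible in process-creation telemetry. The following is an added detection example, not code from the original article: it runs two rules over constructed process-creation records and escalates only when the shadow-copy deletion is launched by an executable sitting directly in the AppData root. The record fields (pid, image, command_line, parent_image) are an assumed simplification of what Sysmon or an EDR emits, and the concrete shadow-copy deletion commands are an assumed, well-known set (the article only says the copies are erased).

```python
"""Flag two TeslaCrypt host behaviours in process-creation telemetry.

Added example, not code from the original article. The records below are
constructed, and the field names (pid, image, command_line, parent_image)
are an assumed simplification of what Sysmon or an EDR emits for a
process-creation event.
"""
import re
from dataclasses import dataclass

# Rule 1: an executable launched straight from the per-user AppData root
# (%AppData%\<random>.exe with no subfolder), the drop location the article describes.
APPDATA_ROOT_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.IGNORECASE
)

# Rule 2: command lines that erase Volume Shadow Copies. The article only says
# the copies are erased; the concrete commands are an assumed, well-known set.
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the started executable
    command_line: str
    parent_image: str   # full path of the parent executable


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def is_appdata_root_exe(path: str) -> bool:
    """True when the executable sits directly in %AppData% (Roaming), not in a subfolder."""
    return APPDATA_ROOT_EXE.match(path) is not None


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True when the command line matches one of the shadow-copy deletion patterns."""
    return any(p.search(command_line) for p in SHADOW_DELETE_PATTERNS)


def analyze(events):
    """Run both rules over every event and return the individual findings."""
    findings = []
    for ev in events:
        if is_appdata_root_exe(ev.image):
            findings.append(Finding(ev.pid, "appdata_root_exe", ev.image))
        if is_shadow_copy_deletion(ev.command_line):
            findings.append(Finding(ev.pid, "shadow_copy_deletion", ev.command_line))
    return findings


def high_confidence(events):
    """PIDs where shadow-copy deletion was launched by an AppData-root executable.

    Either behaviour alone can be benign (installers run from AppData, admins
    prune shadow copies); the chain of the two is the ransomware pattern.
    """
    return [
        ev.pid for ev in events
        if is_shadow_copy_deletion(ev.command_line) and is_appdata_root_exe(ev.parent_image)
    ]


# Constructed sample telemetry: a browser drive-by drops a random-named
# executable, which then wipes the shadow copies. Paths and names are made up.
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(5012, r"C:\Users\alice\AppData\Roaming\kqzxwv.exe",
                 r"C:\Users\alice\AppData\Roaming\kqzxwv.exe",
                 r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ProcessEvent(5030, r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet",
                 r"C:\Users\alice\AppData\Roaming\kqzxwv.exe"),
    # A legitimate app living in an AppData *subfolder* is not matched by rule 1.
    ProcessEvent(5044, r"C:\Users\alice\AppData\Roaming\Dropbox\bin\Dropbox.exe",
                 r"C:\Users\alice\AppData\Roaming\Dropbox\bin\Dropbox.exe",
                 r"C:\Windows\explorer.exe"),
    # An admin pruning shadow copies from an elevated shell: rule 2 fires,
    # but the parent is not an AppData-root binary, so it is not high confidence.
    ProcessEvent(6100, r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin delete shadows /for=C: /oldest",
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
    print("high-confidence ransomware chain:", high_confidence(SAMPLE_EVENTS))
```

The point of the `high_confidence` correlation is that each rule on its own is noisy: plenty of legitimate installers run from AppData, and administrators do delete shadow copies. Tying the deletion to its parent process is what turns two weak signals into the sequence the article describes.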



How does your computer get infected with TeslaCrypt?



TeslaCrypt typically infects a computer when a user running outdated software visits a compromised website that hosts an exploit kit. To spread the malware, attackers compromise websites and install an exploit kit, a software package that exploits known weaknesses in the programs on the visitor's computer. Commonly exploited programs include Windows, Acrobat Reader, Adobe Flash and Java. Once the exploit kit succeeds in exploiting a weakness, it installs and launches TeslaCrypt without the user's knowledge.



It is therefore important to keep Windows and all other installed programs up to date. Doing so closes the security holes that could otherwise be used to infect the system with TeslaCrypt.



This ransomware was the first to actively target data files used by PC video games. Minecraft, Steam, World of Tanks, League of Legends, Half-Life 2, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty and RPG Maker are just a handful of the many games whose files it targets. However, it has not been established whether targeting game files actually earns the malware's developers more revenue.



Versions of TeslaCrypt and their file extensions



TeslaCrypt is constantly updated with new encryption methods and file extensions. The initial version encrypts files using the extension .ecc. In this version, the encrypted files are not associated with a data file. TeslaDecoder can be used to recover the encryption key that was originally used; this is possible even if the decryption keys were zeroed out and only a partial key remains in key.dat. The decryption key can also be found in the request TeslaCrypt sends to its server.



Another version uses the extensions .ecc and .ezz for encrypted files. If the encryption key was not zeroed out, the original key cannot be recovered. The encrypted files are again not associated with the data file. The encryption key is also present in the request TeslaCrypt transmits to the server.



The original encryption keys for versions using the .ezz or .exx extensions cannot be recovered without the authors' private key. If the secret decryption key was zeroed out, it is not possible to retrieve the original key. Files encrypted with the .exx extension are linked to data files. Decryption keys can also be obtained from the TeslaCrypt request to the server.



The version that uses the .ccc, .abc, .aaa, .zzz and .xyz extensions for encrypted files does not make use of data files, and the decryption key is not stored on your computer. The files can only be decrypted if the victim captured the key while it was being transmitted to the server: the decryption key can be retrieved from the TeslaCrypt request to the server. This is not possible for versions older than TeslaCrypt v2.1.0.
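Because the appended extension identifies the version family, and the family determines whether any key-recovery path exists, a first-pass triage of an affected machine is simply a walk of the file tree keyed on those extensions. The following is an added example, not code from the original article or from TeslaDecoder: it scans a directory tree for the extensions listed above (and in the section on how the files are renamed), recovers the original file name by stripping the appended extension, and reports the most likely version family together with the article's recovery note for it. The extension-to-family mapping and the notes come from the article; the files that `demo()` writes into a temporary directory are constructed placeholders, not real ciphertext.

```python
"""Triage a directory tree for TeslaCrypt-encrypted files by their appended extension.

Added example, not code from the original article or from TeslaDecoder. The
extension-to-version mapping and the recovery notes are taken from the article;
the files created by demo() are constructed stand-ins, not real encrypted data.
"""
import os
import tempfile
from collections import Counter

_V21_NOTE = "key is not stored on disk; only a request captured on its way to the server helps"

# Extension the ransomware appends -> (version family, what the article says
# about recovering the key for that family).
TESLACRYPT_EXTENSIONS = {
    ".ecc": ("earliest", "key.dat may retain (partial) key material; TeslaDecoder may apply"),
    ".ezz": ("early", "original key not recoverable without the authors' private key"),
    ".exx": ("mid", "original key not recoverable without the authors' private key"),
}
TESLACRYPT_EXTENSIONS.update(
    {e: ("v2.1.0+", _V21_NOTE) for e in (".ccc", ".abc", ".aaa", ".zzz", ".xyz")}
)


def teslacrypt_extension(path):
    """Return the TeslaCrypt extension on `path` (lower-cased), or None if it has none."""
    ext = os.path.splitext(path)[1].lower()
    return ext if ext in TESLACRYPT_EXTENSIONS else None


def original_name(path):
    """Strip the appended extension: 'report.docx.ccc' -> 'report.docx'.

    TeslaCrypt appends its extension to the original name, so the original
    name (and therefore the file type) is still visible.
    """
    ext = teslacrypt_extension(path)
    return path[:-len(ext)] if ext else path


def scan_tree(root):
    """Return every file under `root` whose extension matches a TeslaCrypt family."""
    hits = []
    for dirpath, _subdirs, names in os.walk(root):
        for name in names:
            if teslacrypt_extension(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def summarize(hits):
    """Count hits per extension and family and pick the dominant family."""
    by_ext = Counter(teslacrypt_extension(p) for p in hits)
    by_family = Counter()
    for ext, count in by_ext.items():
        by_family[TESLACRYPT_EXTENSIONS[ext][0]] += count
    family = by_family.most_common(1)[0][0] if by_family else None
    note = None
    if family is not None:
        note = next(n for f, n in TESLACRYPT_EXTENSIONS.values() if f == family)
    return {
        "total": len(hits),
        "by_extension": dict(by_ext),
        "likely_family": family,
        "recovery_note": note,
    }


def demo():
    """Build a constructed victim tree in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="teslacrypt-demo-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Constructed file names; a real infection uses one extension set per run.
    for name in ("report.docx.ccc", "photo.jpg.ccc", "save.sav.abc", "readme.txt"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed placeholder, not real ciphertext")
    return summarize(scan_tree(root))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scan is a heuristic only: it says nothing about files the ransomware left untouched, and it cannot see TeslaCrypt 4.0 at all, since that release stops appending an extension. The family it reports should be cross-checked against the title of the ransom application, which the article gives as the other version indicator.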



TeslaCrypt 4.0 is now available



The authors released TeslaCrypt 4.0 in March 2016. The new version fixes a bug that damaged files larger than 4GB, ships new ransom notes, and no longer appends an extension to encrypted files. The absence of an extension makes it harder for users to learn that TeslaCrypt is involved and what has happened to their files, so victims of the latest version have to follow the paths laid out in the ransom notes. Files with no extension cannot be decrypted without a purchased key or the TeslaCrypt authors' private key. If the victim captured the key while it was being sent to the server, the files can still be decrypted.
