TeslaCrypt is ransomware that encrypts files. It runs on all Windows versions, including Windows Vista, Windows XP, Windows 7 and Windows 8. It was first released towards the end of February 2015. TeslaCrypt infects your computer and searches for data files to encrypt.
After all your data files have been encrypted, an application window is displayed with instructions on how to retrieve them. The instructions include a link to a TOR decryption service site. That site shows the current ransom amount, the number of files that have been encrypted and how to pay the ransom so that your files are released. The average ransom is $500, paid in Bitcoin. Each victim is assigned a unique Bitcoin address.
Once TeslaCrypt is installed on your computer, it creates a randomly named executable in the %AppData% folder. The executable is launched and begins to search the drive letters on your computer for files to encrypt. It encrypts any supported data file it finds and appends an extension to the file name. The extension depends on the version that infected your computer; with each new variant, TeslaCrypt has used different extensions for encrypted files. TeslaCrypt currently uses the following extensions for encrypted files: .ccc, .abc, .aaa, .zzz and .xyz. You can use TeslaDecoder to decrypt encrypted files for free, although this depends on the version of TeslaCrypt that infected your files.
It is important to note that TeslaCrypt will look through all drive letters on your computer to find files to encrypt, including network shares, DropBox mappings and removable drives. However, it only targets the data files on a network share when that share is mapped to a drive letter on your computer. If you have not mapped the network share to a drive letter, the ransomware cannot encrypt the files on it. After scanning your computer, it deletes all Shadow Volume Copies to prevent you from restoring the affected files. The ransomware's version is indicated by the title of the application window that appears after encryption.
How your computer gets infected with TeslaCrypt
TeslaCrypt infects computers when a user running outdated software visits a hacked website hosting an exploit kit. The malware's developers hack websites to distribute it, installing a specific piece of software called an exploit kit. This tool exploits vulnerabilities in the programs on your computer; Acrobat Reader and Java are just two of the programs with such vulnerabilities. Once the exploit kit has successfully exploited a vulnerability on your computer, it automatically installs and starts TeslaCrypt.
It is therefore important to keep Windows and your other installed programs up to date. This protects your system from the vulnerabilities that can lead to a TeslaCrypt infection.
This ransomware was the first to actively target data files used by PC video games. It targets game files for titles and platforms such as MineCraft, Steam, World of Tanks, League of Legends, Half-Life 2, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty and RPG Maker, to name just a few of the many games it targets. It has not been ascertained, however, whether targeting games results in increased profits for the developers of this malware.
Versions of TeslaCrypt and the associated file extensions
TeslaCrypt is constantly updated with new file extensions and encryption methods. The first version encrypts files with the .ecc extension. In this version the encrypted files cannot be linked to the data files. TeslaDecoder can still recover the original decryption key if the keys were zeroed out, provided an incomplete key is found in key.dat. The decryption key can also be found in the TeslaCrypt request sent directly to the server.
Another version uses the encrypted file extensions .ecc or .ezz. The original decryption key can be recovered without the ransomware authors' private key in the event that the key was zeroed out. The encrypted files cannot be linked to the data files. The decryption key can be obtained from the TeslaCrypt request sent to the server.
For the versions with the .ezz or .exx file extensions, the original encryption keys cannot be recovered without the authors' private key. If the secret decryption key was zeroed out, it is not possible to retrieve the keys used for decryption. Encrypted files with the .exx extension can be linked to the data files. The decryption key can also be obtained from the TeslaCrypt request to the server.
The version that uses the file extensions .ccc, .abc, .aaa, .zzz and .xyz does not use data files, and the encryption key is not stored on your computer. Files can only be decrypted if the victim captured the key while it was being transmitted to the server; the decryption key can then be retrieved from the TeslaCrypt request. This is not available for TeslaCrypt versions before v2.1.0.
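As an added example (not code from the original article), the following Python triage helper turns the extension list and version notes above into detection logic: it flags a process that renames many files to a TeslaCrypt extension within a short window, notes whether the process image lives in %AppData% as the article describes the dropper, and reports the recovery outlook for that extension family. The log format, process names and paths are constructed for illustration and do not correspond to any real EDR schema.

```python
import ntpath, re
from collections import defaultdict

# Recovery outlook per extension family, as described in the version notes of the article.
EARLY = "early version: key may be recoverable from key.dat or a captured request"
LATE = "v2.1+: key never stored locally, only a captured server request helps"
TESLACRYPT_EXT = {".ecc": EARLY, ".ezz": EARLY,
                  ".exx": "needs the authors' private key or a captured request",
                  **{e: LATE for e in (".ccc", ".abc", ".aaa", ".zzz", ".xyz")}}

# Constructed log format (not a real EDR schema): "<epoch> <pid> <image> RENAME <old> -> <new>".
LINE_RE = re.compile(r"^(\d+) (\d+) (\S+) RENAME (.+?) -> (.+)$")

# Constructed sample: one burst from a randomly named %AppData% binary, plus one benign rename.
SAMPLE_LOG = r"""
1455000000 4120 C:\Users\bob\AppData\Roaming\qwxkz.exe RENAME C:\Users\bob\Documents\budget.xlsx -> C:\Users\bob\Documents\budget.xlsx.ccc
1455000001 4120 C:\Users\bob\AppData\Roaming\qwxkz.exe RENAME C:\Users\bob\Pictures\p1.jpg -> C:\Users\bob\Pictures\p1.jpg.ccc
1455000002 4120 C:\Users\bob\AppData\Roaming\qwxkz.exe RENAME C:\Users\bob\Pictures\p2.jpg -> C:\Users\bob\Pictures\p2.jpg.ccc
1455000003 4120 C:\Users\bob\AppData\Roaming\qwxkz.exe RENAME C:\Users\bob\.minecraft\saves\level.dat -> C:\Users\bob\.minecraft\saves\level.dat.ccc
1455000004 4120 C:\Users\bob\AppData\Roaming\qwxkz.exe RENAME C:\Users\bob\Documents\thesis.docx -> C:\Users\bob\Documents\thesis.docx.ccc
1455000005 4120 C:\Users\bob\AppData\Roaming\qwxkz.exe RENAME C:\Users\bob\Documents\notes.txt -> C:\Users\bob\Documents\notes.txt.ccc
1455000030 812 C:\Windows\explorer.exe RENAME C:\Users\bob\Desktop\draft.txt -> C:\Users\bob\Desktop\final.txt
""".strip().splitlines()

def parse(lines):
    """Yield (ts, pid, image, new_path) for well-formed rename events; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m[1]), int(m[2]), m[3], m[5]

def detect_bursts(lines, threshold=5, window=60):
    """Alert when one process renames >= threshold files to a TeslaCrypt extension within window seconds.
    in_appdata reflects the article's note that the dropper is a randomly named binary in %AppData%."""
    per_proc = defaultdict(list)
    for ts, pid, image, new_path in parse(lines):
        ext = ntpath.splitext(new_path)[1].lower()
        if ext in TESLACRYPT_EXT:
            per_proc[(pid, image)].append((ts, ext))
    alerts = []
    for (pid, image), hits in per_proc.items():
        hits.sort()
        for i in range(len(hits) - threshold + 1):
            if hits[i + threshold - 1][0] - hits[i][0] <= window:
                ext = hits[i][1]
                alerts.append({"pid": pid, "image": image, "extension": ext, "count": len(hits),
                               "in_appdata": "\\appdata\\" in image.lower(),
                               "recovery": TESLACRYPT_EXT[ext]})
                break
    return alerts
```

Running `detect_bursts(SAMPLE_LOG)` yields a single alert for PID 4120 on the `.ccc` family; raising the threshold or shrinking the window suppresses it, which is the knob to tune against legitimate bulk renames.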
Release of TeslaCrypt 4.0
In March 2016 the developers released TeslaCrypt 4.0. The new version fixes a bug that corrupted files larger than 4GB, contains new ransom notes and no longer appends an extension to encrypted files. Without an extension it is harder for users to find out about TeslaCrypt or what happened to their files, so the ransom notes are what guide victims. Files without an extension cannot be decrypted without a purchased key or TeslaCrypt's private key, unless the victim captured the key as it was being sent to the server during encryption.