Seller profile
silverwine95
  • Full name: silverwine95
  • Location: Ukwa West, Edo, Nigeria
  • Website: https://penzu.com/p/96347033
  • User Description:

TeslaCrypt is a file-encrypting ransomware program that targets all Windows versions, including Windows Vista, Windows XP and Windows 7. It was first released towards the end of February 2015. TeslaCrypt infects your computer and searches for data files to encrypt. When all your data files have been encrypted, an application is displayed that provides information on how to recover them. The instructions include a link to a TOR encryption service website. This site provides information on the current ransom amount, how many files have been encrypted, and how to pay so that your files can be released. The average ransom is $500, payable in Bitcoin. Each victim has their own Bitcoin address.

Once TeslaCrypt is installed on your computer, it creates a randomly named executable in the %AppData% folder. The executable is launched and begins scanning your computer's drive letters for files to encrypt. It encrypts any supported data files it discovers and adds an extension to the file name. The extension depends on the variant that has affected your computer. Since the release of the latest versions of TeslaCrypt, the program uses different extensions for encrypted files. Currently, TeslaCrypt uses the following extensions: .ccc, .abc, .aaa, .zzz, .xyz, .exx, .ezz and .ecc. You may be able to use the TeslaDecoder tool to decrypt your files free of charge, depending on which version of TeslaCrypt affected them.

It is important to note that TeslaCrypt searches all drive letters on your computer to locate files to encrypt. This includes network shares, Dropbox mappings, and removable drives. However, it only targets data files on network shares if the share is mapped as a drive letter on your computer. If you haven't mapped the network share as a drive letter, the ransomware won't encrypt the files on that share. After scanning your computer, the ransomware deletes all Shadow Volume Copies to prevent you from restoring the affected files. The title of the application displayed after encryption shows the ransomware's version.

How does your computer get infected by TeslaCrypt

A computer becomes infected with TeslaCrypt when the user visits an untrusted website that runs an exploit kit while the computer is running outdated software. To distribute this malware, attackers compromise websites and install an exploit kit on them. The exploit kit attempts to take advantage of vulnerabilities in the software on your computer. Programs whose vulnerabilities are commonly exploited include Windows, Acrobat Reader, Adobe Flash and Java. After the exploit kit has successfully exploited a vulnerability on your computer, it automatically installs and launches TeslaCrypt.

You should therefore make sure that Windows and your other installed programs are up to date. This helps you avoid weaknesses that could result in your computer being infected with TeslaCrypt.

This ransomware was the first to actively target data files used by PC video games. It targets game files from Steam, World of Tanks, League of Legends, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty, RPG Maker and many more. It has not been determined, however, whether targeting games results in more revenue for the developers of this malware.

Versions of TeslaCrypt and associated file extensions

TeslaCrypt is updated regularly to incorporate new encryption techniques and file extensions. The first version encrypts files with the extension .ecc. In this scenario, the encrypted files aren't paired with data files. The TeslaDecoder tool can be used to recover the original decryption key. This is possible if the decryption key was zeroed out and a partial key is found in key.dat. The decryption key can also be found in the Tesla request that was sent to the server.

There is a different version that uses the encrypted file extensions .ecc and .ezz. If the decryption key was not zeroed out, it is impossible to recover the original key. The encrypted files are not associated with the data file. Decryption keys can be obtained from the Tesla request that was sent to the server.

For the version with the file extensions .ezz and .exx, the original encryption key can't be recovered without the author's private key when the decryption key was zeroed out. Encrypted files that have the extension .exx can be paired with data files. You can also request a decryption key through the Tesla server.

The version that uses the file extensions .ccc, .abc, .aaa, .zzz and .xyz does not utilize data files, and the decryption key is not stored on your computer. Files can only be decrypted when the victim is able to capture the key as it is being transmitted to an online server. You can retrieve the encryption key by contacting Tesla. This is not possible for TeslaCrypt versions prior to v2.1.0.

TeslaCrypt 4.0 is now available

The authors released TeslaCrypt 4.0 sometime in March 2016. The latest version addresses a bug that damaged files larger than 4GB. It also comes with new ransom notes and does not add an extension to encrypted files. The absence of an extension makes it hard for users to find out about TeslaCrypt and what has happened to their files. With the latest version, users need to follow the paths outlined in the ransom notes. It is impossible to decrypt files with no extension without a purchased key or Tesla's private key. If the key can be captured while it is being sent to a server, the files can be decrypted.
