History And Development Of TeslaCrypt Ransomware



TeslaCrypt is a file-encrypting ransomware program that targets all Windows versions, including Windows XP, Windows Vista and Windows 7. It was first released around the end of February. Once TeslaCrypt infects your computer, it looks for data files to encrypt.



When all of your data files have been encrypted, an application window is displayed with instructions on how to recover the files. The instructions contain a hyperlink to the TOR Decryption Service website. That site shows the current ransom amount, the number of files that have been encrypted and how to pay the ransom to have your files released. The average ransom is $500, payable in Bitcoin, and each victim is given their own Bitcoin address.



After TeslaCrypt has been installed on your system, it creates a randomly named executable in the %AppData% folder. The executable is launched and begins to search the drive letters on your computer for files to encrypt. When it finds a matching data file, it encrypts the file and appends an extension to the file name. Which extension is added depends on the version of TeslaCrypt that infected your system, since newer versions use different extensions for encrypted files. At present, TeslaCrypt uses the following extensions: .ccc, .abc, .aaa, .zzz, .xyz, .exx, .ezz and .ecc. Depending on which version of TeslaCrypt infected you, there is a chance that the TeslaDecoder tool can decrypt your files at no charge.



You should note that TeslaCrypt scans all of the drive letters on your computer to find files to encrypt, including removable drives, DropBox mappings and network shares. However, it only targets data files on a network share if that share is mapped to a drive letter on your computer; files on unmapped network shares are not encrypted. Once it has finished scanning your PC, it erases all Shadow Volume Copies so that you cannot restore the affected files from them. The version of the ransomware can be identified by the title of the application window that appears after encryption.
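Two of the behaviours described above are visible in process-creation telemetry: an executable launched straight from the %AppData% folder, and the deletion of Shadow Volume Copies. The following added example (written for this page, not code from the article or from TeslaCrypt) runs that detection logic over a few constructed log lines. The `key=value|key=value` log format and the sample events are constructed for the example; the `vssadmin delete shadows` command line is a commonly observed way of deleting shadow copies and is an assumption, since the article does not say how TeslaCrypt erases them.

```python
"""Triage of process-creation events for two TeslaCrypt behaviours:
an executable launched from the %AppData% folder, and Shadow Volume
Copy deletion. Log format and events are constructed for this example."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str     # full path of the started process
    cmdline: str   # its command line
    parent: str    # image name of the parent process


# Constructed sample events in a simple key=value|key=value form.
SAMPLE_LOG = """\
image=C:\\Windows\\System32\\svchost.exe|cmdline=svchost.exe -k netsvcs|parent=services.exe
image=C:\\Users\\alice\\AppData\\Roaming\\kqzvfhtdpw.exe|cmdline=kqzvfhtdpw.exe|parent=iexplore.exe
image=C:\\Windows\\System32\\vssadmin.exe|cmdline=vssadmin.exe delete shadows /all /quiet|parent=kqzvfhtdpw.exe
image=C:\\Program Files\\Example\\updater.exe|cmdline=updater.exe --check|parent=explorer.exe
"""

# An .exe sitting directly in %AppData% (AppData\Roaming), not in a sub-folder.
APPDATA_ROOT_RE = re.compile(r"\\AppData\\Roaming\\([^\\]+\.exe)$", re.IGNORECASE)
# Assumed shadow-copy deletion command line (not stated on the page).
SHADOW_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def parse_log(text):
    """Parse the constructed log format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(ProcEvent(fields["image"], fields["cmdline"], fields["parent"]))
    return events


def triage(events):
    """Return (severity, reason, detail) findings for the event stream."""
    findings = []
    appdata_execs = set()
    for ev in events:
        m = APPDATA_ROOT_RE.search(ev.image)
        if m:
            appdata_execs.add(m.group(1).lower())
            findings.append(("medium", "executable launched from %AppData% root", ev.image))
    for ev in events:
        if SHADOW_DELETE_RE.search(ev.cmdline):
            # Shadow copy deletion spawned by an %AppData% executable is the
            # combination the article describes, so escalate it.
            sev = "high" if ev.parent.lower() in appdata_execs else "medium"
            findings.append((sev, "shadow volume copy deletion", ev.cmdline))
    return findings


if __name__ == "__main__":
    for sev, reason, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"[{sev}] {reason}: {detail}")
```

The correlation step is what makes the second finding useful: administrators do delete shadow copies legitimately, but a deletion whose parent is a freshly dropped executable in %AppData% is the sequence this article describes.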



How can your computer be infected by TeslaCrypt?



TeslaCrypt can infect a computer when a user with outdated software visits a compromised website that hosts an exploit kit. Attackers compromise websites and install the exploit kit, a software package that exploits weaknesses in the programs on your computer, in order to distribute this malware. Programs whose vulnerabilities are commonly exploited include Windows, Acrobat Reader, Adobe Flash and Java. Once the exploit kit has successfully exploited a vulnerability on your computer, it automatically installs and starts TeslaCrypt.



It is therefore crucial to keep Windows and all other programs up to date. This closes the vulnerabilities that could otherwise lead to your computer being infected with TeslaCrypt.



This ransomware was the very first to actively target data files used by PC video games, including files from Steam, World of Tanks, League of Legends, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty, RPG Maker and many more. However, it has not been established whether targeting game files increases the revenue of the malware developers.



Versions of TeslaCrypt and the file extensions associated with them



TeslaCrypt is regularly updated with new encryption techniques and file extensions. The initial version encrypts files using the extension .ecc. In this version the encrypted files are not paired with the original data files. TeslaDecoder may be able to recover the original encryption key: this is possible if the key was zeroed out and a partial key is found in key.dat. The decryption key can also be found in the Tesla request to the server.



Another version uses the encrypted file extensions .ecc and .ezz. If the key was zeroed out, the original decryption key cannot be recovered without the ransomware authors' private key. The encrypted files are not paired with the original data files. The decryption key can be found in the Tesla request sent to the server.



For the versions using the extensions .ezz and .exx, the original decryption key likewise cannot be recovered without the authors' private key if the key was zeroed out. Encrypted files with the .exx extension are paired with the original data files. The decryption key can also be found in the Tesla request to the server.



The version using the file extensions .ccc, .abc, .aaa, .zzz and .xyz does not pair encrypted files with the original data files, and the encryption key is not stored on your computer. Files can only be decrypted if the victim captured the key while it was being transmitted to the server. The decryption key can be recovered from the Tesla request to the server, but this is not possible for versions older than TeslaCrypt v2.1.0.
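When triaging an infected machine, the first questions are which extension family is present, whether the original data files are still sitting beside the encrypted copies (as the article says they are for .exx), and whether a key.dat file exists that TeslaDecoder might use. The following added example (written for this page, not code from the article or from TeslaDecoder) walks a directory tree and answers those questions. The sample tree is constructed in a temporary directory; the family labels are this example's own names for the versions the article describes, and the assumption that key.dat may be anywhere in the scanned tree is a simplification, since the article does not give its location.

```python
"""Triage a directory tree for files carrying TeslaCrypt extensions.
Sample tree and family labels are constructed for this example."""
import os
import tempfile

# Extension families as described in the article, with the recovery note
# the article gives for each (labels are this example's own).
FAMILIES = [
    ("ecc-only", {".ecc"},
     "TeslaDecoder may recover the key if a partial key remains in key.dat"),
    ("ecc/ezz", {".ecc", ".ezz"},
     "key only recoverable from the captured server request"),
    ("ezz/exx", {".ezz", ".exx"},
     "key only recoverable from the captured server request; .exx files are paired with originals"),
    ("ccc/abc/aaa/zzz/xyz", {".ccc", ".abc", ".aaa", ".zzz", ".xyz"},
     "key not stored locally; only recoverable if captured in transit (v2.1.0 and later)"),
]
TESLA_EXTENSIONS = set().union(*(exts for _, exts, _ in FAMILIES))


def candidate_families(ext):
    """Family labels that use this extension (.ecc and .ezz are ambiguous)."""
    return [label for label, exts, _ in FAMILIES if ext in exts]


def scan_tree(root):
    """Return ({ext: [paths]}, [key.dat paths]) for the tree under root."""
    hits, key_dat = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == "key.dat":
                key_dat.append(path)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in TESLA_EXTENSIONS:
                hits.setdefault(ext, []).append(path)
    return hits, key_dat


def summarize(hits, key_dat):
    """Count hits per extension and check whether the original file (the
    encrypted name minus the appended extension) still exists beside it."""
    summary = {"extensions": {}, "key_dat": key_dat}
    for ext, paths in hits.items():
        paired = sum(1 for p in paths if os.path.exists(p[:-len(ext)]))
        summary["extensions"][ext] = {
            "count": len(paths),
            "with_original_beside": paired,
            "families": candidate_families(ext),
        }
    return summary


def build_sample_tree():
    """Constructed sample: a Documents folder with a mix of encrypted,
    original and untouched files."""
    root = tempfile.mkdtemp(prefix="teslacrypt_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ["report.docx.exx", "report.docx", "photo.jpg.exx",
                 "notes.txt.ccc", "budget.xlsx.ccc", "readme.txt"]:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = summarize(*scan_tree(sample_root))
    for ext, info in result["extensions"].items():
        print(f"{ext}: {info['count']} files, {info['with_original_beside']} "
              f"with original beside, families={info['families']}")
    print("key.dat found:", result["key_dat"] or "none")
```

Run it against the root of each drive letter an infected machine had mapped; the per-extension count tells you which version you are dealing with, and a non-zero `with_original_beside` count means some data can be recovered by simply keeping the originals rather than by decryption.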



TeslaCrypt 4.0 is now available



The authors released TeslaCrypt 4.0 sometime in March 2016. This version fixes a bug that corrupted files larger than 4 GB, includes new ransom notes, and no longer appends an extension to encrypted files. Because there is no extension, it is harder for users to recognise TeslaCrypt or to work out what has happened to their files; the ransom notes are what victims have to go on. Files without an extension cannot be decrypted without a purchased key or the authors' private key, unless the victim captured the key while it was being transmitted to the server.