September 3, 2022

History and Evolution of TeslaCrypt Ransomware Virus

TeslaCrypt is a ransomware program that encrypts files. It targets all Windows versions in use at the time, including Windows XP, Windows Vista, Windows 7 and Windows 8. It was first released towards the end of February 2015. Once it infects a computer, TeslaCrypt searches for data files and encrypts them with AES so that they can no longer be opened.

Once all data files on the computer have been encrypted, an application window is displayed with instructions on how to recover the files. The instructions include a link to a payment site hosted as a Tor hidden service. This site shows the current ransom amount, how many files have been encrypted, and how to pay so that the files can be released. The ransom usually starts at $500, payable in Bitcoin, and each victim is given a different Bitcoin address.

Once TeslaCrypt is installed, it creates an executable with a random name in the %AppData% folder. That executable is launched and begins to scan the computer's drive letters for files to encrypt. When it finds a supported data file, it encrypts the file and appends a new extension to the file name. The extension depends on the version of TeslaCrypt infecting the computer; with each new version the program has used different extensions for the encrypted files. The extensions used so far are .ccc, .abc, .aaa, .zzz, .xyz, .exx, .ezz and .ecc. Depending on which version is involved, it may be possible to decrypt the files free of charge with the TeslaDecoder tool.

It is important to note that TeslaCrypt searches all drive letters on the computer for files to encrypt. That includes network shares, DropBox mappings and removable drives, but data files on a network share are only targeted when the share is mapped as a drive letter: the ransomware cannot encrypt files on a network share that is not mapped as a drive letter. Once scanning is complete, it erases all Shadow Volume Copies so that the affected files cannot be restored from them. The version of the ransomware is indicated by the title of the application window that appears after encryption.
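The behaviour described in the two paragraphs above (a random-named executable in %AppData%, mass renaming of data files to the known extensions, and deletion of Shadow Volume Copies) can be turned into host triage rules. The following Python is an added example, not code from the original page or from TeslaDecoder. The event records are constructed, not real telemetry, and the block assumes that shadow copies are removed with a "vssadmin delete shadows" or "wmic shadowcopy delete" command; the page only states that the copies are erased, so the exact command line is an assumption.

```python
import ntpath
import re
from collections import Counter

# Extensions the article lists for the TeslaCrypt versions it covers.
TESLACRYPT_EXTENSIONS = {".ccc", ".abc", ".aaa", ".zzz", ".xyz", ".exx", ".ezz", ".ecc"}

# Assumption: shadow copies are deleted via vssadmin or wmic; both forms are matched.
SHADOW_DELETE = re.compile(
    r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)
# An executable sitting directly in %AppData% (...\AppData\Roaming\<name>.exe).
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed sample telemetry (not real logs). Each record is
# (kind, image_path, detail): for "proc" the detail is the command line,
# for "file" it is the path of a file the process created or renamed.
MALWARE = r"C:\Users\alice\AppData\Roaming\kdu4x9qz.exe"
SAMPLE_EVENTS = [
    ("proc", MALWARE, MALWARE),
    ("file", MALWARE, r"C:\Users\alice\Documents\report.docx.ecc"),
    ("file", MALWARE, r"C:\Users\alice\Pictures\holiday.jpg.ecc"),
    ("file", MALWARE, r"Z:\shared\budget.xlsx.ecc"),            # mapped network share
    ("file", MALWARE, r"E:\backup\thesis.pdf.ecc"),              # removable drive
    ("file", MALWARE, r"C:\Users\alice\Saved Games\save01.sav.ecc"),
    ("file", MALWARE, r"C:\Users\alice\Documents\notes.txt.ecc"),
    ("proc", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("proc", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\todo.txt"),
    ("file", r"C:\Program Files\Office\winword.exe", r"C:\Users\alice\Documents\memo.docx"),
]


def teslacrypt_extension(path):
    """Return the TeslaCrypt extension of a Windows path, or None if it has none."""
    ext = ntpath.splitext(path)[1].lower()
    return ext if ext in TESLACRYPT_EXTENSIONS else None


def triage(events, burst_threshold=5):
    """Return alerts as (rule, image_path, detail) tuples.

    Rules: shadow_copy_deletion, appdata_executable, and
    teslacrypt_extension_burst (one process wrote at least burst_threshold
    files carrying one of the known TeslaCrypt extensions).
    """
    alerts = []
    burst = Counter()
    for kind, image, detail in events:
        if kind == "proc":
            if SHADOW_DELETE.search(detail):
                alerts.append(("shadow_copy_deletion", image, detail))
            if APPDATA_EXE.search(image):
                alerts.append(("appdata_executable", image, detail))
        elif kind == "file" and teslacrypt_extension(detail):
            burst[image] += 1
    for image, count in burst.items():
        if count >= burst_threshold:
            alerts.append(("teslacrypt_extension_burst", image, f"{count} files"))
    return alerts


if __name__ == "__main__":
    for rule, image, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {image}  {detail}")
```

The extension burst rule fires per process rather than per file because a single renamed file is normal; the shadow copy rule is the strongest single signal, since legitimate software almost never deletes all shadow copies quietly. Note that files on an unmapped share never appear in these events, consistent with the paragraph above.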

How your computer gets infected by TeslaCrypt

TeslaCrypt is typically delivered when a user whose system is running outdated software visits a compromised website hosting an exploit kit. Attackers compromise legitimate websites and install an exploit kit, a software package that exploits vulnerabilities in the programs on the visitor's computer. Commonly exploited programs are Windows itself, Adobe Acrobat Reader, Adobe Flash and Java. Once the exploit kit has successfully exploited a vulnerability, it automatically downloads and launches TeslaCrypt.

It is therefore crucial to keep Windows and all other programs up to date. This closes the vulnerabilities that exploit kits use to deliver TeslaCrypt.

This ransomware was the first of its kind to target data files used by PC video games. Games whose files it targets include Minecraft, Steam, World of Tanks, League of Legends, Half-Life 2, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty and RPG Maker, among others. It has not been determined, however, whether targeting gamers' files actually increased the malware authors' revenue.

Versions of TeslaCrypt and their file extensions

TeslaCrypt is updated regularly to incorporate new encryption techniques and file extensions. The initial version encrypts files with the .ecc extension. In this version the encrypted files are not associated with a data file. The TeslaDecoder tool can be used to recover the original encryption key even if the decryption key was zeroed out, provided a partial key is still found in key.dat. The decryption key can also be recovered from the request TeslaCrypt sent to its server, if that traffic was captured.

A later version uses the extensions .ecc and .ezz. Here it is impossible to recover the original encryption key without the ransomware authors' private key if the decryption key was zeroed out. The encrypted files are again not associated with a data file. The encryption key can still be recovered from the request sent to the server, if that traffic was captured.

For versions using the .ezz or .exx extensions, the original decryption key cannot be recovered without the authors' private key; if the decryption key was zeroed out, recovery is not possible. Files with the .exx extension are associated with a data file. The encryption key can also be recovered from the request sent to the server, if that traffic was captured.

Versions using the .ccc or .abc extensions do not use a data file, and the decryption key is not stored on the system at all. Decryption is only possible if the victim captured the key as it was being transmitted to the server; the key is then retrieved from that captured request. This is not possible for versions after TeslaCrypt v2.1.0.

The release of TeslaCrypt 4.0

The authors released TeslaCrypt 4.0 in March 2016. This version fixes a bug that corrupted files larger than 4 GB, introduces new ransom notes, and no longer appends an extension to encrypted files. The absence of an extension makes it harder for victims to work out that TeslaCrypt is responsible and what has happened to their files; the ransom notes are what direct them to the payment site. At the time of that release there was no established method to decrypt files without an extension unless the decryption key or the authors' private key was available; the files could only be decrypted if the victim had captured the key as it was being transmitted to the server. This is no longer the case: the TeslaCrypt operators shut down in May 2016 and published their master key, and free decryptors for version 3.x and 4.x files, including extensionless ones, have been available since then.