Know about TeslaCrypt & Remove TeslaCrypt Ransomware

In recent years, an increasing number of PC users have fallen victim to ransomware used by unscrupulous cyber criminals to extort money. It is estimated that more than 250,000 types of ransomware are circulating on the web, and new versions are constantly being created. Many computer users, especially those who know little about ransomware, panic when their computers are suddenly infected, and most of them do what the criminals demand, namely pay the ransom. In this article, we focus on an aggressive new type of ransomware called TeslaCrypt, so that our readers have a better understanding of this threat and know how to react if they are unfortunate enough to encounter it.

Main Content:

What Is Ransomware?
Brief Introduction of TeslaCrypt Ransomware
How Does Your PC Get Infected by TeslaCrypt Ransomware?
Should You Pay the Ransom?
How Can You Remove TeslaCrypt Ransomware?
Is It Possible to Restore the Files Encrypted without Paying the Ransom?
How to Stay Safe from Ransomware?

What Is Ransomware?

Ransomware is a type of malware created to attack computers and extort money from their users. Home users as well as large and small businesses can be victims of ransomware. Ransomware is believed to have first become prevalent in Russia, perhaps as early as the mid-2000s, but according to figures from Trend Micro it has moved out of its traditional Russian market and is now attacking users in other countries such as the US and Germany. Generally, ransomware can be classified into two types. One type is designed to lock the computer system, typically by setting the Windows Shell to itself, or even by modifying the master boot record and/or partition table to prevent the operating system from booting until it is repaired; notable examples are Reveton and FBI Moneypak. The other type encrypts the files found on the victim’s computer using strong cryptography; the most notorious examples are CryptoLocker, CryptoWall, and CryptoWall 4.0. After attacking a computer, the ransomware typically displays a message demanding that the victim pay a ransom within a limited time to regain access to the computer or files. Whether the criminals will keep their promise, however, is uncertain.

Brief Introduction of TeslaCrypt Ransomware

TeslaCrypt is a type of file-encrypting ransomware first spotted earlier this year. It is considered a variant of CryptoLocker: it encrypts the most important files on a victim’s PC and then demands payment via Bitcoin or MoneyPak. This ransomware targets all versions of Windows, including Windows XP, Windows Vista, Windows 7, and Windows 8.

According to a blog post, once the ransomware infects a computer, it performs the following:

1. Delete all system Volume Shadow Copies by executing “vssadmin.exe delete shadows /all /quiet” command.
2. Open the “key.dat” file and recover encryption keys. If “key.dat” file doesn’t exist, create the keys and store them in an encrypted form in the “key.dat” file.
3. Send the new master encryption key to the C&C server through POST request.
4. Implement anti-tampering protection: every 200 milliseconds, TeslaCrypt enumerates all running processes and, if a process whose filename contains any of the words below is found, terminates it using the TerminateProcess Windows API function:

  • taskmgr
  • procexp
  • regedit
  • msconfig
  • cmd.exe

5. Scan the system for data files and encrypt them using symmetric AES encryption (although the warning presented to the victim claims RSA-2048 is used), blocking the victim’s access to them.

Like other ransomware, TeslaCrypt encrypts many types of files, such as images, Office documents, financial spreadsheets and tax returns. An interesting new twist is that it mainly targets gaming-related files such as images, documents, videos and app databases. One likely reason is that dedicated gamers value their data and are willing to pay the ransom to get it back. It has been reported that this ransomware targets nearly 20 different online games, including well-known titles such as World of Warcraft, DayZ, Call of Duty, Fallout, Diablo, and Minecraft, and can encrypt as many as 185 file extensions.

The following is a screenshot of the file extensions targeted by the ransomware:

[Screenshot: file extensions targeted by TeslaCrypt]

Once encryption finishes, the ransomware sets a ransom note as the victim’s desktop wallpaper and creates another ransom note named “HELP_TO_DECRYPT_YOUR_FILES.txt” on the desktop. It then displays a warning window telling the victim that his personal files have been encrypted and that he needs to obtain the private key to decrypt them. The warning provides a link to a site on the Tor network with further instructions on how to pay for the private key.
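As an added example (not from the original article or any vendor tool), the following Python detector turns the observable behaviour described above into rules and runs them over constructed endpoint events: the shadow-copy deletion command from step 1, the “key.dat” write from step 2, and the ransom note dropped after encryption. The event field names, paths and sample events are assumed and constructed for illustration.

```python
import re

# Indicators taken from the behaviour described in the article (constructed rules, not a vendor signature)
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/all", re.IGNORECASE)
RANSOM_NOTE = "help_to_decrypt_your_files.txt"
KEY_FILE = "key.dat"
# key.dat lives in the user's Application Data directory (older and newer Windows path spellings)
APPDATA_RE = re.compile(r"\\(?:Application Data|AppData)\\", re.IGNORECASE)


def classify_event(event):
    """Return an alert label for one event dict, or None if nothing matches."""
    kind = event.get("type")
    if kind == "process_create":
        if SHADOW_DELETE_RE.search(event.get("command_line", "")):
            return "shadow_copy_deletion"
    elif kind == "file_create":
        path = event.get("path", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name == RANSOM_NOTE:
            return "ransom_note_dropped"
        if name == KEY_FILE and APPDATA_RE.search(path):
            return "key_file_written"
    return None


def scan_events(events):
    """Run every event through the rules; return (label, event) pairs in log order."""
    alerts = []
    for event in events:
        label = classify_event(event)
        if label:
            alerts.append((label, event))
    return alerts


# Constructed sample telemetry (Sysmon-like field names are assumed; paths are hypothetical)
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},  # benign administrative use, must not alert
    {"type": "file_create", "path": r"C:\Documents and Settings\user\Application Data\key.dat"},
    {"type": "file_create", "path": r"C:\Users\user\Documents\report.docx"},
    {"type": "file_create", "path": r"C:\Users\user\Desktop\HELP_TO_DECRYPT_YOUR_FILES.txt"},
]

if __name__ == "__main__":
    for label, event in scan_events(SAMPLE_EVENTS):
        print(label, "<-", event.get("command_line") or event.get("path"))
```

The shadow-copy rule fires before any file is encrypted, so it is the earliest of the three signals and the one worth alerting on in real time.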

The following is a screenshot of the warning window:

[Screenshot: TeslaCrypt warning screen]

If the victim clicks on the link in the warning window, he is redirected to a site like the one below:

[Screenshot: payment site page on the Tor network]

This page not only gives the necessary payment details but also offers a decryption service that the victim can test once for free, to convince the victim that the files really can be decrypted after payment. The page also includes a message system that lets the victim communicate privately with the ransomware developers. The TeslaCrypt developers have been clever: they have adjusted not only the types of files targeted but also the payment instructions, all in order to dupe more people into paying the ransom.

How Does Your PC Get Infected by TeslaCrypt Ransomware?

Your computer may get infected by this ransomware when you visit a compromised website that runs an exploit kit. Cyber criminals plant this software, called an exploit kit, on various websites in advance; when you browse such a site, the exploit kit exploits vulnerabilities in programs on your PC and installs the ransomware on your system. The following exploit kits are known to distribute TeslaCrypt: Angler Exploit Kit (EK), Nuclear EK, Fiesta EK and Sweet Orange EK. They generally exploit programs like Adobe Flash, Java, Acrobat Reader, and some video players. So it is vital to keep the programs installed on your PC up to date and to avoid visiting unfamiliar websites.

Another cause of infection is opening a malicious email attachment. Spam email has long been a common tool for spreading ransomware and other malware. The TeslaCrypt gang may send you a spam email with a malicious attachment that looks like an ordinary text file, audio file, picture, or archive but is actually the ransomware’s executable. Once the attachment is opened, the ransomware is activated and installed on your computer immediately. Therefore, ignore spam email attachments, especially those with potentially unsafe file types.

Should You Pay the Ransom?

TeslaCrypt demands a payment of 1.5 Bitcoins (about 415 USD) or £400 (about 600 USD), which is expensive for low-income groups. When infected by this ransomware, you face a question: pay or not pay? Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program, advised victims to pay the ransom when he addressed the Cyber Security Summit on October 21st, saying that paying the ransom is often the easiest path out of a ransomware infection. Indeed, paying seems to be the only way to get your files back when nothing else works. If losing the encrypted files would mean losing your job, then it is worth paying a few hundred dollars to get them back; that is, it depends on how important your files are. But if the encrypted files are not so vital to you, you can choose not to pay. On the one hand, there is no guarantee that the criminals will keep their promise and let you decrypt your files, or that they will not demand another ransom from you later. On the other hand, paying encourages the criminals to continue their campaigns, so more people will fall victim to the ransomware.

How Can You Remove TeslaCrypt Ransomware?

If your computer has been infected by TeslaCrypt, you can take two actions to try to remove this threat. Note that these actions do not guarantee successful removal of the ransomware, since the degree of infection varies from computer to computer.

Action 1: Start your computer in Safe Mode and then restore your system.

Action 2: Download and install SpyHunter to run a malware scan to detect and remove the ransomware.

Note: SpyHunter’s free version is only for malware detection. If you want to enjoy the malware removal and other services like malware blocking, daily updates, custom fixes to individual malware problems and free tech support, you need to upgrade it to the registered version.

Is It Possible to Restore the Files Encrypted without Paying the Ransom?

Generally, it is almost impossible to decrypt files encrypted by this ransomware without paying the ransom. But this does not mean there is no chance of getting your files back. According to Bleepingcomputer.com, a tool called TeslaDecoder may be able to decrypt your files for free, but it only works on files with the .ECC and .EXX extensions.

If you have encrypted files with those extensions, you can try this tool.

[Screenshot: TeslaDecoder]

TeslaDecoder can be downloaded from the following URL:

http://download.bleepingcomputer.com/BloodDolly/TeslaDecoder.zip

A TeslaDecoder support topic can be found here:

http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt

There is also another tool that might help decrypt the files. According to the Talos Group, the ransomware actually uses symmetric AES encryption rather than the asymmetric RSA-2048 claimed in the warning message shown to victims. Victims can therefore use the Talos TeslaCrypt Decryption Tool, a command-line utility, to decrypt all the files encrypted by this ransomware. The tool needs the “key.dat” file to recover the master key used for file encryption. Before starting, it searches for “key.dat” in its original location (the user’s Application Data directory) or in the current directory; if it cannot find and correctly parse the “key.dat” file, it returns an error and exits.

[Screenshot: Talos TeslaCrypt Decryption Tool]

To use this tool, copy the “key.dat” file into the tool’s directory and then specify either an encrypted file or a directory containing encrypted files. The files should then be decrypted and restored to their original content.

Link to the tool: https://github.com/vrtadmin/TeslaDecrypt/tree/master/Windows

If the tools mentioned above do not help, you can try the methods below to restore your files:

Method 1: Backups

If you backed up your files before the infection, you can try restoring them from a recent backup.

Method 2: Use File Recovery Software

When TeslaCrypt encrypts a file, it first makes a copy of it, encrypts the copy, and then deletes the original. So you may be able to recover some of your original files with file recovery software such as R-Studio or PhotoRec.

Method 3: Use Shadow Volume Copies

You can also try restoring your files from Shadow Volume Copies (this method works only if the ransomware did not delete the Shadow Volume Copies on your PC). For more information on how to restore your files via Shadow Volume Copies, see the link below:

http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information#shadow

How to Stay Safe from Ransomware?

TeslaCrypt spreads either through spam email attachments or through compromised websites. Use caution with unexpected emails: do not open attached files or click on links in the message. Also avoid visiting unsafe websites or clicking on suspicious pop-ups. In addition, back up your important files regularly, and disconnect the backup drive from your computer afterwards, since ransomware might encrypt your backup files too. Last but not least, download and install a powerful anti-malware program to protect your computer from ransomware infection. Several anti-malware programs are recommended: SpyHunter, Malwarebytes, and Max Spyware Detector. These tools have proven effective in blocking, detecting and removing malware. Among them, SpyHunter is the most recommended. You can download this program to your PC now!


Attention:

[Video: a complete guide to TeslaCrypt ransomware removal; best watched in full-screen mode]
