The History and Evolution of the TeslaCrypt Ransomware Virus

TeslaCrypt is a file-encrypting ransomware program designed for all Windows versions, including Windows Vista, Windows XP, Windows 7 and Windows 8. The ransomware was first introduced towards the end of February 2015. Once it infects your computer, TeslaCrypt searches for data files and encrypts them with AES encryption, so that you can no longer open them.



After all your data files have been encrypted, the ransomware displays an application with information on how to recover the files. The instructions contain a hyperlink that connects you to the TOR Decryption Services website. This site shows the current ransom amount, the number of files encrypted, and the method you can use to make payment so that your files are released. The ransom amount usually starts at $500 and is payable in Bitcoin. There is a unique Bitcoin address for each victim.



After TeslaCrypt has been installed on your computer, it creates a randomly named executable in the %AppData% folder. The executable is launched and begins to scan the drive letters on your computer for files to encrypt. It appends an extension to the name of every supported data file it finds. The extension depends on the version of the program that has affected your system. As newer versions of TeslaCrypt were released, the program used a variety of file extensions for encrypted files. Currently, TeslaCrypt uses the following extensions: .ccc, .abc, .aaa, .zzz, .xyz, .exx, .ezz and .ecc. You may be able to use the TeslaDecoder tool to decrypt your encrypted files free of charge, depending on which version of TeslaCrypt infected your computer.



TeslaCrypt searches all drive letters on your computer for files that can be encrypted. This includes network shares, DropBox mappings, and removable drives. However, it will only target data files on a network share when the share is mapped as a drive letter on your computer. If you don't map the network share as a drive letter, the ransomware won't be able to encrypt the files on that share. Once it has finished scanning your computer, it erases all Shadow Volume Copies to prevent you from restoring affected files. The title of the application displayed after encryption indicates the ransomware's version.



How your computer gets infected with TeslaCrypt



TeslaCrypt infects a computer when the user visits an untrusted website running an exploit kit and the computer has outdated programs installed. To spread this malware, hackers hack websites and install a special software program on them, referred to as an exploit kit. This tool exploits weaknesses in your computer's programs. Programs whose vulnerabilities are commonly exploited include Windows, Acrobat Reader, Adobe Flash and Java. Once the exploit kit has successfully exploited the vulnerabilities on your computer, it automatically installs and launches TeslaCrypt.



Therefore, you should make sure that Windows and your other installed programs are up to date. This protects your system from the weaknesses that could lead to infection with TeslaCrypt.



This ransomware was the first to actively target data files used by PC video games. It targets files for games such as MineCraft, Steam, World of Tanks, League of Legends, Half-life 2, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty and RPG Maker, to name just a few. However, it has not been ascertained whether targeting games means increased revenue for the developers of this malware.



Versions of TeslaCrypt and associated file extensions



TeslaCrypt is updated frequently to include new file extensions and encryption techniques. The first version gives encrypted files the extension .ecc. In this version, encrypted files aren't associated with data files. TeslaDecoder can recover the original encryption key if the decryption keys were zeroed out and a partial key was found in key.dat. The decryption key can also be found in the Tesla request sent to the server.



A different version uses the extensions .ecc and .ezz for encrypted files. In this version, the original decryption key cannot be recovered without the ransomware authors' private key once the decryption key has been zeroed out. The encrypted files are also not linked to the data file. The encryption key can be obtained from the Tesla request sent to the server.



For the version that uses the file extensions .ezz and .exx, the original decryption key cannot be obtained without the authors' private key once the decryption key has been zeroed out. Encrypted files with the extension .exx can be associated with data files. The decryption key can also be obtained from the Tesla request sent to the server.



The version that uses the file extensions .ccc, .abc, .aaa, .zzz and .xyz does not make use of data files, and the decryption key is not stored on your computer. Files can only be decrypted if the victim captured the key while it was being sent to the server. The key can then be retrieved from the Tesla request. This is not possible with versions after TeslaCrypt v2.1.0.
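A triage sketch for the version list above, added here as an example and not part of the original article or of TeslaDecoder: it sorts file paths by the extensions listed and reports which version groups fit and whether a key.dat was found. The group numbers, function names and sample paths are assumptions made for this example.

```python
import ntpath  # splits both "\" and "/" paths, so Windows paths work on any OS
import os
from collections import Counter

# Version groups as the article lists them; the group numbers are this
# example's own labels, and each note paraphrases the article's recovery remark.
GROUPS = {
    1: ({".ecc"}, "partial key in key.dat may let TeslaDecoder rebuild the key"),
    2: ({".ecc", ".ezz"}, "zeroed key not recoverable without authors' private key"),
    3: ({".ezz", ".exx"}, "zeroed key not recoverable without authors' private key"),
    4: ({".ccc", ".abc", ".aaa", ".zzz", ".xyz"},
        "key not stored locally; only a captured server request helps"),
}
ALL_EXTS = set().union(*(exts for exts, _ in GROUPS.values()))

def triage(paths):
    """Count files per TeslaCrypt extension and list the groups that fit."""
    counts, key_files = Counter(), []
    for p in paths:
        name = ntpath.basename(p).lower()
        if name == "key.dat":
            key_files.append(p)
        ext = ntpath.splitext(name)[1]
        if ext in ALL_EXTS:
            counts[ext] += 1
    seen = set(counts)
    # A group is a candidate only if it explains every extension observed.
    candidates = [g for g, (exts, _) in GROUPS.items() if seen and seen <= exts]
    return {"counts": dict(counts), "key_files": key_files,
            "candidates": candidates,
            "notes": {g: GROUPS[g][1] for g in candidates}}

def scan(root):
    """Walk a directory tree (for example a mounted disk image) and triage it."""
    found = []
    for d, _, files in os.walk(root):
        found += [os.path.join(d, f) for f in files]
    return triage(found)

if __name__ == "__main__":
    # Constructed sample paths, not taken from a real incident.
    sample = [r"C:\Users\a\Docs\report.docx.ecc", r"C:\Users\a\Pics\cat.jpg.ecc",
              r"C:\Users\a\AppData\Roaming\key.dat", r"C:\Users\a\notes.txt"]
    print(triage(sample))
```

An extension such as .ecc or .ezz appears in two groups, so the result can list more than one candidate. Files encrypted by TeslaCrypt 4.0 carry no extension and are not matched by this check.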



TeslaCrypt 4.0 is now available



The developers released TeslaCrypt 4.0 in March 2016. A quick analysis shows that the new version corrects a bug that had previously caused corruption of files larger than 4GB. It also has new ransom notes and doesn't add an extension to encrypted files. Because there is no extension, it is difficult for users to learn about TeslaCrypt or what happened to their files. With the latest version, users have to follow the paths outlined in the ransom notes. Files without an extension cannot be decrypted without a purchased key or Tesla's private key. The files can be decrypted if a victim captured the key while it was transmitted to the server during encryption.

