History and Evolution of TeslaCrypt Ransomware Virus

TeslaCrypt is a ransomware program that encrypts files and targets all Windows versions, including Windows Vista, Windows XP and Windows 7. It was first released around the end of February 2015. TeslaCrypt infects your computer and searches for data files to encrypt.



Once all the data files on your computer have been encrypted, an application is displayed that gives details on how to retrieve your files. The instructions contain a link to a TOR Decryption Service site. This site provides information about the current ransom amount, the number of files that have been encrypted, and how to pay so that your files can be released. The ransom amount typically starts at $500 and can be paid in Bitcoins. There is a unique Bitcoin address for each victim.



Once TeslaCrypt is installed on your computer, it creates a randomly named executable in the %AppData% folder. The executable is launched and scans your computer's drive letters looking for files to encrypt. It then adds an extension to the name of every supported data file it finds. The extension depends on the version that affected your computer: as new versions of TeslaCrypt were released, the program used different file extensions for the encrypted files. At present, TeslaCrypt uses the following extensions: .ccc, .abc, .aaa, .zzz, .xyz, .exx, .ezz and .ecc. You may be able to use the TeslaDecoder tool to decrypt your encrypted files at no charge, depending on which version of TeslaCrypt affected them.
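For triage, the appended-extension pattern described above can be searched for on disk. The following is an added example, not code from the original page or from TeslaDecoder; the function names and the sample file tree are constructed for illustration.

```python
import os
from collections import Counter

# Extensions the article lists for TeslaCrypt-encrypted files.
TESLACRYPT_EXTENSIONS = {".ccc", ".abc", ".aaa", ".zzz", ".xyz", ".exx", ".ezz", ".ecc"}


def find_suspect_files(root):
    """Return sorted (path, extension) pairs for files that carry a listed
    extension appended after another extension, e.g. 'report.docx.ecc'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            # Require an inner extension: a bare 'notes.abc' may be a legitimate
            # file, while 'notes.txt.abc' matches the appended-extension pattern.
            if ext in TESLACRYPT_EXTENSIONS and os.path.splitext(stem)[1]:
                hits.append((os.path.join(dirpath, name), ext))
    return sorted(hits)


def summarize(hits):
    """Count hits per extension and per directory to show the spread."""
    by_ext = Counter(ext for _path, ext in hits)
    by_dir = Counter(os.path.dirname(path) for path, _ext in hits)
    return by_ext, by_dir


def build_sample_tree(root):
    """Create a constructed sample tree (empty files) for the demonstration."""
    names = ["docs/report.docx.ecc", "docs/budget.xlsx.ecc", "docs/plan.docx",
             "saves/slot1.sav.CCC", "misc/alphabet.abc"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = find_suspect_files(tmp)
        by_ext, by_dir = summarize(hits)
        for path, ext in hits:
            print(ext, path)
        print(dict(by_ext), len(by_dir), "directories affected")
```

The dominant extension in the summary tells you which version section of this page applies. A version that adds no extension, as described for TeslaCrypt 4.0, will not be found by this scan.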


TeslaCrypt scans all drive letters on your computer to find files to encrypt, including network shares, DropBox mappings and removable drives. However, it can only target data files on a network share if the share is mapped as a drive letter on your computer. If you don't map the network share as a drive letter, the ransomware will not encrypt the files on that share. After scanning your computer, the ransomware deletes all Shadow Volume Copies to prevent you from restoring the affected files. The title of the program displayed after your files are encrypted indicates the ransomware's version.
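The two behaviours described so far, an executable running from %AppData% and the deletion of Shadow Volume Copies, can be correlated in process-creation telemetry. The following is an added example, not code from the original page; the event field names and sample events are constructed, and matching on the built-in vssadmin and wmic commands is an assumption, since the page does not say how the copies are deleted.

```python
import re

# An .exe sitting directly in a user's %AppData% (Roaming, Vista and later layout).
APPDATA_EXE = re.compile(r'\\appdata\\roaming\\[^\\]+\.exe$', re.IGNORECASE)
# Assumption: shadow copies are deleted with the built-in vssadmin or wmic tools.
SHADOW_DELETE = re.compile(
    r'vssadmin(\.exe)?"?\s+delete\s+shadows|wmic(\.exe)?"?\s+shadowcopy\s+delete',
    re.IGNORECASE)


def detect_shadow_copy_deletion(events):
    """Flag shadow copy deletion; severity is high when an ancestor process
    runs from %AppData%, otherwise medium (could be admin or backup activity)."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if not SHADOW_DELETE.search(event["cmdline"]):
            continue
        origin, seen = None, set()
        parent = by_pid.get(event["ppid"])
        while parent and parent["pid"] not in seen:  # guard against pid loops
            seen.add(parent["pid"])
            if APPDATA_EXE.search(parent["image"]):
                origin = parent["image"]
                break
            parent = by_pid.get(parent["ppid"])
        alerts.append({"pid": event["pid"], "origin": origin,
                       "severity": "high" if origin else "medium"})
    return alerts


# Constructed sample events (hypothetical field names, not a real log schema).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\AppData\Roaming\qhxvbtr.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\qhxvbtr.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"pid": 211, "ppid": 210, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /for=D: /oldest'},
]

if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(alert)
```

The sketch ignores PID reuse; with real telemetry, key processes on a unique process identifier or on PID plus start time.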



How does your computer get infected with TeslaCrypt?



TeslaCrypt infects a computer when the user visits a hacked website that hosts an exploit kit and the computer has outdated programs. Developers hack websites to distribute this malware and install a special software program known as an exploit kit. This program tries to take advantage of weaknesses in your computer's programs; Acrobat Reader and Java are just a couple of the programs with such weaknesses. Once the exploit kit has successfully exploited the vulnerabilities on your computer, it automatically installs and starts TeslaCrypt.



It is therefore important to ensure that Windows and your other installed programs are up to date. This will protect your system from vulnerabilities that could lead to infection by TeslaCrypt.



This ransomware was the first to actively target data files used by PC video games. It targets game files from games like MineCraft, Steam, World of Tanks, League of Legends, Half-life 2, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty, RPG Maker and many others. However, it has not been established whether targeting games results in increased profits for the developers of this malware.



Versions of TeslaCrypt and the file extensions that go with them



TeslaCrypt is frequently updated to include new file extensions and encryption methods. The initial version encrypts files using the extension .ecc. The encrypted files, in this case, are not associated with the data files. TeslaDecoder can also be used to recover the original encryption key; this is possible if the decryption keys were zeroed out and a partial key was found in key.dat. It is also possible to find the Tesla request, sent directly to the server, that contains the decryption keys.



Another version uses the encrypted file extensions .ecc or .ezz. If the decryption key was eliminated, the original encryption key cannot be recovered without the ransomware authors' private key. The encrypted files can't be paired with the data files. The Tesla request can be sent to the server using the encryption key.



For the versions with the file extensions .ezz and .exx, the original decryption key cannot be recovered without the authors' private key if the decryption key was zeroed out. Files encrypted with the extension .exx can be paired with data files. You can also request a decryption key through the Tesla server.



Versions that use the encrypted file extensions .ccc or .abc don't use data files. The decryption key is not stored on your computer. Files can only be decrypted if the victim captured the key while it was being transmitted to the server. The decryption key can be retrieved from the Tesla request to the server. This is not available for TeslaCrypt versions before v2.1.0.



TeslaCrypt 4.0 is now available



The authors released TeslaCrypt 4.0 sometime in March 2016. A brief analysis indicates that the latest version corrects a bug that previously corrupted files larger than 4GB. It also contains new ransom notes and doesn't use an extension for encrypted files. Since there is no extension, it is difficult for users to learn about TeslaCrypt or what happened to their files. The ransom notes are used to give victims a route to follow. There are few established ways to decrypt the extensionless files without a decryption key or Tesla's private key. The files can be decrypted if the victim captured the key while it was being transmitted to the server during encryption.


Website: https://johnfladung.net/
     
 