History and Evolution of TeslaCrypt Ransomware Virus

TeslaCrypt is file-encrypting ransomware. It targets all Windows versions, including Windows Vista, Windows XP, Windows 7 and Windows 8, and was first released around the end of February 2015. Once it has infected a PC, TeslaCrypt searches for data files and encrypts them with AES so that you can no longer open them.



Once all your data files have been encrypted, the ransomware displays an application with information on how to recover them. The instructions contain a link to a TOR decryption service site. That site shows the current ransom amount, the number of files that have been encrypted, and how to pay the ransom so that your files are released. The ransom usually starts at $500 and is payable in Bitcoins. There is a distinct Bitcoin address for each victim.



Once TeslaCrypt is installed on your computer, it creates an executable with a random name in the %AppData% folder. The executable starts and scans your drive letters for files to encrypt. It then adds an extension to the name of any supported data file it discovers. The extension depends on the version that infected your computer: as new versions of TeslaCrypt have been released, the program has used different extensions for encrypted files. At present, TeslaCrypt uses the following extensions: .ccc, .abc, .aaa, .zzz, .xyz, .exx, .ezz and .ecc. You may be able to use the TeslaDecoder tool to decrypt your encrypted files free of cost, depending on which version of TeslaCrypt infected your computer.



TeslaCrypt scans all drive letters on your computer for files to encrypt, including network shares, DropBox mappings and removable drives. However, it can only target data files on a network share if the share is mapped as a drive letter on your computer; files on shares that are not mapped as a drive letter are not encrypted. Once it has finished scanning your computer, it deletes all Shadow Volume Copies to prevent you from restoring the affected files. The title of the application displayed after the encryption of your PC shows the version of the ransomware.



How does your computer get infected with TeslaCrypt



TeslaCrypt infects a computer when the user visits a hacked site that hosts an exploit kit while running outdated programs. Attackers compromise websites to distribute this malware and install on them a special software program called an exploit kit. The kit exploits vulnerabilities in the programs on your computer. Programs whose vulnerabilities are typically exploited include Windows, Acrobat Reader, Adobe Flash and Java. If the exploit kit succeeds in exploiting a vulnerability on your computer, it automatically installs and launches TeslaCrypt without your knowledge.



You should, therefore, ensure that Windows and your other installed programs are up to date. This helps you avoid the weaknesses that could result in your computer being infected with TeslaCrypt.



The ransomware was the first to actively target data files used by PC video games. It targets game files from titles such as MineCraft, Steam, World of Tanks, League of Legends, Half-life 2, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty and RPG Maker, to name just a few. However, it hasn't been determined whether targeting gamers results in increased revenue for the malware developers.



Versions of TeslaCrypt and the associated file extensions



TeslaCrypt is constantly updated to incorporate new encryption methods and file extensions. The first version encrypts files with the extension .ecc. In this version the encrypted files aren't associated with data files. TeslaDecoder can be used to recover the original encryption key; this is possible if the decryption key was zeroed out and a partial key was found in key.dat. It is also possible to find the decryption key in the request that TeslaCrypt sends to its server.



Another version uses the encrypted file extensions .ecc or .ezz. If the encryption key was not zeroed out, one is unable to recover the original key. The encrypted files are also not associated with a data file. The decryption key can be found in the Tesla request sent to the server.



For the version that uses the extensions .ezz and .exx, the original decryption key cannot be recovered without the authors' private key if the decryption key was zeroed out. Files encrypted with the extension .exx are associated with data files. You can also request a key for decryption from the Tesla server.



The version that uses the extensions .ccc, .abc, .aaa, .zzz and .xyz does not use data files, and the decryption key is not stored on your computer. Files can only be decrypted if the victim records the key as it is being transmitted to the server. You can get the decryption key by contacting Tesla. It is not possible to do this with versions prior to TeslaCrypt v2.1.0.
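The extension groups above can be turned into a first-pass triage of a file listing from an affected machine. This is an added example, not code from the original note or from TeslaDecoder: the names `triage`, `scan`, `GROUPS` and the sample listing are hypothetical, and matching key.dat by file name anywhere in the tree is an assumption. Files from a version that adds no extension are not matched.

```python
import ntpath
import os
from collections import Counter

# Extension groups exactly as the article lists them. An extension can
# appear in more than one group, so triage yields candidate groups.
GROUPS = {
    "first version (.ecc)": {".ecc"},
    "version using .ecc/.ezz": {".ecc", ".ezz"},
    "version using .ezz/.exx": {".ezz", ".exx"},
    "version using .ccc/.abc/.aaa/.zzz/.xyz": {".ccc", ".abc", ".aaa", ".zzz", ".xyz"},
}
KNOWN = set().union(*GROUPS.values())

SAMPLE = [  # constructed file listing, not real evidence
    r"C:\Users\alice\Documents\budget.xlsx.ezz",
    r"C:\Users\alice\Documents\thesis.docx.ezz",
    r"C:\Users\alice\Saved Games\slot1.sav.ecc",
    r"C:\Users\alice\AppData\Roaming\key.dat",
    r"C:\Users\alice\Pictures\cat.jpg",
]


def triage(paths):
    """Count known TeslaCrypt extensions and note key.dat in a path listing."""
    counts, key_dat = Counter(), []
    for p in paths:
        name = ntpath.basename(p).lower()  # ntpath splits on both \ and /
        ext = ntpath.splitext(name)[1]
        if ext in KNOWN:
            counts[ext] += 1
        elif name == "key.dat":  # assumption: match by file name anywhere
            key_dat.append(p)
    seen = set(counts)
    # A group is a candidate only if it covers every extension seen; an empty
    # list with non-empty counts means no single group above explains them.
    candidates = [g for g, exts in GROUPS.items() if seen and seen <= exts]
    return {"counts": dict(counts), "key_dat": key_dat, "candidates": candidates}


def scan(root):
    """Walk a directory tree, e.g. a read-only mount of the affected drive."""
    return triage(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run `scan()` against a copy or read-only mount of the drive rather than the live system, so the evidence is not modified while you decide which recovery route applies.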



TeslaCrypt 4.0 is now available



The developers recently released TeslaCrypt 4.0, sometime in March 2016. A brief analysis indicates that this version fixes a flaw that previously corrupted files bigger than 4GB. It also includes new ransom notes and does not add an extension to encrypted files. Because there is no extension, it is difficult for users to find out about TeslaCrypt or what happened to their files. The ransom notes are used to create routes for victims. There are no established methods to decrypt files with no extension without a purchased decryption key or Tesla's private key. If the attacker captures the key while it was being transmitted to a server, the files can be decrypted.

