
History And Evolution Of TeslaCrypt Ransomware Virus

TeslaCrypt is a file-encrypting ransomware program that targets all Windows versions, including Windows Vista, Windows XP, Windows 7 and Windows 8. It was first released at the end of February 2015. Once it infects your PC, TeslaCrypt searches for data files and encrypts them with AES so that you can no longer open them.



When all data files on your computer have been encrypted, an application is displayed that explains how to recover your files. The instructions contain a link to the TOR Decryption Service website. This site shows the current ransom amount, the number of files that were encrypted, and how to pay so that your files are released. The ransom usually starts at $500 and is payable in Bitcoins. Each victim is given their own Bitcoin address.



After TeslaCrypt is installed on your system, it creates an executable with a random name in the %AppData% folder. The executable starts and scans your computer's drive letters for files it can encrypt. When it detects a supported data file, it encrypts it and appends an extension to the file name. The extension depends on the version that affected your system. New versions of TeslaCrypt have introduced new extensions for encrypted files; TeslaCrypt currently uses the following: .ccc, .abc, .aaa, .zzz, .xyz. You may be able to use the TeslaDecoder tool to decrypt your files at no charge, depending on which version of TeslaCrypt encrypted them.



Note that TeslaCrypt scans all of the drive letters on your computer to find files to encrypt. This includes network shares, DropBox mappings, and removable drives. It only targets data files on a network share if the share has been mapped as a drive letter on your computer; files on shares that are not mapped as a drive letter are not encrypted. After it has finished scanning your computer, it deletes all Shadow Volume Copies to prevent you from restoring the affected files. The ransomware's version is indicated by the application title that appears after encryption.



How TeslaCrypt affects your computer



TeslaCrypt infects a computer when the user visits a hacked website that hosts an exploit kit while running outdated programs. Attackers compromise websites to distribute the malware and install an exploit kit on them, a software program that tries to exploit vulnerabilities in the programs on your computer. Programs whose vulnerabilities are commonly exploited include Windows, Acrobat Reader, Adobe Flash and Java. Once the exploit kit has successfully exploited a vulnerability on your computer, it automatically installs and launches TeslaCrypt.



It is important to keep Windows and all other programs up to date. This protects you from weaknesses that could lead to your computer being infected with TeslaCrypt.



This ransomware was the first to actively target data files used by PC video games. It targets files from games and platforms such as Steam, World of Tanks, League of Legends, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty and RPG Maker, to name just a handful. However, it has not been established whether targeting games means increased profits for the developers of this malware.



Versions of TeslaCrypt and the associated file extensions



TeslaCrypt is updated regularly to incorporate new file extensions and encryption techniques. The first version gives encrypted files the extension .ecc. In this case the encrypted files are not paired with the data file. TeslaDecoder can also be used to recover the original encryption key; this is possible if the decryption keys were zeroed out and a partial key was found in key.dat. The decryption keys can also be found in the Tesla request that was sent to the server.



Another version uses the encrypted file extensions .ecc or .ezz. If the encryption key was not zeroed out, the original key cannot be recovered. The encrypted files are not paired with the data file. The encryption key can be found in the Tesla request sent to the server.



For the versions with the file extensions .ezz or .exx, the original encryption key cannot be recovered without the authors' private key. If the decryption key was zeroed out, it is not possible to retrieve the keys used to decrypt. Encrypted files with the extension .exx can be paired with data files. The decryption key can also be obtained from the Tesla request to the server.



Versions with the encrypted file extensions .ccc, .abc, .aaa, .zzz and .xyz do not use data files, and the decryption key is not stored on your computer. Files can only be decrypted if the victim captured the key while it was being sent to the server. The decryption key can be retrieved from the Tesla request to the server. It is not possible to do this with versions prior to TeslaCrypt v2.1.0.



TeslaCrypt 4.0 is now available



The authors released TeslaCrypt 4.0 sometime in March 2016. A brief analysis shows that the new version fixes a bug that previously corrupted files larger than 4GB. It also has new ransom notes and does not add an extension to encrypted files. Because there is no extension, it is difficult for users to find out about TeslaCrypt or what happened to their files. Victims are instead routed through the ransom notes. There are few established ways to decrypt the extensionless files without a purchased decryption key or Tesla's private key. The files could be decrypted if the victim captured the key as it was sent to the server during encryption.
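
The host behaviour described earlier (an executable dropped directly in %AppData%, files renamed with the listed extensions across drive letters, and Shadow Volume Copy deletion) can be turned into a simple triage check. The following is an added example, not code from the original article or from TeslaDecoder; the event format, the `triage` function, the sample events and the use of `vssadmin` for shadow copy deletion are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Encrypted-file extensions named on this page.
TESLA_EXTS = {".ecc", ".ezz", ".exx", ".ccc", ".abc", ".aaa", ".zzz", ".xyz"}
# An executable sitting directly in the roaming %AppData% folder.
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)
# Assumption: shadow copies are deleted with vssadmin (the page names no tool).
SHADOW_DEL = re.compile(r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b', re.I)


def triage(events, min_files=3):
    """Score process and file events against the behaviour described above."""
    exes, shadow, exts, drives = [], False, Counter(), set()
    for ev in events:
        if ev["type"] == "proc":
            if APPDATA_EXE.search(ev["image"]):
                exes.append(ev["image"])
            if SHADOW_DEL.search(ev["cmd"]):
                shadow = True
        elif ev["type"] == "file":
            path = PureWindowsPath(ev["path"])
            if path.suffix.lower() in TESLA_EXTS:
                exts[path.suffix.lower()] += 1
                drives.add(path.drive.upper())
    hits = sum(exts.values())
    if hits >= min_files and (shadow or exes):
        verdict = "likely"
    elif hits or shadow or exes:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "appdata_exes": exes, "shadow_delete": shadow,
            "ext_counts": dict(exts), "drives": sorted(drives)}


# Constructed sample events, not taken from a real incident.
DROPPER = r"C:\Users\al\AppData\Roaming\qwjdkse.exe"
SAMPLE = [
    {"type": "proc", "image": DROPPER, "cmd": DROPPER},
    {"type": "file", "path": r"C:\Users\al\Documents\budget.xlsx.ccc"},
    {"type": "file", "path": r"C:\Users\al\Saved Games\slot1.sav.ccc"},
    {"type": "file", "path": r"Z:\team\plan.docx.ccc"},  # mapped network share
    {"type": "file", "path": r"C:\Users\al\Documents\notes.txt"},
    {"type": "proc", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /Quiet"},
]
```

Because TeslaCrypt 4.0 adds no extension to encrypted files, the extension count stays at zero for that version and only the two process signals can raise a finding.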

