
The Evolution and History of the TeslaCrypt Ransomware Virus

TeslaCrypt is a file-encrypting ransomware program that targets all Windows versions, including Windows Vista, Windows XP, Windows 7 and Windows 8. It was first released towards the end of February 2015. After it has infected your computer, TeslaCrypt searches for data files and encrypts them with AES encryption so that you can no longer open them.



As soon as all the data files on your computer have been encrypted, an application is displayed with details on how to retrieve your files. The instructions contain a link that connects you to the TOR Decryption Services website. The site provides information about the current ransom amount, the number of files that were encrypted, and how to make the payment so that your files are released. The average ransom is $500 and is payable in Bitcoins. Each victim has their own Bitcoin address.



Once TeslaCrypt is installed on your computer, it creates a randomly named executable in the %AppData% folder. The executable is launched and begins to scan your computer's drive letters for files to encrypt. When it finds a supported data file, it encrypts the file and appends a new extension to the file name. The extension depends on the version that infected your computer. With the release of new versions of TeslaCrypt, the program uses different file extensions for encrypted files. Currently, TeslaCrypt uses the following extensions: .ccc, .abc, .aaa, .zzz, .xyz, .exx, .ezz and .ecc. You may be able to use the TeslaDecoder tool to decrypt your encrypted files at no cost. Whether this works depends on the version of TeslaCrypt that infected your computer.



It is important to note that TeslaCrypt scans all drive letters on your computer to locate files to encrypt. This includes network shares, DropBox mappings, and removable drives. However, it can only target data files on a network share when the share is mapped as a drive letter on your computer. The ransomware will not encrypt files on network shares that are not mapped as a drive letter. After scanning your computer, it deletes all Shadow Volume Copies. This is done to prevent you from restoring the affected files. The version of the ransomware is indicated by the title of the application that appears after encryption.



How TeslaCrypt infects your computer



TeslaCrypt can infect a computer when the user visits a hacked website that hosts an exploit kit and the computer runs outdated programs. To spread this malware, attackers hack websites and install a software program called an exploit kit on them. This tool exploits vulnerabilities in the programs on your computer. Programs whose vulnerabilities are typically exploited include Windows, Acrobat Reader, Adobe Flash and Java. Once the exploit kit has successfully exploited the vulnerabilities on your computer, it automatically installs and launches TeslaCrypt.



It is therefore important to ensure that Windows and your other installed programs are up to date. This will protect your system from security holes that could result in infection with TeslaCrypt.



This ransomware was the very first to actively target data files used by PC video games. It targets game files for titles such as MineCraft, Steam, World of Tanks, League of Legends, Half-life 2, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty and RPG Maker, which are just a handful of the many games it targets. However, it has not been determined whether targeting gamers increases the revenue of the malware creators.



Versions of TeslaCrypt and their associated file extensions



TeslaCrypt is constantly updated to include new file extensions and encryption methods. The first version gives encrypted files the extension .ecc. The encrypted files, in this case, are not paired with the data files. TeslaDecoder can be used to recover the original decryption key if the decryption key was zeroed out and an incomplete key was found in key.dat. The decryption key can also be obtained from the Tesla request sent to the server.



Another version uses the encrypted file extensions .ecc or .ezz. The original decryption key cannot be recovered without the private key of the ransomware authors if the decryption key was zeroed out. The encrypted files are not paired with the data file. The encryption key can be obtained from the Tesla request that is sent to the server.



For versions that use the extensions .ezz or .exx, the original decryption key cannot be recovered without the authors' private key. If the secret decryption key was zeroed out, it will not be possible to retrieve the original key. Encrypted files with the extension .exx can be paired with data files. The decryption key can also be obtained from the Tesla request to the server.



The version with the encrypted file extensions .ccc, .abc, .aaa, .zzz and .xyz does not make use of data files, and the decryption key is not stored on your computer. Files can only be decrypted if the victim captured the key as it was being sent to the server. The decryption key can be retrieved from the Tesla request to the server. This is not possible for TeslaCrypt versions before v2.1.0.
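The extension groups above overlap (.ecc and .ezz each appear in two of them), so an extension alone does not pin down the version. The following triage script is an added example, not part of the original note or of TeslaDecoder: it walks a directory tree, counts files carrying the listed extensions and reports every candidate group. The group labels A to D and the sample file names are assumptions made for this example.

```python
import os
import tempfile
from collections import Counter

# Extension sets per version group, as listed in the section above.
# The group labels A-D are this example's own; the page does not name them.
GROUPS = {
    "A": ({".ecc"}, "TeslaDecoder may recover a zeroed-out key from a partial key in key.dat"),
    "B": ({".ecc", ".ezz"}, "zeroed-out key needs the authors' private key"),
    "C": ({".ezz", ".exx"}, "zeroed-out key needs the authors' private key"),
    "D": ({".ccc", ".abc", ".aaa", ".zzz", ".xyz"},
          "key is not stored locally; only a key captured in transit helps"),
}

def candidate_groups(ext):
    """Return every group whose extension set contains ext (may be more than one)."""
    return sorted(g for g, (exts, _note) in GROUPS.items() if ext.lower() in exts)

def triage(root):
    """Walk root and return {extension: (file_count, candidate_groups)}."""
    counts = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()  # last suffix: report.docx.ecc -> .ecc
            if candidate_groups(ext):
                counts[ext] += 1
    return {ext: (n, candidate_groups(ext)) for ext, n in sorted(counts.items())}

def make_sample_tree(root):
    """Create empty, constructed sample files (names are made up for this example)."""
    for rel in ("docs/report.docx.ecc", "docs/notes.txt", "saves/slot1.sav.EZZ",
                "saves/slot2.sav.ezz", "pics/cat.jpg.xyz", "pics/dog.jpg"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for ext, (n, groups) in triage(tmp).items():
            # An extension match is a lead, not proof: .abc or .xyz can be legitimate files.
            print(f"{ext}: {n} file(s), candidate group(s) {groups}")
            for g in groups:
                print(f"   {g}: {GROUPS[g][1]}")
```

Where more than one group is reported, the title of the ransom application, which the note says indicates the version, is what separates them.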


TeslaCrypt 4.0 is now available



The authors released TeslaCrypt 4.0 in March of 2016. The latest version fixes an issue that damaged files larger than 4GB. It also comes with new ransom notes and does not use an extension for encrypted files. Because there is no extension, it is difficult for users to learn about TeslaCrypt or what happened to their files. The ransom notes are used to create pathways for victims. Files without an extension cannot be decrypted without a purchased key or Tesla's private key. The files can be decrypted if the victim captured the key as it was being sent to the server during encryption.


My Website: https://a1cdn.net/
     
 