The History And Development Of TeslaCrypt Ransomware Virus

TeslaCrypt is file-encrypting ransomware that targets all Windows versions, including Windows XP, Windows Vista and Windows 7. It was first released at the end of February 2015. Once TeslaCrypt infects your computer, it searches for data files to encrypt.



When all data files on your computer have been encrypted, an application is displayed that explains how to retrieve your files. The instructions contain a link to a decryption service website on TOR. The site shows the current ransom amount, how many files have been encrypted, and how to pay so that your files are released. The ransom typically starts at $500 and can be paid in Bitcoins. There is a different Bitcoin address for each victim.



After TeslaCrypt is installed on your system, it creates a randomly named executable in the %AppData% folder. The executable is launched and begins to search your computer's drive letters for files to encrypt. When it finds a supported data file, it encrypts it and appends a new extension to the file's name. The extension depends on the version of the program that infected your computer, and newer versions of TeslaCrypt use different file extensions for encrypted files. At present, TeslaCrypt uses the following extensions: .ccc, .abc, .aaa, .zzz, .xyz, .exx, .ezz and .ecc. You may be able to use the TeslaDecoder tool to decrypt your encrypted files at no charge; this depends on which version of TeslaCrypt infected your computer.



TeslaCrypt searches all drive letters on your computer to locate files that can be encrypted. It can scan network shares, DropBox mappings and removable drives. It only targets data files on network shares if the share is mapped as a drive letter on your computer. If you haven't mapped the network share as a drive letter, the ransomware will not encrypt the files on that share. After it has finished scanning your computer, it deletes all Shadow Volume Copies to prevent you from restoring the affected files. The version of the ransomware is indicated by the title of the application that appears after encryption.
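The behaviour described above (an executable launched straight from %AppData% that then deletes Shadow Volume Copies) can be turned into a detection rule. The following is an added example, not part of the original article: the event records are constructed, and the deletion command patterns (`vssadmin delete shadows`, `shadowcopy delete`) are assumptions, since the article does not name the command used.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Constructed process-creation records (Sysmon Event ID 1 style fields).
EVENTS = [
    {"pid": 4012, "ppid": 2200, "cmd": "qkvbrtw.exe",
     "image": r"C:\Users\ann\AppData\Roaming\qkvbrtw.exe"},
    {"pid": 4980, "ppid": 4012, "cmd": "vssadmin.exe delete shadows /all /Quiet",
     "image": r"C:\Windows\System32\vssadmin.exe"},
    {"pid": 5100, "ppid": 900, "cmd": "vssadmin.exe list shadows",
     "image": r"C:\Windows\System32\vssadmin.exe"},
    {"pid": 5200, "ppid": 2200, "cmd": "updater.exe /check",
     "image": r"C:\Users\ann\AppData\Roaming\Vendor\App\updater.exe"},
]

# %AppData% itself (Vista and later, or XP layout), not a vendor subfolder.
APPDATA_ROOT = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\roaming"
    r"|documents and settings\\[^\\]+\\application data)$", re.I)
# Assumed deletion commands; the article does not name the one TeslaCrypt runs.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete", re.I)

def runs_from_appdata_root(image):
    """True for an .exe placed directly in %AppData%."""
    return image.lower().endswith(".exe") and bool(APPDATA_ROOT.match(dirname(image)))

def detect(events):
    """Flag shadow-copy deletion; raise severity when the parent sits in %AppData%."""
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse within the window
    alerts = []
    for e in events:
        if not SHADOW_DELETE.search(e["cmd"]):
            continue
        parent = by_pid.get(e["ppid"])
        suspicious = parent is not None and runs_from_appdata_root(parent["image"])
        alerts.append({
            "pid": e["pid"],
            "parent": basename(parent["image"]) if parent else None,
            "severity": "high" if suspicious else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```
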



How TeslaCrypt is able to infect your computer



TeslaCrypt infects a computer when a user whose system has outdated programs browses an untrusted website that runs an exploit kit. To spread the malware, attackers hack websites and install an exploit kit on them, a special software tool that exploits weaknesses in the programs on your computer. Programs whose vulnerabilities are commonly exploited include Windows, Acrobat Reader, Adobe Flash and Java. If the exploit kit succeeds in exploiting a weakness on your computer, it installs and starts TeslaCrypt without your knowledge.



It is important to keep Windows and all other programs up to date. This protects your computer from weaknesses that could lead to infection by TeslaCrypt.



This ransomware was the first to actively target data files used by PC video games. It targets files from games and platforms such as Steam, World of Tanks, League of Legends, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty, RPG Maker and many others. It has not, however, been established whether targeting games results in increased revenue for the developers of this malware.



Versions of TeslaCrypt and related file extensions



TeslaCrypt is updated regularly to include new encryption techniques and file extensions. The first version encrypts files with the extension .ecc. In this case, the encrypted files are not paired with the data files. The TeslaDecoder tool can be used to recover the original encryption key. This is possible if the decryption key was zeroed out and a partial key was found in key.dat. It is also possible to find the decryption key in the Tesla request sent to the server.



Another version uses the encrypted file extensions .ecc and .ezz. If the encryption key was not zeroed out, it is impossible to find the original key. The encrypted files are not paired with the data files. The encryption key can be obtained from the Tesla request that was sent to the server.



For the versions that use the file extensions .ezz and .exx, the original decryption key cannot be recovered without the author's private key if the decryption key was zeroed out. Files encrypted with the extension .exx can be paired with data files. The encryption key can also be obtained from the Tesla request to the server.



Versions with the encrypted file extensions .ccc, .abc, .aaa, .zzz and .xyz do not make use of data files. The decryption key is not saved on your computer. Files can only be decrypted if the victim captured the key while it was being sent to the server. The decryption key can be retrieved from the Tesla request to the server. This is not possible for TeslaCrypt versions prior to v2.1.0.
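For incident triage, the extension groups listed in this section can be applied to a file listing to narrow down which version group encrypted the files and whether a key.dat copy should be preserved. This is an added example, not part of the original article: the group labels and the sample listing are constructed, and the groups themselves are taken from the text above.

```python
from collections import Counter
from ntpath import basename, splitext  # Windows path rules on any OS

# Version groups as this section lists them; the labels are this example's own.
GROUPS = {
    "first version": {".ecc"},
    ".ecc/.ezz version": {".ecc", ".ezz"},
    ".ezz/.exx version": {".ezz", ".exx"},
    "no-data-file versions": {".ccc", ".abc", ".aaa", ".zzz", ".xyz"},
}
KNOWN = set().union(*GROUPS.values())

def triage(paths):
    """Summarise a listing: extension counts, candidate groups, key.dat copies."""
    counts = Counter()
    key_files = []
    for path in paths:
        if basename(path).lower() == "key.dat":
            key_files.append(path)  # preserve: the first version may leave a partial key
        ext = splitext(path)[1].lower()
        if ext in KNOWN:
            counts[ext] += 1
    seen = set(counts)
    # A group is a candidate only if it accounts for every extension observed.
    candidates = [name for name, exts in GROUPS.items() if seen and seen <= exts]
    return {
        "counts": dict(counts),
        "candidates": candidates,
        "key_dat": key_files,
        # No single group explains the mix: possibly more than one infection.
        "mixed": bool(seen) and not candidates,
    }

# Constructed listing; real input would come from a directory walk or an MFT export.
LISTING = [
    r"C:\Users\ann\Documents\budget.xlsx.ezz",
    r"C:\Users\ann\Documents\notes.docx.ezz",
    r"C:\Users\ann\Saved Games\slot1.sav.exx",
    r"C:\Users\ann\AppData\Roaming\key.dat",
    r"C:\Users\ann\Pictures\cat.jpg",
]

if __name__ == "__main__":
    print(triage(LISTING))
```

A listing that contains only `.ecc` files stays ambiguous between the first two groups, and files encrypted by TeslaCrypt 4.0 carry no added extension, so this check will not see them.
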



The release of TeslaCrypt 4.0



The authors released TeslaCrypt 4.0 sometime in March 2016. A quick analysis shows that the latest version fixes a flaw that previously corrupted files larger than 4GB. This version also comes with new ransom notes and does not add an extension to encrypted files. The absence of an extension makes it harder for users to learn about TeslaCrypt and work out what happened to their files. With the new version, victims will need to follow the path outlined in the ransom notes. There are few established ways to decrypt files without an extension without a purchased decryption key or Tesla's private key. If the victim was able to capture the key while it was being transmitted to the server, the files could be decrypted.

