TeslaCrypt is a file-encrypting ransomware program that targets all Windows versions, including Windows Vista, Windows XP and Windows 7. The ransomware was first released towards the end of February 2015. TeslaCrypt infects your computer and searches for data files to encrypt.
After all your data files have been encrypted, an application is displayed that explains how to recover them. The instructions contain a link to the TOR Decryption Service website. This site shows the current ransom amount, the number of files encrypted, and how to pay the ransom so that your files can be released. The average ransom is $500, payable in Bitcoins. Each victim has their own Bitcoin address.
After TeslaCrypt is installed on your computer, it creates an executable with a random name in the %AppData% folder. The executable is launched and starts scanning the drive letters on your computer for files to encrypt. It appends an extension to the name of every supported data file it finds. The extension is determined by the version that has affected your computer; as new versions of TeslaCrypt have been introduced, the program has used different extensions for the encrypted files. TeslaCrypt currently uses the following extensions for encrypted files: .ccc, .abc, .aaa, .zzz, .xyz. You may be able to use the TeslaDecoder tool to decrypt your encrypted files free of charge. Whether this works depends on which version of TeslaCrypt infected the computer.
TeslaCrypt scans every drive letter on your computer to find files to encrypt. This includes network shares, DropBox mappings and removable drives. It only targets data files on a network share when the share is mapped as a drive letter on your computer; the ransomware cannot encrypt files on network shares that are not mapped as a drive letter. Once it has finished scanning your computer, it erases all Shadow Volume Copies so that you cannot use them to restore the affected files. The ransomware's version is indicated by the title of the application that appears after encryption.
How your computer gets infected by TeslaCrypt
TeslaCrypt infects a computer when the user visits a hacked website that hosts an exploit kit while running outdated programs. Hackers compromise websites in order to distribute the malware and install an exploit kit on them, a special software program that tries to take advantage of weaknesses in the programs on your computer. Acrobat Reader and Java are just a few of the programs that have vulnerabilities. Once the exploit kit succeeds in exploiting a weakness on your computer, it installs and starts TeslaCrypt without your knowledge.
It is important to ensure that Windows and all other programs are up to date. This will safeguard your computer from potential weaknesses that could lead to infection with TeslaCrypt.
This ransomware was the very first to actively attack data files used by PC video games. It targets files from games and platforms such as MineCraft, Steam, World of Tanks, League of Legends and Half-life 2. Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty and RPG Maker are just a handful of the many other games it targets. It has, however, not been ascertained whether targeting games results in more revenue for the developers of this malware.
Versions of TeslaCrypt and the associated file extensions
TeslaCrypt is updated frequently to include new encryption techniques and file extensions. The first version encrypts files with the extension .ecc. In this version the encrypted files are not associated with data files. TeslaDecoder can also be used to recover the encryption key that was originally used. This is possible if the decryption keys were zeroed out and a partial key was found in key.dat. The decryption keys can also be obtained from the Tesla request sent directly to the server.
Another version uses the extensions .ecc or .ezz for encrypted files. If the key was zeroed out, the original decryption key cannot be recovered without the ransomware authors' private key. The encrypted files are not associated with the data file. The encryption key can be obtained from the Tesla request that is sent to the server.
For the versions that use the extensions .ezz or .exx, the original decryption key cannot be recovered without the authors' private key. If the secret key used to decrypt the data was zeroed out, it won't be possible to retrieve the original key. Encrypted files with the extension .exx can be associated with data files. The encryption key can also be obtained from the Tesla request to the server.
The version that uses the extensions .ccc, .abc, .aaa, .zzz and .xyz for encrypted files does not use data files, and the decryption key is not stored on your computer. Files can only be decrypted if the victim captured the key while it was being sent to the server. The decryption key can be retrieved from the Tesla request to the server. This is not available for TeslaCrypt versions prior to v2.1.0.
TeslaCrypt 4.0 is now available
The authors released TeslaCrypt 4.0 sometime in March 2016. This version fixes an issue that caused affected files larger than 4GB to be corrupted. It also comes with new ransom notes and no longer adds an extension to encrypted files. The absence of an extension makes it hard for users to find out about TeslaCrypt and what has happened to their files. Victims have to rely on the ransom notes to find their way. Files without an extension cannot be decrypted without a purchased key or the TeslaCrypt authors' private key. If the user was able to capture the key while it was being transmitted to the server, the files could be decrypted.
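For incident triage, the extension-to-recovery notes in the two version sections above can be applied to a directory tree. This is an added example, not code from TeslaDecoder or from the original note; the function names and option wording are hypothetical, and the extension groups and the key.dat file name are taken from this page.

```python
import os
import sys
from collections import Counter

# Extension groups taken from the version descriptions on this page.
DATA_FILE_ERA = {".ecc", ".ezz", ".exx"}                 # versions tied to key.dat
NO_LOCAL_KEY = {".ccc", ".abc", ".aaa", ".zzz", ".xyz"}  # key never stored locally


def triage(root):
    """Count files carrying known extensions and collect key.dat paths under root."""
    counts, key_files = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in DATA_FILE_ERA or ext in NO_LOCAL_KEY:
                counts[ext] += 1
            elif name.lower() == "key.dat":
                key_files.append(os.path.join(dirpath, name))
    return counts, key_files


def recovery_options(counts, key_files):
    """Translate the findings into the recovery paths described on the page."""
    options = []
    if any(ext in DATA_FILE_ERA for ext in counts):
        if key_files:
            options.append("key.dat present: preserve it and try TeslaDecoder; "
                           "success depends on version and whether the key was zeroed")
        else:
            options.append("no key.dat: needs a captured Tesla request "
                           "or the authors' private key")
    if any(ext in NO_LOCAL_KEY for ext in counts):
        options.append("key not stored locally: only a captured Tesla request helps")
    if not counts:
        options.append("no known extension: 4.0 adds none, look for ransom notes")
    return options


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    counts, key_files = triage(root)
    print(dict(counts), key_files)
    for line in recovery_options(counts, key_files):
        print("-", line)
```

Run it against a copy or read-only mount of the affected volume so that key.dat and any ransom notes are preserved as evidence.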