History And Evolution Of TeslaCrypt Ransomware

From Camera Database

TeslaCrypt is a ransomware program that encrypts files. It is designed to run on all Windows versions, including Windows Vista, Windows XP, Windows 7 and Windows 8. This ransomware was first seen towards the end of February 2015. Once TeslaCrypt infects a computer, it searches the system for data files to encrypt.



Once all data files on the computer have been encrypted, an application window is displayed with instructions on how to recover the files. The instructions include a link to a TOR site. That site shows the current ransom amount, how many files were encrypted, and how to pay so that the files can be released. The ransom usually starts at $500 and is payable in Bitcoins; each victim is given a unique Bitcoin address.



Once TeslaCrypt is installed on the computer, it creates an executable with a random name in the %AppData% directory. The executable is launched and starts scanning the drive letters on the computer for files to encrypt. When it discovers a supported data file, it encrypts the file and appends a new extension to the file's name. The extension depends on the version of TeslaCrypt that infected the system; each new version of TeslaCrypt has introduced different extensions for encrypted files. Currently, TeslaCrypt uses the following extensions: .ccc, .abc, .aaa, .zzz, .xyz, .exx, .ezz and .ecc. Depending on which version of TeslaCrypt infected the system, TeslaDecoder may be able to decrypt the files at no cost.



Note that TeslaCrypt looks through all drive letters on the computer to identify files to encrypt. This includes network shares, DropBox mappings and removable drives. However, it can only reach data files on a network share if that share is mapped to a drive letter on the computer; if the network share has not been mapped as a drive letter, the ransomware will not encrypt the files on it. Once it has finished scanning the PC, it erases all Shadow Volume Copies so that the encrypted files cannot be restored from them. The version of the ransomware is indicated by the application title that appears after encryption.



How does your computer get infected by TeslaCrypt?



A computer is typically infected with TeslaCrypt when a user whose system runs outdated software browses a compromised website hosting an exploit kit. To distribute the malware, attackers compromise websites and install a piece of software known as an exploit kit. The kit attempts to take advantage of vulnerabilities in programs on the visitor's computer; Acrobat Reader and Java are just two of the programs with weaknesses it targets. When the exploit kit succeeds in exploiting a vulnerability, it installs and launches TeslaCrypt without the user's knowledge.



You should therefore ensure that Windows and the other programs installed on your computer are up to date. This protects you from the vulnerabilities that could otherwise lead to a TeslaCrypt infection.



This ransomware was the very first to actively attack the data files of PC video games. Minecraft, Steam, World of Tanks, League of Legends, Half-Life 2, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty and RPG Maker are just a few of the games and platforms whose files it targets. However, it has not been determined whether targeting gamers increases the revenue of the malware authors.



Versions of TeslaCrypt and the associated file extensions



TeslaCrypt is frequently updated to introduce new file extensions and encryption methods. The first version appends the extension .ecc to encrypted files. In this version the encrypted files are not paired with data files. TeslaDecoder can also be used to recover the original decryption key: this is possible even if the decryption keys were zeroed out, as long as an incomplete key is found in key.dat. The decryption key can also be recovered from the Tesla request that was sent to the server.



Another version uses the encrypted file extensions .ecc and .ezz. If the decryption key was zeroed out, it cannot be recovered without the ransomware authors' private key. The encrypted files are not paired with data files. The decryption key can be obtained from the Tesla request sent to the server.



For the version using the extensions .ezz and .exx, the original decryption key likewise cannot be recovered without the authors' private key once the decryption keys have been zeroed out. Files encrypted with the extension .exx are paired with data files. The decryption key can also be obtained from the Tesla request sent to the server.



Versions using the encrypted file extensions .ccc, .abc, .aaa, .zzz and .xyz do not use data files. The decryption key is not stored on the computer at all; files can only be decrypted if the victim captured the key while it was being transmitted to the server, that is, from the Tesla request sent to the server. This is not possible with versions prior to TeslaCrypt v2.1.0.
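The extension list above, together with the per-version groupings, is enough for a first-pass triage of a share after an incident: which TeslaCrypt extensions are present, how many files carry them, and which variant groups from the page are consistent with what was seen. The following script is an added example written for this page; it is not the page's own tooling nor part of TeslaDecoder. The variant labels and recovery notes are our paraphrase of the page's descriptions, the sample directory it builds is constructed, and it cannot see TeslaCrypt 4.0 files, which carry no extension.

```python
import os
import tempfile
from collections import Counter

# Extensions the page lists for TeslaCrypt-encrypted files.
TESLACRYPT_EXTENSIONS = {".ccc", ".abc", ".aaa", ".zzz", ".xyz", ".exx", ".ezz", ".ecc"}

# Variant groups as the page describes them. The labels are ours (assumption);
# the extension sets and the recovery notes follow the page's text.
VARIANT_GROUPS = [
    ("first release (.ecc)", {".ecc"},
     "key may be recoverable from an incomplete key.dat or a captured Tesla request"),
    ("second variant (.ecc/.ezz)", {".ecc", ".ezz"},
     "a zeroed key is recoverable only from a captured Tesla request"),
    ("third variant (.ezz/.exx)", {".ezz", ".exx"},
     "a zeroed key is recoverable only from a captured Tesla request"),
    ("later variants (.ccc family)", {".ccc", ".abc", ".aaa", ".zzz", ".xyz"},
     "key is never stored locally; only a captured Tesla request helps"),
]


def encrypted_extension(filename):
    """Return the TeslaCrypt extension appended to filename, or None.

    TeslaCrypt appends its extension after the original one, so
    'report.docx.ccc' yields '.ccc' while 'notes.txt' yields None.
    """
    ext = os.path.splitext(filename)[1].lower()
    return ext if ext in TESLACRYPT_EXTENSIONS else None


def inventory(root):
    """Walk root and count files per TeslaCrypt extension.

    Only known extensions are counted, so an empty Counter means no
    encrypted files were found under root.
    """
    hits = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = encrypted_extension(name)
            if ext:
                hits[ext] += 1
    return hits


def candidate_variants(observed_extensions):
    """Return labels of variant groups whose extension set covers what was seen.

    A mix that no single group explains (e.g. .ecc together with .exx)
    returns an empty list, flagging that more than one infection or an
    unknown variant may be involved.
    """
    observed = set(observed_extensions)
    if not observed:
        return []
    return [label for label, exts, _note in VARIANT_GROUPS if observed <= exts]


def recovery_notes(labels):
    """Map each candidate label to the page's note on key recovery."""
    return {label: note for label, _exts, note in VARIANT_GROUPS if label in labels}


def build_sample_tree(root):
    """Constructed sample: a small share after an incident (not real data)."""
    layout = {
        "docs/report.docx.ccc": b"",
        "docs/budget.xlsx.ccc": b"",
        "docs/notes.txt": b"still readable",
        "media/holiday.jpg.zzz": b"",
        "readme.txt": b"ransom note placeholder",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = inventory(tmp)
        variants = candidate_variants(hits.keys())
        return dict(hits), variants


if __name__ == "__main__":
    counts, variants = demo()
    print("encrypted files by extension:", counts)
    for label, note in recovery_notes(variants).items():
        print(f"{label}: {note}")
```

Point `inventory()` at a mapped share or a mounted disk image rather than the temp tree to use it on real data; the counts also give a quick measure of how far the encryption pass got before Shadow Volume Copies were removed.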



The release of TeslaCrypt 4.0



The authors released TeslaCrypt 4.0 sometime in March 2016. A brief analysis shows that the new version fixes a bug that previously corrupted files larger than 4GB. It also comes with new ransom notes and no longer appends an extension to encrypted files. The absence of an extension makes it harder for users to learn that TeslaCrypt is involved and what has happened to their files. With this version, victims have to follow the path laid out in the ransom notes. Files with no extension cannot be decrypted without a purchased key or the authors' private key. The files can still be decrypted if the victim captured the key as it was being sent to the server during encryption.