The History And Development Of TeslaCrypt Ransomware Virus

From Bot's DB

TeslaCrypt is file-encrypting ransomware that runs on all Windows versions in use at the time, including Windows XP, Windows Vista, Windows 7 and Windows 8. It was first released at the end of February 2015. Once it infects a computer it searches for data files and encrypts them.



Once the data files on your computer have been encrypted, a program window is displayed with instructions on how to recover them. The instructions include a link to a decryption service site hosted on TOR. That site shows the current ransom amount, the number of files that were encrypted and how to pay to have the files released. The ransom is typically around $500, paid in Bitcoin, and each victim is given a different Bitcoin address.



Once TeslaCrypt is installed, it creates a randomly named executable in the %AppData% directory. That executable launches and scans the computer's drive letters for files it can encrypt. When it finds a supported data file it encrypts it and appends a new extension to the file name. Which extension is used depends on the version of TeslaCrypt that infected the system; each new release has introduced different extensions for encrypted files. The extensions seen so far are .ccc, .abc, .aaa, .zzz, .xyz, .exx, .ezz and .ecc. Depending on which version infected the computer, TeslaDecoder may be able to decrypt the files free of charge.



TeslaCrypt examines every drive letter on the computer for files to encrypt, which includes removable drives, DropBox folders and network shares. It only reaches a network share when that share is mapped to a drive letter; a share that has not been mapped is left alone. After the scan, the ransomware deletes all Shadow Volume Copies so that the encrypted files cannot be restored from them. The title of the window displayed after encryption indicates which version of the ransomware is involved.
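As an added example (not code from this page or from any TeslaCrypt tooling), the following Python script turns the behaviours described in the two paragraphs above into triage rules run over process-creation and file-create events: a randomly named executable launched from %AppData%, files being written with one of the listed extensions (including on a mapped network drive), and deletion of Shadow Volume Copies. The key=value event format, the sample log lines, the drive letters and the shadow-copy deletion commands (vssadmin/wmic) are constructed assumptions for illustration; the page only says the copies are deleted, not which command TeslaCrypt runs.

```python
import re

# Extensions the page lists for TeslaCrypt-encrypted files.
TESLACRYPT_EXTENSIONS = {".ccc", ".abc", ".aaa", ".zzz", ".xyz", ".exx", ".ezz", ".ecc"}

# Generic shadow-copy deletion commands (assumption: the page only says the
# copies are deleted, not which command this family runs).
SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)

# A randomly named executable sitting directly in %AppData% (Roaming). The
# "6+ alphanumerics" name shape is a heuristic assumption, not an indicator from the page.
APPDATA_EXE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\[A-Za-z0-9]{6,}\.exe$", re.IGNORECASE
)

# Constructed sample events in a simple key=value format (not real telemetry).
# EventID=1 is a process creation, EventID=11 a file creation, mirroring Sysmon's numbering.
SAMPLE_LOG = [
    r'EventID=1 Image=C:\Users\alice\AppData\Roaming\kqzwvbtr.exe CommandLine="C:\Users\alice\AppData\Roaming\kqzwvbtr.exe" ParentImage=C:\Windows\explorer.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\Users\alice\AppData\Roaming\kqzwvbtr.exe',
    r'EventID=11 Image=C:\Users\alice\AppData\Roaming\kqzwvbtr.exe TargetFilename=C:\Users\alice\Documents\report.docx.ecc',
    r'EventID=11 Image=C:\Users\alice\AppData\Roaming\kqzwvbtr.exe TargetFilename=Z:\finance\budget.xlsx.ezz',
    r'EventID=1 Image="C:\Program Files\Microsoft Office\WINWORD.EXE" CommandLine="WINWORD.EXE /n" ParentImage=C:\Windows\explorer.exe',
    r'EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\Documents\notes.txt',
]

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line (values may be double-quoted) into a dict."""
    return {key: quoted if quoted else bare for key, quoted, bare in _FIELD.findall(line)}


def triage(lines):
    """Apply the three rules to each event and return a list of findings.

    Each finding records the 1-based line number, the rule that fired, the
    evidence string, and whether the event was the %AppData% dropper itself or
    one of its children (the vssadmin call in the sample is a child).
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        ev = parse_event(line)
        image_is_dropper = bool(APPDATA_EXE.match(ev.get("Image", "")))
        parent_is_dropper = bool(APPDATA_EXE.match(ev.get("ParentImage", "")))

        def record(rule, evidence):
            findings.append({"line": line_no, "rule": rule, "evidence": evidence,
                             "from_dropper": image_is_dropper or parent_is_dropper})

        if ev.get("EventID") == "1":
            if image_is_dropper:
                record("appdata_random_exe", ev["Image"])
            if SHADOW_DELETE.search(ev.get("CommandLine", "")):
                record("shadow_copy_deletion", ev["CommandLine"])
        elif ev.get("EventID") == "11":
            target = ev.get("TargetFilename", "")
            ext = target[target.rfind("."):].lower() if "." in target else ""
            if ext in TESLACRYPT_EXTENSIONS:
                record("teslacrypt_extension", target)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} (from dropper: {f['from_dropper']}) -> {f['evidence']}")
```

The fourth sample event is a file written to the mapped drive Z:, which is how a share becomes reachable for the ransomware; an unmapped UNC share would never appear in these events. The from_dropper flag is what lets a responder tie the vssadmin call back to the executable in %AppData% rather than treating it as an administrator's housekeeping.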



How does your computer get infected by TeslaCrypt



TeslaCrypt infects a computer when the user visits a compromised website hosting an exploit kit while running outdated software. Attackers break into websites and install an exploit kit, a software package that tries to exploit vulnerabilities in the programs on the visitor's computer. The programs typically targeted are Windows itself, Acrobat Reader, Adobe Flash and Java. Once the exploit kit has successfully exploited a vulnerability, it automatically installs and starts TeslaCrypt without any user interaction.



You should therefore keep Windows and all other installed programs up to date. Doing so closes the vulnerabilities that exploit kits rely on and reduces the chance of a TeslaCrypt infection.



TeslaCrypt was the first ransomware to actively target data files used by PC video games. It goes after files belonging to games such as Minecraft, Steam titles, World of Tanks, League of Legends, Half-Life 2, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty and RPG Maker, among many others. Whether targeting game files actually brings the malware's developers more revenue has not been established.



Versions of TeslaCrypt and the associated file extensions



TeslaCrypt is updated regularly with new file extensions and changes to its encryption scheme. The first version encrypts files with the .ecc extension. In this version the encrypted files are not tied to a data file. TeslaDecoder can also recover the original key for this version: even when the key stored on the computer was zeroed out, recovery is possible if a partial key is found in key.dat. The key may also be found in the request TeslaCrypt sent to its server, if that traffic was captured.



A second version produces encrypted files with the .ecc and .ezz extensions. If the stored key was zeroed out, the original key cannot be recovered from the computer. The encrypted files are not tied to a data file. The key is, however, included in the request sent to the server, so it can be recovered from captured traffic.



For the versions that use the .ezz and .exx extensions, the original key cannot be recovered without the authors' private key once the stored key has been zeroed out. Encrypted files with the .exx extension are tied to a data file. The key can again be obtained from the request TeslaCrypt sends to its server, if it was captured.



The versions that use the .ccc, .abc, .aaa, .zzz and .xyz extensions do not use a data file, and the key is not stored on the computer at all. Files from these versions can only be decrypted if the victim captured the key while it was being transmitted to the server; the key is contained in the request TeslaCrypt sends. This recovery route does not apply to TeslaCrypt versions before v2.1.0.



Release of TeslaCrypt 4.0



The authors released TeslaCrypt 4.0 in March 2016. A quick review shows that this version fixes a bug that corrupted files larger than 4 GB, ships new ransom notes and no longer appends an extension to encrypted files. Because the file name no longer changes, it is harder for victims to tell which files were affected and which TeslaCrypt variant they are dealing with; the ransom notes are the main clue for identifying it. Files encrypted by this version cannot be decrypted without the key purchased from the attackers or the authors' private key, unless the victim captured the key while it was being sent to the server during encryption.
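Because TeslaCrypt 4.0 leaves the file name unchanged, checking for the known extensions no longer identifies affected files. As an added example (not code from this page or from any TeslaCrypt tool), the following Python script shows a content-based heuristic a responder can use instead: compare each file's leading bytes with the magic bytes expected for its extension, and fall back to a Shannon-entropy check for types without a known header. The magic-byte table, the entropy threshold and the in-memory sample files are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter

# Magic bytes expected at offset 0 for a few common extensions (assumption: a
# small illustrative table, not a complete file-type database).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}

# Entropy (bits per byte) above which an untyped file is treated as ciphertext.
# Compressed formats also score high, which is why typed files use magic bytes first.
ENTROPY_THRESHOLD = 7.0
SAMPLE_BYTES = 4096  # only the head of each file is examined


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name, data):
    """Return (suspicious, reason) for one file based on its name and leading bytes."""
    head = data[:SAMPLE_BYTES]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    entropy = shannon_entropy(head)
    expected = MAGIC.get(ext)
    if expected is not None:
        if head.startswith(expected):
            return False, f"{ext} header present (entropy {entropy:.2f})"
        return True, f"{ext} header missing (entropy {entropy:.2f})"
    if entropy > ENTROPY_THRESHOLD:
        return True, f"no known header, high entropy {entropy:.2f}"
    return False, f"no known header, entropy {entropy:.2f}"


def scan(files):
    """Run looks_encrypted over a {name: bytes} mapping; returns {name: (suspicious, reason)}."""
    return {name: looks_encrypted(name, data) for name, data in files.items()}


def _random_bytes(seed, n):
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed test data)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


# Constructed in-memory sample files; none of these come from a real infection.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n" + b"lorem ipsum dolor sit amet\n" * 100,  # intact document
    "budget.xlsx": _random_bytes(1, 2048),                                # header overwritten
    "photo.png": b"\x89PNG\r\n\x1a\n" + _random_bytes(2, 2048),           # intact, high entropy
    "notes.txt": b"meeting notes\n" * 50,                                 # untyped, plain text
    "keys.bin": _random_bytes(3, 2048),                                   # untyped, ciphertext-like
}

if __name__ == "__main__":
    for name, (suspicious, reason) in scan(SAMPLE_FILES).items():
        print(f"{'SUSPECT' if suspicious else 'ok     '} {name}: {reason}")
```

The PNG sample is the reason the heuristic checks the header before the entropy: image and Office files are compressed and score almost as high as ciphertext, so entropy alone would produce false positives across a whole user profile, whereas a missing header on a file whose extension promises one is a much stronger signal that its contents were replaced.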