History And Evolution Of TeslaCrypt Ransomware

TeslaCrypt is a file-encrypting ransomware program that targets all Windows versions, including Windows XP, Windows Vista and Windows 7. The program was first seen around the end of February 2015. Once it has infected your computer, TeslaCrypt searches for data files and encrypts them with AES encryption so that you can no longer open them. After all your data files have been encrypted, a program window is displayed with details on how to recover them. The instructions contain a link to a TOR Decryption Service site, which shows the current ransom amount, the number of files encrypted, and the method you can use to pay so that your files are released. The ransom typically starts at $500 and is paid in Bitcoin; each victim is given a unique Bitcoin address.

Once TeslaCrypt is installed on your computer, it creates a randomly named executable in the %AppData% directory. The executable starts, scans your computer's drive letters for files to encrypt, encrypts each data file it locates and appends an extension to the file name. The extension depends on the version that is affecting your computer, and each new release of TeslaCrypt has used different extensions for encrypted files. TeslaCrypt currently uses the following extensions for encrypted files: .ccc, .abc, .aaa, .zzz and .xyz. Depending on which version of TeslaCrypt infected you, TeslaDecoder can decrypt the encrypted files at no cost.

It is important to note that TeslaCrypt searches all drive letters on your computer for files to encrypt, including network shares, DropBox mappings and removable drives. However, it only targets data files on a network share when that share is mapped to a drive letter on your computer; the ransomware cannot encrypt files on a network share that is not mapped as a drive letter. Once TeslaCrypt has finished scanning your PC, it deletes all Shadow Volume Copies so that you cannot use them to restore the encrypted files. The title of the program window displayed after your computer has been encrypted indicates the ransomware's version.

How TeslaCrypt infects your computer

TeslaCrypt is typically installed when a user whose computer runs outdated programs visits a compromised website hosting an exploit kit. To distribute this malware, attackers hack websites and install a software package known as an exploit kit, which tries to exploit vulnerabilities in the programs on your computer; Acrobat Reader and Java are among the programs with known weaknesses. Once the exploit kit has successfully exploited a vulnerability on your computer, it automatically installs and launches TeslaCrypt. You should therefore keep Windows and your other installed programs up to date, which helps you avoid the vulnerabilities that could lead to a TeslaCrypt infection.

This ransomware was the first of its kind to deliberately target data files used by PC video games. It targets game files from games such as Minecraft, Steam, World of Tanks, League of Legends, Half-Life 2, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty, RPG Maker and many more. However, it has not been determined whether targeting gamers increases the revenue of the malware's creators.

Versions of TeslaCrypt and the associated file extensions

TeslaCrypt is regularly updated with new encryption methods and file extensions.

The initial version encrypts files using the extension .ecc. In this version the encrypted files are not paired with data files. TeslaDecoder can also be used to recover the original encryption key; this is possible if the keys used to decrypt were zeroed out and a partial key was found in key.dat. The decryption key can also be found in the Tesla request to the server.

A second version uses the encrypted file extensions .ecc and .ezz. If the encryption key was not zeroed out, it is impossible to recover the original key. The encrypted files are again not paired with data files. Decryption keys can be obtained from the Tesla request sent to the server.

For the version with the file extensions .ezz and .exx, the original encryption key cannot be recovered without the author's private key when the decryption keys were zeroed out. Encrypted files with the .exx extension are paired with data files. The decryption key can also be obtained from the Tesla request to the server.

The version with the encrypted file extensions .ccc, .abc, .aaa, .zzz and .xyz does not use data files, and the decryption key is not stored on your computer. Files can only be decrypted if the victim recorded the key while it was being transmitted to the online server. The decryption key can be retrieved from the Tesla request to the server, but this is not possible for TeslaCrypt versions after v2.1.0.

Release of TeslaCrypt 4.0

The authors released TeslaCrypt 4.0 in March 2016. A brief analysis shows that the new version fixes a bug that previously corrupted files larger than 4 GB. It also contains new ransom notes and no longer adds an extension to encrypted files. Because there is no extension, it is harder for users to find out about TeslaCrypt or what happened to their files; with this version, victims have to follow the path described in the ransom notes. Files without an extension cannot be decrypted without a purchased key or the TeslaCrypt author's private key. They can be decrypted if the victim captured the key as it was being sent to the server during encryption.
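As an added defender-side illustration (not from this page or from any TeslaCrypt tooling), the following Python flags a process that writes a burst of files carrying the extensions listed above within a short window; because version 4.0 adds no extension, it also applies a plain write-volume rule per process. The event format, the file paths and the process name ahjsdk.exe are constructed for the example.

```python
"""Flag a TeslaCrypt-style encryption burst in file-write events.
Event format (constructed for this example): <unix_ts> <pid> <process> <path>"""
import re
from collections import defaultdict

# Extensions the page lists across TeslaCrypt releases (v4.0 adds none).
TESLACRYPT_EXTENSIONS = (".ecc", ".ezz", ".exx", ".ccc", ".abc", ".aaa", ".zzz", ".xyz")
EVENT_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(.+)$")

# Constructed sample: a benign process plus a randomly named executable (as the
# page describes) that rewrites eight documents with .ecc within 8 seconds.
SAMPLE_EVENTS = [
    r"1000 412 explorer.exe C:\Users\alice\Documents\report.docx",
    r"1001 412 explorer.exe C:\Users\alice\Pictures\cat.jpg",
] + [
    rf"{1010 + i} 9001 ahjsdk.exe C:\Users\alice\Documents\file{i}.docx.ecc"
    for i in range(8)
]

def parse_events(lines):
    """Parse event lines into (ts, pid, process, path); malformed lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events

def find_bursts(events, window=10, min_known=5, min_total=50):
    """Return {pid: (process, known_ext_writes, total_writes)} for each process
    that, within `window` seconds, wrote >= min_known files carrying a TeslaCrypt
    extension or >= min_total files of any name (the volume rule is what can
    catch v4.0, which leaves encrypted files without an extension)."""
    by_pid = defaultdict(list)
    for ts, pid, proc, path in events:
        by_pid[pid].append((ts, proc, path))
    hits = {}
    for pid, evs in by_pid.items():
        evs.sort()
        for i, (start, proc, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            known = sum(1 for _, _, p in in_window
                        if p.lower().endswith(TESLACRYPT_EXTENSIONS))
            if known >= min_known or len(in_window) >= min_total:
                hits[pid] = (proc, known, len(in_window))
                break  # one alert per process is enough
    return hits
```

Thresholds are illustrative; tune `window`, `min_known` and `min_total` against the normal write rate of backup agents and indexers in your own environment.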