History And Evolution Of TeslaCrypt Ransomware Virus

From Hikvision Guides

TeslaCrypt is a file-encrypting ransomware program that targets all Windows versions, including Windows XP, Windows Vista, Windows 7 and Windows 8. It was first released towards the end of February 2015. Once it infects a computer, TeslaCrypt searches for data files and encrypts them with AES so that they can no longer be opened.



As soon as all the data files on the computer have been encrypted, an application window is displayed that explains how to retrieve the files. The instructions contain a link to a TOR Decryption Service site, which shows the current ransom amount, the number of files that have been encrypted and how to pay so that the files are released. The ransom usually starts at $500 and is payable in Bitcoin, with a different Bitcoin address for each victim.



Once TeslaCrypt is installed, it creates a randomly named executable in the %AppData% folder. That executable is launched and begins scanning the computer's drive letters for files to encrypt. When it finds a supported data file, it encrypts it and appends a new extension to the file name. The extension depends on the variant that infected the computer, and each new TeslaCrypt variant has used different extensions for encrypted files. Currently, TeslaCrypt uses the following extensions: .ccc, .abc, .aaa, .zzz, .xyz, .exx, .ezz and .ecc. Depending on the version of TeslaCrypt that encrypted the files, the TeslaDecoder tool may be able to decrypt them free of charge.



Note that TeslaCrypt scans all drive letters on the computer for files to encrypt, including network shares, Dropbox mappings and removable drives. However, it only targets data files on a network share if that share is mapped to a drive letter on the computer; files on unmapped network shares are not encrypted. Once it has finished scanning, it erases all Shadow Volume Copies so that the affected files cannot be restored from them. The title of the application window displayed after encryption indicates the ransomware's version.



How your computer gets infected with TeslaCrypt



TeslaCrypt infects a computer when a user whose computer has outdated programs visits a compromised website that runs an exploit kit. The malware's distributors hack websites and install an exploit kit, a software package that tries to take advantage of vulnerabilities in the programs installed on the visitor's computer. Programs whose vulnerabilities are commonly exploited include Windows, Acrobat Reader, Adobe Flash and Java. Once the exploit kit successfully exploits a vulnerability, it installs and launches TeslaCrypt without the user's knowledge.



You should therefore ensure that Windows and your other installed programs are kept up to date. This protects you against the vulnerabilities that could otherwise lead to a TeslaCrypt infection.



This ransomware was the first of its kind to actively target data files used by PC video games. It targets game files for Minecraft, Steam, World of Tanks, League of Legends, Half-Life 2, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty, RPG Maker and many others. It has, however, not been established whether targeting games increases revenue for the malware's developers.



Versions of TeslaCrypt and associated file extensions



TeslaCrypt is updated regularly to incorporate new file extensions and encryption techniques. The first version encrypts files with the extension .ecc. In this version, the encrypted files are not paired with data files. The TeslaDecoder tool can be used to recover the original decryption key if the key was zeroed out but a partial key is found in key.dat. The decryption key can also be recovered from the Tesla request sent to the server.



Another version uses the encrypted file extensions .ecc and .ezz. If the decryption key was zeroed out, the original key cannot be recovered without the ransomware authors' private key. The encrypted files are again not paired with the data file. The decryption key can be obtained from the Tesla request sent to the server.



For the version using the extensions .ezz and .exx, the original decryption key likewise cannot be recovered without the authors' private key if it was zeroed out. Encrypted files with the .exx extension are paired with data files. The decryption key can also be obtained from the Tesla request sent to the server.



The version using the encrypted file extensions .ccc, .abc, .aaa, .zzz and .xyz does not use data files, and the decryption key is not stored on the computer. Files can only be decrypted if the victim captured the key as it was being sent to the server, that is, the decryption key can be retrieved from the Tesla request to the server. This is no longer possible for versions after TeslaCrypt v2.1.0.
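As an added illustration (not part of the original page), the following Python script triages a set of file names by the TeslaCrypt extensions listed above and reports which version family they are consistent with, together with the recovery note the page gives for that family. The extension-to-version mapping and the notes come from the text above; the short family labels, the helper function names and the sample file list are constructed for this example. Because .ecc and .ezz appear in more than one version, the script returns every family consistent with the observed extensions rather than guessing one, and it cannot detect TeslaCrypt 4.0, which leaves encrypted files without an extension.

```python
"""Triage files by TeslaCrypt extension and map them to the version families
described on this page.  Added example, not from the original page."""
import os
from collections import Counter
from pathlib import PurePath

# Extension-to-version mapping taken from the page; the short family labels
# (the dict keys) are constructed for this example.
FAMILIES = {
    "early (.ecc only)": {".ecc"},
    "ecc/ezz": {".ecc", ".ezz"},
    "ezz/exx": {".ezz", ".exx"},
    "v2.x (.ccc/.abc/.aaa/.zzz/.xyz)": {".ccc", ".abc", ".aaa", ".zzz", ".xyz"},
}

# Recovery notes paraphrased from the page, one per family.
RECOVERY_NOTES = {
    "early (.ecc only)":
        "TeslaDecoder may recover the key from a partial key in key.dat, "
        "or from a captured Tesla request to the server.",
    "ecc/ezz":
        "Key not recoverable without the authors' private key if zeroed out; "
        "otherwise from a captured Tesla request to the server.",
    "ezz/exx":
        "As ecc/ezz; .exx files are paired with data files.",
    "v2.x (.ccc/.abc/.aaa/.zzz/.xyz)":
        "Key is not stored locally; only a captured Tesla request helps, "
        "and not for versions after v2.1.0.",
}

TESLACRYPT_EXTENSIONS = set().union(*FAMILIES.values())


def teslacrypt_extension(name):
    """Return the TeslaCrypt extension on a file name (lower-cased), or None."""
    ext = PurePath(name).suffix.lower()
    return ext if ext in TESLACRYPT_EXTENSIONS else None


def count_extensions(names):
    """Count how many file names carry each TeslaCrypt extension."""
    counts = Counter()
    for name in names:
        ext = teslacrypt_extension(name)
        if ext:
            counts[ext] += 1
    return counts


def candidate_families(observed):
    """Families whose extension set explains every observed extension.

    .ecc and .ezz belong to more than one family, so a single observed
    extension can yield several candidates; a mix that no family covers
    yields an empty list.
    """
    observed = set(observed)
    if not observed:
        return []
    return [family for family, exts in FAMILIES.items() if observed <= exts]


def triage(names):
    """Summarise a list of file names: extension counts, candidate families
    and the page's recovery note for each candidate."""
    counts = count_extensions(names)
    families = candidate_families(counts)
    return {
        "counts": dict(counts),
        "families": families,
        "notes": {f: RECOVERY_NOTES[f] for f in families},
        # Files renamed without any extension (TeslaCrypt 4.0) are
        # invisible to an extension-based check.
        "caveat": "TeslaCrypt 4.0 adds no extension and is not detected here.",
    }


def triage_directory(root):
    """Walk a directory tree and triage every file name found in it."""
    names = []
    for dirpath, _dirs, files in os.walk(root):
        names.extend(os.path.join(dirpath, f) for f in files)
    return triage(names)


# Constructed sample file names standing in for a scanned user profile.
SAMPLE_FILES = [
    "C:/Users/alice/Documents/report.docx.ecc",
    "C:/Users/alice/Pictures/holiday.JPG.ECC",
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Desktop/notes.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_FILES)
    print("encrypted files by extension:", result["counts"])
    print("consistent version families:", result["families"])
    for family, note in result["notes"].items():
        print(f"  {family}: {note}")
    print(result["caveat"])
```

Run it against a real tree with `triage_directory(r"C:\Users\alice")`; the sample run reports two .ecc files and lists both the early .ecc-only version and the .ecc/.ezz version as candidates, since a single .ecc file cannot tell them apart.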



Release of TeslaCrypt 4.0



The authors released TeslaCrypt 4.0 in March 2016. A brief analysis shows that the new version fixes a bug that previously corrupted files larger than 4GB. It also uses new ransom notes and no longer adds an extension to encrypted files. The absence of an extension makes it harder for users to discover TeslaCrypt and work out what happened to their files; victims have to follow the paths set out in the ransom notes. There are few established ways to decrypt files with no extension without a purchased decryption key or Tesla's private key. The files can be decrypted if the victim captured the key as it was being sent to the server during encryption.