History And Development Of TeslaCrypt Ransomware

TeslaCrypt is a file-encrypting ransomware program that targets all Windows versions, including Windows XP, Windows Vista and Windows 7. It was first seen towards the end of February 2015. Once it infects a PC, TeslaCrypt searches for data files and encrypts them with AES so that they can no longer be opened. After every data file on the computer has been encrypted, it displays an application window with instructions on how to recover the files. The instructions contain a link to a TOR Decryption Service site, which shows the current ransom amount, the number of files that were encrypted, and the method for paying so that the files can be released. The ransom typically starts at $500 and can be paid in Bitcoins; each victim is given a different Bitcoin address.

When TeslaCrypt is installed, it creates a randomly named executable in the %AppData% directory. That executable runs, scans the computer's drive letters for supported data files, encrypts each one it finds and appends an extension to the file name. Which extension is used depends on the variant that infected the computer, and new versions of TeslaCrypt have introduced new extensions for encrypted files. TeslaCrypt currently uses the following extensions for encrypted files: .ccc, .abc, .aaa, .zzz and .xyz. Depending on which version of TeslaCrypt is involved, TeslaDecoder can be used to decrypt the files at no cost.

TeslaCrypt examines every drive letter on the computer when looking for files to encrypt, including mapped network shares, DropBox mappings and removable drives. Data files on a network share are only targeted when the share is mapped to a drive letter; the ransomware will not encrypt files on a network share that is not mapped to a drive letter. After scanning the computer, the ransomware deletes all Shadow Volume Copies so that the encrypted files cannot be restored from them. The title of the application window shown after encryption finishes reveals the version of the ransomware.

How does your computer get infected with TeslaCrypt

TeslaCrypt infects computers when a user running outdated software visits a hacked website that hosts an exploit kit. Attackers compromise websites and install an exploit kit, a tool that exploits vulnerabilities in the programs on the visitor's computer; Acrobat Reader and Java are among the programs whose vulnerabilities are used. Once the exploit kit succeeds in exploiting a vulnerability, it installs and launches TeslaCrypt without the user's knowledge. Keeping Windows and all installed programs up to date therefore closes the vulnerabilities that lead to a TeslaCrypt infection.

This ransomware was the first to target data files used by PC video games. It targets game files from Steam, World of Tanks, League of Legends, Diablo, Fallout 3, Skyrim, Dragon Age, Call of Duty, RPG Maker and many others. It has not been established whether targeting games results in increased profits for the malware's developers.

Versions of TeslaCrypt, and the associated file extensions

TeslaCrypt is constantly updated with new encryption methods and file extensions, so what can be recovered depends on the version:

.ecc (initial version): encrypted files are not coupled with data files. TeslaDecoder can recover the original decryption key if the key was not zeroed out, or if it was zeroed out but a partial key is present in key.dat. The key can also be found in the Tesla request sent to the server.

.ecc or .ezz: encrypted files are not coupled with data files. If the key was zeroed out, the original key cannot be recovered. The key can be obtained from the Tesla request sent to the server.

.ezz or .exx: files encrypted with the .exx extension are coupled with data files. If the decryption key was zeroed out, the original keys cannot be recovered without the authors' private key. The key can also be obtained from the Tesla request sent to the server.

.ccc, .abc, .aaa, .zzz and .xyz: no data files are used, and the decryption key is not saved on the computer. The files can only be decrypted if the victim captured the key while it was being transmitted to the server, and recovering the key from that Tesla request is only possible for TeslaCrypt versions prior to v2.1.0.

TeslaCrypt 4.0 is now available

The authors released TeslaCrypt 4.0 in March 2016. The new version fixes a bug that corrupted files larger than 4GB, ships new ransom notes, and no longer appends an extension to encrypted files. The absence of an extension makes it harder for victims to work out which ransomware hit them and what happened to their files; with this version, victims have to follow the path laid out in the ransom notes. There is no established way to decrypt files that carry no extension without a purchased decryption key or the authors' private key, unless the victim captured the key while it was being sent to the server, in which case the files can be decrypted.
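The version table above is what an incident responder actually reaches for first: which extension the encrypted files carry tells you which family hit the machine and whether any free recovery route exists. The following Python script is an added example, not code from the original page or from TeslaDecoder; it walks a directory tree (a local drive and a mapped share, laid out as the page describes), classifies files by the TeslaCrypt extensions the page lists, recovers the original file name by stripping the appended extension, and attaches a condensed version of the page's recovery note for each family. The family labels, the wording of the notes and the sample file tree are assumptions constructed for the example. Files encrypted by TeslaCrypt 4.0 keep their original name, so this name-based triage cannot see them; that limitation is the point of the last comment in the block.

```python
"""Triage helper for TeslaCrypt-encrypted files, classified by appended extension.

Added example; not part of the original page and not TeslaDecoder's code.
The recovery notes are a condensed form of the page's version table.
"""
import os
import tempfile
from collections import Counter

# Extension -> (version family label, recovery note). Labels and note wording
# are assumptions for this example; the facts come from the page's table.
_LATE_FAMILY = (
    "ccc/abc/aaa/zzz/xyz",
    "key is never written to disk; only a Tesla request captured in transit "
    "helps, and only for versions prior to v2.1.0",
)
TESLACRYPT_EXTENSIONS = {
    ".ecc": ("ecc", "TeslaDecoder: key.dat (even a partial, zeroed-out key) "
                    "or the captured Tesla request"),
    ".ezz": ("ecc/ezz", "captured Tesla request; a zeroed-out key is unrecoverable"),
    ".exx": ("ezz/exx", "encrypted file is coupled with a data file; "
                        "captured Tesla request"),
    **{ext: _LATE_FAMILY for ext in (".ccc", ".abc", ".aaa", ".zzz", ".xyz")},
}


def classify(filename):
    """Return (family, note) if the name ends in a TeslaCrypt extension, else None."""
    ext = os.path.splitext(filename)[1].lower()
    return TESLACRYPT_EXTENSIONS.get(ext)


def original_name(filename):
    """Strip the appended extension: 'report.docx.ecc' -> 'report.docx'."""
    ext = os.path.splitext(filename)[1]
    return filename[:-len(ext)] if ext else filename


def triage(root):
    """Walk root and return (Counter of families, list of (path, original name, note)).

    Only extension-based hits are reported. TeslaCrypt 4.0 keeps the original
    file name, so its output is invisible to this walk and must be identified
    from the ransom notes instead.
    """
    families = Counter()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = classify(name)
            if match is None:
                continue
            family, note = match
            families[family] += 1
            hits.append((os.path.join(dirpath, name), original_name(name), note))
    return families, hits


def build_sample_tree():
    """Create a constructed directory tree mirroring the page's description:
    documents and game saves on the local drive plus a mapped share (Z:).
    Contents are placeholder bytes, not real encrypted data."""
    root = tempfile.mkdtemp(prefix="teslacrypt-triage-")
    layout = {
        "C/Users/victim/Documents": ["report.docx.ecc", "budget.xlsx.ECC", "notes.txt"],
        "C/Users/victim/Saved Games/Skyrim": ["save1.ess.ccc", "save2.ess.ccc"],
        "Z/share/finance": ["q1.pdf.xyz", "readme.md"],
    }
    for sub, names in layout.items():
        directory = os.path.join(root, sub)
        os.makedirs(directory)
        for name in names:
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(b"constructed placeholder content")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    counts, found = triage(sample_root)
    for family, n in counts.items():
        print(f"{family}: {n} file(s)")
    for path, original, note in sorted(found):
        print(f"  {path}\n    original: {original}\n    recovery: {note}")
```

Run it against a mounted image or the victim's mapped drives instead of the sample tree; the per-family count is what decides whether TeslaDecoder is worth trying before anyone considers paying.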