TeslaCrypt

One example of the TeslaCrypt variant.

Image Source: Kaspersky Lab

TeslaCrypt targets all versions of the Windows OS and spreads via exploit kits such as Angler, Sweet Orange, and Nuclear. In addition to scanning all system drives for files to encrypt, including removable drives, network shares, and Dropbox mappings, TeslaCrypt attempts to delete all Volume Shadow Copies and system restore points to prevent file recovery. It can also detect whether it is running in a virtual environment before fully executing, in order to hinder analysis by security researchers and law enforcement.

Files encrypted by TeslaCrypt currently display the following extensions: .aaa, .abc, .ccc, .ecc, .exx, .micro, .mp3, .ttt, .vvv, .xxx, .xyz, .zzz. Note that .mp3 and .abc are also legitimate file extensions, so an extension match alone is not proof of infection. In addition to Bitcoin, ransom payment is accepted via PayPal My Cash, according to a post on Bleeping Computer. Multiple variants of TeslaCrypt are currently in circulation. The most recent version, TeslaCrypt 4.1A, targets new file extensions and uses sophisticated anti-analysis and evasion techniques, according to Endgame, Inc.
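The extension list above is the first thing an incident responder reaches for when triaging a suspected infection. The following Python script is an added example written for this page (it is not code from the page, from Talos, Bitdefender, ESET or any other vendor named here): it walks a directory tree, flags files carrying one of the listed extensions, and handles the two extensions that legitimate files also use. For .mp3 it skips files whose first bytes look like real audio (an ID3v2 tag or an MPEG frame sync); for .mp3 and .abc it additionally assumes, as most TeslaCrypt write-ups report, that the malware appends its extension to the full original filename, so an encrypted file normally keeps its original extension underneath (report.docx.vvv). The sample tree it builds is constructed test data, not real malware output.

```python
"""Triage scanner for TeslaCrypt-style encrypted files (added example, not page code)."""
import os
import tempfile
from collections import defaultdict
from typing import Dict, List, Optional

# Extensions the page lists for files encrypted by TeslaCrypt variants.
TESLACRYPT_EXTENSIONS = frozenset({
    ".aaa", ".abc", ".ccc", ".ecc", ".exx", ".micro",
    ".mp3", ".ttt", ".vvv", ".xxx", ".xyz", ".zzz",
})

# Extensions that benign files use too; a name match alone is not enough for these.
AMBIGUOUS_EXTENSIONS = frozenset({".mp3", ".abc"})

HEADER_BYTES = 16  # enough to recognise an ID3 tag or an MPEG frame sync


def looks_like_real_mp3(header: bytes) -> bool:
    """Heuristic: genuine MP3 files start with an ID3v2 tag or an MPEG frame sync."""
    if header[:3] == b"ID3":
        return True
    # MPEG audio frame sync: 11 set bits at the start of the frame header.
    return len(header) >= 2 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0


def suspicious_extension(name: str, header: bytes) -> Optional[str]:
    """Return the matching TeslaCrypt extension, or None if the file looks benign."""
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in TESLACRYPT_EXTENSIONS:
        return None
    if ext in AMBIGUOUS_EXTENSIONS:
        # Content that parses as real audio is almost certainly not ciphertext.
        if ext == ".mp3" and looks_like_real_mp3(header):
            return None
        # Assumption (see lead-in): TeslaCrypt appends its extension to the whole
        # original name, so an encrypted file keeps a second extension underneath.
        if not os.path.splitext(stem)[1]:
            return None
    return ext


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and group suspected encrypted files by extension (paths relative to root)."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    header = fh.read(HEADER_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole sweep
            ext = suspicious_extension(name, header)
            if ext:
                hits[ext].append(os.path.relpath(full, root).replace(os.sep, "/"))
    return {ext: sorted(paths) for ext, paths in hits.items()}


def build_sample_tree() -> str:
    """Create a constructed sample directory for a dry run (not real malware output)."""
    root = tempfile.mkdtemp(prefix="teslacrypt-triage-")
    samples = {
        "docs/report.docx.vvv": os.urandom(64),               # ciphertext-looking, unambiguous ext
        "docs/notes.txt": b"plain text, untouched",
        "finance/budget.xlsx.mp3": os.urandom(64),            # ciphertext-looking, ambiguous ext
        "music/song.mp3": b"ID3\x04\x00" + os.urandom(32),    # genuine ID3v2 header
        "music/live.mp3": b"\xff\xfb\x90\x00" + os.urandom(32),  # MPEG frame sync, no ID3 tag
        "share/plan.abc": b"abc notation, single extension",  # single .abc extension, treated benign
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def demo() -> Dict[str, List[str]]:
    """Scan the constructed sample tree and return the grouped hits."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for ext, paths in sorted(demo().items()):
        print(f"{ext}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Run it against a mounted image or a network share root rather than the live system drive of an infected host, and treat the output as a starting point for scoping: the double-extension rule will miss a file whose original name had no extension, and the audio check only applies to .mp3, so expect to review the .abc hits by hand.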

UPDATE 5/18/2016: The developers of TeslaCrypt have ended this ransomware campaign and released the master decryption key.

  • Cisco's Talos Group offers a tool called TeslaDecrypt to decrypt files encrypted by some versions of TeslaCrypt; it is available both as a Windows binary and as a Python script.
  • BleepingComputer.com offers another decryption tool, TeslaDecoder.
  • Bitdefender Labs has released a free TeslaCrypt infection prevention tool, or “vaccine.”
  • Talos has published further analysis of TeslaCrypt.
  • Additional free tools specific to the removal of TeslaCrypt 3.0 are also available.
  • ESET provides a free decryption tool for TeslaCrypt 3.0 and 4.0, along with instructions on how to use it.