TeslaCrypt 3.0 stopped by SuperShield
There are now three versions of TeslaCrypt that have circulated: 1.0, 2.0, and 3.0. The latest, TeslaCrypt 3.0, was first discovered in January 2016.
We’ve recently come across several TeslaCrypt files trying to execute on our users’ machines and blocked them. Before downloading and executing the file in a virtual machine, I was suspicious of the file as soon as I noticed that it had jumbled letters for a vendor and product name. I’ve put together a short video (about 3 minutes long) showing what this file would have done to your computer if it was not blocked by SuperShield. We received this file (TeslaCrypt 3.0) from a user’s computer on February 8, 2016.
Some notes about the video:
- You can see when I first attempt to run the file SuperShield blocks it. I then turn off SuperShield and run it again.
- I’ve set up some fake “Valuable Documents” to simulate files on your computer, each containing just a few sentences.
- The middle of the video has been sped up as it takes about a minute for the action to begin.
- After the file was executed, you can see that there was a spike in CPU usage, and then it automatically closes Task Manager so I can’t access it.
- Several versions of recovery instructions pop up, and the “Valuable Documents” have been encrypted. When I change the extension and open them, the entire document is gibberish.
Versions 1.0 and 2.0 can sometimes be decrypted using a tool developed by BloodDolly called TeslaDecoder. (Download)
The tool will try to locate the decryption key on your machine. If the key has been removed from your machine it will not be able to decrypt the files. The developer states in the change log, “Currently I don’t know how to recover one of the private keys…” referring to TeslaCrypt 3.0. It may have success finding this key in the older versions of TeslaCrypt, but in version 3.0 it currently is not able to recover the key from your machine.
When I tried to use the tool to decrypt the “Valuable Documents” you see in the video, it was unsuccessful.
It is best to have recent backups of your data that you can restore.