TeslaCrypt Ransomware

TeslaCrypt 3.0 stopped by SuperShield

There are now three versions of TeslaCrypt that have circulated: 1.0, 2.0, and 3.0. The latest, TeslaCrypt 3.0, was first discovered in January 2016.

We’ve recently come across several TeslaCrypt files trying to execute on our users’ machines and blocked them. Before downloading and executing the file in a virtual machine, I was suspicious of the file as soon as I noticed that it had jumbled letters for a vendor and product name. I’ve put together a short video (about 3 minutes long) showing what this file would have done to your computer if it was not blocked by SuperShield. We received this file (TeslaCrypt 3.0) from a user’s computer on February 8, 2016.

Some notes about the video:

  • You can see when I first attempt to run the file SuperShield blocks it. I then turn off SuperShield and run it again.
  • I’ve set up some fake “Valuable Documents” to simulate files on your computer, each containing just a few sentences.
  • The middle of the video has been sped up as it takes about a minute for the action to begin.
  • After the file was executed, you can see that there was a spike in CPU usage, and then it automatically closes Task Manager so I can’t access it.
  • Several versions of recovery instructions pop up, and the “Valuable Documents” have been encrypted. When I change the extension and open them, the entire document is gibberish.

Versions 1.0 and 2.0 can sometimes be decrypted using a tool developed by BloodDolly called TeslaDecoder. (Download)

The tool will try to locate the decryption key on your machine. If the key has been removed from your machine it will not be able to decrypt the files. The developer states in the change log, “Currently I don’t know how to recover one of the private keys…” referring to TeslaCrypt 3.0. It may have success finding this key in the older versions of TeslaCrypt, but in version 3.0 it currently is not able to recover the key from your machine.

When I tried to use the tool to decrypt the “Valuable Documents” you see in the video, it was unsuccessful.

It is best to have recent backups of your data that you can restore.

(Visited 63 times, 1 visits today)

4 thoughts on “TeslaCrypt Ransomware

  1. I had to have my PC redone – a new hard drive and Ram upgrade from 2 to 4 Gig for Win10. But I lost some of my programs & need to redownload PC Matic. Can you help me?

  2. My bank acct shows a pc matic charge; but your notice states that I have not purchased the program. Please have a live person contact me by phone at 813-935-4720 to resolve this problem. I chose PC Matic because I believed it to be the best protection available but am disappointed that there is no live contact thru which to address specific problems. Please let me hear from you.

Leave a Reply

Your email address will not be published. Required fields are marked *