The lineage of predecessors and successors in the ransomware landscape is exemplified by CryptoLocker and TeslaCrypt. The latter is believed to originate from the same cybercriminal syndicate and appears to be the most recent file-encrypting variant in this family. One piece of evidence for this relation is the program’s shortcut, which still says “CryptoLocker” even though CryptoLocker itself has reportedly been taken down. Several features, however, set the two apart.
First off, TeslaCrypt currently targets computer files associated with online video games. It scans the compromised PC for the respective file extensions and then encrypts the user’s data for Steam activation keys and saved games. This ultimately makes days or even weeks of painstaking gaming go down the drain, affecting data for World of Warcraft, Minecraft, Skyrim and Call of Duty, to list just a few. For the average player, this is a sucker punch below the belt. Nonetheless, it’s likely that the ransomware under analysis will expand its damage surface by targeting other personal files on the infected computer as well.
The majority of user reports submitted so far point to drive-by contamination, where TeslaCrypt infects systems via a Flash exploit that automatically redirects the browser to a site hosting the Angler exploit kit. Since gamers are the primary targets at this stage of the campaign, the exploit is hosted on compromised web pages that are popular with that community. All in all, the attack is barely perceptible and hard to avoid.
The next thing that happens after the intrusion is a series of system-level changes, including the blocking of Task Manager, Regedit, msconfig and cmd.exe. This prevents the victim from carrying out commonplace troubleshooting. A number of files are also added to the Application Data directory, including key.dat and log.html. The virus then scans the hard drive for particular file types and, once they are found, encrypts them with the AES-256 algorithm. This is interesting because the wallpaper, which is changed to the image shown in the screenshot above, claims that RSA-2048 is used. That claim isn’t true, just for the record. The alert (the HELP_RESTORE_FILES_aeeuc.txt file) goes on to say that you have 4 days (96 hours) to pay the ransom so that the files can be decrypted. The amount is 1.5 BTC, or approximately 400 USD.
All ransom payments are processed via a Tor website, with every infected user being assigned a unique Bitcoin address. Other payment channels include Ukash and PaySafeCard, but the amount to submit tends to vary across different systems. One of the hurdles for recovering encrypted files without paying the ransom is that TeslaCrypt tries to delete all Shadow Volume Copies it finds on the machine, which means that using the Windows Previous Versions feature could be problematic.
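The indicators described above (blocked admin tools, key.dat and log.html in Application Data, a HELP_RESTORE_FILES_*.txt note, and missing shadow copies) can be checked on a suspect machine with a read-only triage script. The following PowerShell is an added example written for this article, not code from the original post or from any security vendor. It assumes the tools are blocked through the standard Windows policy registry values (DisableTaskMgr, DisableRegistryTools, DisableCMD); the article does not say how TeslaCrypt blocks them, so that mapping is an assumption. It also assumes the ransom note's suffix (aeeuc in the article) varies between victims and therefore matches the prefix only.

```powershell
# Added triage example (not from the original article). Read-only: it changes
# nothing, so it can be run before deciding on removal and recovery steps.
$findings = @()

# 1. Policy values that disable Task Manager, Regedit and cmd.exe.
#    Assumption: these standard policy values are how the tools are blocked.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';       Tool = 'Task Manager' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Tool = 'Regedit' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD';           Tool = 'cmd.exe' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -ne 0) {
        $findings += "Policy blocks $($c.Tool): $($c.Path)\$($c.Name) = $($v.($c.Name))"
    }
}

# 2. Files the article says are dropped into Application Data.
foreach ($f in 'key.dat', 'log.html') {
    $p = Join-Path $env:APPDATA $f
    if (Test-Path $p) { $findings += "Dropped file present: $p" }
}

# 3. Ransom notes. The article names HELP_RESTORE_FILES_aeeuc.txt; the suffix
#    is assumed to vary, so only the prefix is matched.
$notes = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter 'HELP_RESTORE_FILES_*.txt' `
    -ErrorAction SilentlyContinue | Select-Object -First 5
foreach ($n in $notes) { $findings += "Ransom note: $($n.FullName)" }

# 4. Shadow copies. TeslaCrypt tries to delete them, so a count of zero on a
#    machine that had System Restore enabled is itself a finding.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$findings += "Shadow copies present: $($shadows.Count)"

if ($findings.Count -eq 1) { 'No TeslaCrypt indicators found beyond the shadow copy count.' }
$findings
```

Run it from an elevated PowerShell prompt: the Win32_ShadowCopy query returns nothing for a standard user, which would make the shadow copy count misleading. Because a user policy key may legitimately be set by an administrator, treat a hit there as a prompt to look for the other indicators rather than as proof of infection on its own.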
The best actionable advice for preventing this ransomware attack is to install the latest software updates as soon as they are rolled out, especially Windows patches and those for Adobe products. If infected, users should remove the TeslaCrypt virus proper and try a few file recovery options – potentially effective techniques are described below in step-by-step form.
This is an exceptionally efficient method for dealing with malware in general and ransomware threats in particular. A reputable security suite ensures thorough detection of all virus components and their complete removal in a single click. Be advised, though, that removing this infection and recovering your files are two different things; the need to remove the pest is nonetheless indisputable, as it has been reported to drop other Trojans while operating.
It has been mentioned that TeslaCrypt uses strong crypto to render files inaccessible, so there is no magic wand that restores all of the encrypted data in the blink of an eye, short of paying the unthinkable ransom. There are techniques, though, that can help you recover the important files – learn what they are below.
Automatic file recovery software
It’s worth knowing that TeslaCrypt erases the original, unencrypted files; it is the copies that undergo the ransomware’s crypto processing. So tools like Data Recovery Pro can restore the deleted objects, even if they were removed in a secure way. This workaround is definitely worthwhile, as it has proven fairly effective.
Shadow Volume Copies
This approach relies on the native Windows backup of files on the computer, which is taken at each restore point. There is an important condition to this method: it only works if the System Restore feature was enabled before the contamination. Also, if changes were made to a file after the most recent restore point, they won’t be reflected in the recovered version.
The Properties dialog for any file has a tab called Previous Versions. That’s where the backed-up versions are displayed and can be recovered from. So right-click on a file, go to Properties, open the above-mentioned tab and select the Copy or Restore option, depending on the location you would like it recovered to.
The above process can be automated with a tool called Shadow Explorer. It does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. Download and install the application, run it and browse to the files and folders whose previous versions you wish to restore. To get the job done, right-click on any of the entries and select the Export feature.
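The same Shadow Volume Copy retrieval can be done without a third-party tool, which is useful when the infected machine should not have additional software installed before it is cleaned. The PowerShell below is an added example for this article, not code from the original post or from Shadow Explorer's authors. It picks the newest shadow copy of C:, exposes it as a directory junction, and copies a file out into a separate recovery folder rather than over the encrypted original. The mount point C:\ShadowMount, the folder C:\Recovered and the relative path Users\Alice\Documents\savegame.sav are constructed values for illustration.

```powershell
# Added recovery example (not from the original article). Requires an
# elevated prompt and should be run only after the ransomware is removed,
# otherwise the restored copies can be encrypted again.
$volume     = 'C:\'
$mountPoint = 'C:\ShadowMount'   # assumed mount point; any unused path works
$recoverTo  = 'C:\Recovered'     # assumed destination, kept separate from originals

# Win32_ShadowCopy reports the volume as \\?\Volume{GUID}\; map that to a drive letter.
$driveOf = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object { $driveOf[$_.DeviceID] = $_.Name }

$shadow = Get-CimInstance -ClassName Win32_ShadowCopy |
    Where-Object { $driveOf[$_.VolumeName] -eq $volume } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1

if (-not $shadow) {
    throw "No shadow copies exist for $volume; this recovery route is not available."
}
"Using shadow copy $($shadow.ID) created $($shadow.InstallDate)"

# mklink needs the device path with a trailing backslash, e.g.
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
if (Test-Path $mountPoint) { throw "$mountPoint already exists; choose another mount point." }
$target = $shadow.DeviceObject + '\'
cmd.exe /c mklink /d $mountPoint $target | Out-Null

# Recover one file (constructed path) into the separate folder; the encrypted
# original stays untouched as evidence and in case this version is stale.
New-Item -ItemType Directory -Path $recoverTo -Force | Out-Null
$relative = 'Users\Alice\Documents\savegame.sav'
$source   = Join-Path $mountPoint $relative
if (Test-Path $source) {
    Copy-Item -Path $source -Destination (Join-Path $recoverTo (Split-Path $relative -Leaf))
    "Recovered $relative from the shadow copy dated $($shadow.InstallDate)"
} else {
    "$relative is not present in this shadow copy"
}

# Remove the junction only; the shadow copy itself is left in place.
cmd.exe /c rmdir $mountPoint | Out-Null
```

As the article notes, the copy you get back is only as recent as the last restore point, so check the InstallDate printed above against when you last worked on the file. If the script throws because no shadow copies exist, TeslaCrypt has most likely already deleted them and the other recovery options on this page are the remaining route.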
Out of all the options that aren’t ransom-related, this one is the best. If you had been backing up your information to an external server before the ransomware hit your PC, restoring the files encrypted by TeslaCrypt is as simple as logging into the respective interface, selecting the right files and initiating the restore proper. Before you do so, however, be sure to completely remove the ransomware from your computer.
If you chose the manual cleanup technique, some fragments of the ransomware may remain as obfuscated objects in the operating system or as registry entries. To make sure there are no malicious components of the TeslaCrypt virus left, have your computer scanned with a reliable malware security suite.