
Remove TeslaCrypt 3.0 and Restore .micro Encrypted Files

A new version of the TeslaCrypt ransomware, dubbed TeslaCrypt 3.0, is in circulation. It appends the .micro extension to the files it encrypts; sibling builds use the .ttt and .xxx extensions. The ransom note of the .micro variant still claims the files are locked with RSA, although the file contents are encrypted with AES and it is the per-file key material that is protected asymmetrically.

Threat Summary

Name                 TeslaCrypt 3.0
Type                 Ransomware
Short Description    Searches the disk for files with the extensions listed below, encrypts them, and drops a ransom note stating the price and where to send the payment.
Symptoms             Encrypted files carry a .micro extension. A ransom note appears on the desktop.
Distribution Method  Malicious websites, spam emails with attachments

TeslaCrypt .micro Extension Ransomware – Distribution

Like its predecessor, which was delivered by the Miuref.B Trojan, TeslaCrypt 3.0 may be dropped by a Trojan downloader. That typically happens when a user visits a compromised or malicious site and follows a link that serves malicious code without noticing.

Spam email with malicious attachments remains the most effective distribution channel. The attachments are archives or executables, and some reports describe infections through malicious macros in Microsoft Office documents or scripted content in Adobe (PDF) documents that fetch the payload.

The .micro Extension Ransomware – Details

When it runs, the ransomware drops a randomly named executable into the roaming application-data folder of the current user profile:

→%APPDATA%\[random name].exe   (i.e. C:\Users\<user>\AppData\Roaming\[random name].exe)

When that file executes, it registers itself for persistence with a Run value named "meryHmas":

→HKCU\Software\Microsoft\Windows\CurrentVersion\Run\meryHmas

Anything listed under this Run key is started every time the user logs on, so the dropped executable runs again after every reboot until the value is removed.

The .micro variant may also create further keys in the Windows Registry:

→HKCU\Software\[random name]
→HKCU\Software\xxxsys

TeslaCrypt 3.0 then searches for files to encrypt and renames each one with the .micro extension. The extensions it is known to target are listed below; the list may not be complete.

→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

After encryption, the ransomware drops the ransom note with the payment instructions on the desktop and in other locations, in three formats:

Howto_Restore_FILES.BMP
Howto_Restore_FILES.HTM
Howto_Restore_FILES.TXT

The instructions are nearly identical to those of another notorious ransomware, CryptoWall 3.0. Researchers believe the copied message either simplifies and outsources the payment process by reusing CryptoWall's methods, or is meant to disguise the malware's real identity.


The note explains how to reach the criminals' payment site over the Tor network and pay the ransom anonymously. Do NOT pay the ransom demanded by the TeslaCrypt 3.0 creators: there is no guarantee you will receive a decryption key, and every payment funds the operators' further development and other crimes.

The .micro Extension Ransomware – Removal

To remove TeslaCrypt 3.0, first disconnect the machine from the network so the ransomware can no longer communicate or reach network shares. Then back up the encrypted files and the ransom notes, since a future decryption tool may need them, and carefully follow the instructions below. If the ransomware is still active afterwards, use an advanced anti-malware tool; such software also helps keep the system protected in the future.

Manually delete TeslaCrypt 3.0 from your computer

Note: manual removal of TeslaCrypt 3.0 involves editing system files and the registry and can damage your PC if done incorrectly. If you are not comfortable with that, a malware removal tool can perform the removal in a few minutes.

1. Boot your PC in Safe Mode to isolate and remove TeslaCrypt 3.0 files and objects
2. Find malicious files created by TeslaCrypt 3.0 on your PC
3. Fix registry entries created by TeslaCrypt 3.0 on your PC
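
The Details section above names concrete indicators (the Run value meryHmas, the HKCU\Software\xxxsys key, a bare .exe in %APPDATA%, the .micro files and the Howto_Restore_FILES.* notes), and the three manual steps boil down to finding and removing them. The PowerShell script below is an added example, not code from the original article or from any vendor tool: it sweeps one host for those indicators and, only when run with -Remove, performs the cleanup (stops the process, deletes the Run value and marker key, quarantines the executable). The quarantine folder, the CSV report path and the decision to scan every non-system drive are assumptions; encrypted files are never touched.

```powershell
# Added example: IOC sweep and optional cleanup for TeslaCrypt 3.0 (.micro variant).
# Not code from the original article or any vendor tool. Run from an elevated PowerShell
# prompt on the affected host, with the machine disconnected from the network.
# Indicators come from the article; quarantine/report paths and drive scope are assumptions.
param([switch]$Remove)   # without -Remove the script only reports

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$markerKey  = 'HKCU:\Software\xxxsys'
$quarantine = "$env:SystemDrive\Quarantine"                      # assumption: evidence folder
$report     = "$env:USERPROFILE\Desktop\teslacrypt-triage.csv"   # assumption

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. A process whose image sits directly in %APPDATA% (C:\Users\<user>\AppData\Roaming\<random>.exe).
#    Legitimate software lives in subfolders there, so a bare .exe in the root is suspicious.
foreach ($p in @(Get-Process | Where-Object { $_.Path -and (Split-Path -Parent $_.Path) -ieq $env:APPDATA })) {
    Add-Finding 'Process' "$($p.ProcessName) pid=$($p.Id) path=$($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Persistence: the Run value named "meryHmas".
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['meryHmas']) {
    Add-Finding 'RunKey' "meryHmas = $($run.meryHmas)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'meryHmas' }
}

# 3. Marker key. The randomly named sibling key cannot be matched by name; compare
#    HKCU\Software with a known-good baseline export if you have one.
if (Test-Path $markerKey) {
    Add-Finding 'RegistryKey' "$markerKey exists"
    if ($Remove) { Remove-Item -Path $markerKey -Recurse }
}

# 4. Dropped executable: record its SHA-256 for your AV vendor, then quarantine rather than delete.
foreach ($exe in @(Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -File -ErrorAction SilentlyContinue)) {
    $sha256 = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
    Add-Finding 'SuspectExe' "$($exe.FullName) sha256=$sha256 created=$($exe.CreationTime)"
    if ($Remove) {
        New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
        Move-Item -Path $exe.FullName -Destination (Join-Path $quarantine ($exe.Name + '.quarantined'))
    }
}

# 5. Encrypted files and ransom notes. Scope (assumption): user profile plus every other
#    filesystem drive, mapped shares included. This step is read-only.
$roots = @($env:USERPROFILE) + @(Get-PSDrive -PSProvider FileSystem |
             Where-Object { $_.Root -ne "$env:SystemDrive\" } | ForEach-Object { $_.Root })
$encrypted = @(Get-ChildItem -Path $roots -Recurse -File -Include '*.micro','*.ttt','*.xxx' -ErrorAction SilentlyContinue)
$notes     = @(Get-ChildItem -Path $roots -Recurse -File -Include 'Howto_Restore_FILES.*' -ErrorAction SilentlyContinue)
if ($encrypted.Count -gt 0) {
    # The earliest LastWriteTime among encrypted files approximates when encryption began.
    $first = $encrypted | Sort-Object LastWriteTime | Select-Object -First 1
    Add-Finding 'Encrypted' ("{0} files, earliest {1} at {2}" -f $encrypted.Count, $first.FullName, $first.LastWriteTime)
}
foreach ($n in $notes) { Add-Finding 'RansomNote' $n.FullName }

$findings | Format-Table -AutoSize -Wrap
$findings | Export-Csv -NoTypeInformation -Path $report
```

Save it as teslacrypt-triage.ps1, run it once without -Remove from an elevated prompt in Safe Mode, review the table, then rerun with -Remove. Keep the quarantined executable and its SHA-256 for your AV vendor, and use the earliest LastWriteTime among the .micro files to decide which backups predate the infection.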

Automatically remove TeslaCrypt 3.0 by downloading an advanced anti-malware program

1. Remove TeslaCrypt 3.0 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by TeslaCrypt 3.0 in the future
3. Restore files encrypted by TeslaCrypt 3.0
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.


  • bouchta

    Good evening,

    Still nothing new for decrypting files with the .micro extension without going through data recovery?
    Thanks.

  • Joseph

    Hi,
    does anyone know anything about the .micro extension?

    I lost everything 🙁

  • said

    Our server was infected by the TeslaCrypt 3.0 virus; all our .doc files have been turned into .flv files. The server covers about a hundred computers. Please give me a radical solution.

    • dotdote

      thanks for instruction about TeslaCrypt.

  • julian anon

    MASTERKEYFORDECRIP 440241DD80FCC5664E86198DB716E08CE627D8D40C7EA360EA855C7EA360AE885C727A49EE

  • Axel Diez

    Please help.

    Hi everyone
    I have a problem with the new variant; all my documents are encrypted with *.cript.

    I tried all the Kaspersky tools, but none of them works with this variant.

    Please help me to recover my files.
