Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove TeslaCrypt 3.0 Ransomware and Restore .mp3 Encrypted Files

One of the most vicious malware threats ever to affect users on a global scale – TeslaCrypt ransomware, has appeared yet again with another variant. This time, the crypto-malware uses a .mp3 file extension and possibly employs improvements in its code. Such improvements may make the decryption process even more difficult. Despite the fact that TeslaCrypt demands ransom money to unlock the encrypted files on a victim’s computer, we strongly advise users not to pay. Instead, keep trying with the methods we regularly update in our removal articles to restore files.

UPDATE! A free decryptor has been released for files encoded by TeslaCrypt 3.0 ransomware. To learn how to decrypt your files, please visit the following article.

Threat Summary

NameTeslaCrypt 3.0
TypeRansomware
Short DescriptionThe notorious TeslaCrypt ransomware encrypts user files and requests a payment to retrieve them.
SymptomsThe user may witness his files to have the .mp3 file extension as well as his wallpaper changed and new ransom note type of files(.txt, .html, .png) on his PC.
Distribution MethodVia malicious URLs or attachments and a Trojan.Downloader
Detection Tool See If Your System Has Been Affected by TeslaCrypt 3.0

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss TeslaCrypt .mp3 Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

help_recover_instructions-sensorstechforum-tesla

TeslaCrypt 3.0 Ransomware – How Does It Spread

TeslaCrypt is mainly spread via exploit kits and Trojans, such as the Miuref.B Trojan. These can be found attached to an email the victim may have opened as a malicious URL or a spam attachment of an archive file. It may contain either infected document files or malicious URLs that lead to such. The most commonly used malicious files are of the following file extensions:

  • .bat, .cmd, .dll, .tmp, .exe

The spam emails featured may resemble a legitimate service the user has been registered in. Examples may be as follows:

  • “Your payment receipt from PayPal.”
  • “Free gift from eBay.”
  • “Bank Reciept from {Bank Name}.”

TeslaCrypt 3.0 Ransomware In Detail

Unlike other Tesla variants, this one is more sophisticated. This is because, besides using CryptoWall’s ransom note, to resemble another devastating malware, TeslaCrypt supports a significantly larger range with file extensions that it can encrypt.

TeslaCrypt performs the following methodological steps when it infects your computer:

Step 1: Payload Drop

The payload has random characters, and it is located in:

  • %User’sProfile%\Application Data

TeslaCrypt 3.0 then makes a registry entry for the .exe to run every time Windows has started. It is located in the following key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

And it is set with the following data:

  • “addon_v{number}” = “%User’sProfile%\Application Data\{payload .exe}

After this the crypto-malware also makes a registry entry with hexadecimal digits in the following key:

  • HKEY_CURRENT_USER\Software\xxxsys\

Step 2: File Encryption

According to Symantec Threat Response researchers, once its malicious .exe has been started, the crypto-malware then scans for and encrypts files with these extensions:

.7z .rar .m4a .wma .avi .wmv .csv .d3dbsp .sc2save .sie .sum .ibank .t13 .t12 .qdf .gdb .tax .pkpass .bc6 .bc7 .bkp .qic .bkf .sidn .sidd .mddata .itl .itdb .icxs .hvpl .hplg .hkdb .mdbackup .syncdb .gho .cas .svg .map .wmo .itm .sb .fos .mcgame .vdf .ztmp .sis .sid .ncf .menu .layout .dmp .blob .esm .001 .vtf .dazip .fpk .mlx .kf .iwd .vpk .tor .psk .rim .w3x .fsh .ntl .arch00 .lvl .snx .cfr .ff .vpp_pc .lrf .m2 .mcmeta .vfs0 .mpqge .kdb .db0 .DayZProfile .rofl .hkx .bar .upk .das .iwi .litemod .asset .forge .ltx .bsa .apk .re4 .sav .lbf .slm .bik .epk .rgss3a .pak .big .unity3d .wotreplay .xxx .desc .py .m3u .flv .js .css .rb .png .jpeg .txt .p7c .p7b .p12 .pfx .pem .crt .cer .der .x3f .srw .pef .ptx .r3d .rw2 .rwl .raw .raf .orf .nrw .mrwref .mef .erf .kdc .dcr .cr2 .crw .bay .sr2 .srf .arw .3fr .dng .jpe .jpg .cdr .indd .ai .eps .pdf .pdd .psd .dbfv .mdf .wb2 .rtf .wpd .dxg .xf .dwg .pst .accdb .mdb .pptm .pptx .ppt .xlk .xlsb .xlsm .xlsx .xls .wps .docm .docx .doc .odb .odc .odm .odp .ods .odt

TeslaCrypt adds the .mp3 file extension to the files, for example:

  • New Excel Worksheet.docx.mp3

The files appear to be corrupt and upon opening the user may witness that Windows begins to look for a way to open them:

mp3-player-sensorstechforum-files-.mp3-file extension

When the file is checked, it is becoming clear that a very strong mixture of AES-256, SHA256 and ECHD encryption algorithms have been used:

encrypted-file-by-teslacrypt

In addition, the ransomware creates a “__sys_{random numbers}” mutex and then connects to several remote hosts:

  • http://ladiesdehaan(dot)be/modules/mod_cmscore/mzsy
  • http://chonburicoop(dot)net/tmp/mzsy
  • http://ferienwohnung-walchensee-pur(dot)de/tmp/mzsy
  • http://espoirsetvie(dot)com/modules/mod_cmscore/mzsy
  • http://ioasis(dot)org/modules/mod_fxprev/libraries/mzsy
  • http://polyhedrusgroup(dot)com/components/com_acymailing/views/user/tmpl/mzsy

Step 3: Notifying the user:

After finished with the encryption of the data, TeslaCrypt, creates several files:

  • _H_e_l_p_RECOVER_INSTRUCTIONS{ID}.png
  • _H_e_l_p_RECOVER_INSTRUCTIONS{ID}.txt
  • _H_e_l_p_RECOVER_INSTRUCTIONS{ID}.html
  • recover_file_{random_ID}.txt

The _H_e_l_p_RECOVER_INSTRUCTIONS{ID} files all contain the following ransom note:

TeslaCrypt 3.0 Ransom Note

The “recover_file.txt” contains four lines of identification numbers, which represent accordingly the following information:

  • The BitCoin address.
  • The hex code for the public AES key which is 32 bytes in size.
  • ID hex.
  • ID of the used encryption.

Remove TeslaCrypt 3.0 and Restore .mp3 Encrypted Files

The bottom line is that the latest variant of Tesla has definitely improved and may have patched up several holes and weaknesses in its code, leaving the user without any way out but to decrypt his files.

However, experts strongly advise NOT to pay any ransom money for the following reasons:

  • You fund the cybercrime organization and it makes the ransomware even more impenetrable.
  • There is no guarantee that your files will be decrypted after you pay the ransom money.

It is strongly recommended to immediately remove this malware by using the methods outlined after this article. In them we have also included instructions on how to use different software to recover your files.

Manually delete TeslaCrypt 3.0 from your computer

Note! Substantial notification about the TeslaCrypt 3.0 threat: Manual removal of TeslaCrypt 3.0 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove TeslaCrypt 3.0 files and objects
2.Find malicious files created by TeslaCrypt 3.0 on your PC
3.Fix registry entries created by TeslaCrypt 3.0 on your PC

Automatically remove TeslaCrypt 3.0 by downloading an advanced anti-malware program

1. Remove TeslaCrypt 3.0 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by TeslaCrypt 3.0 in the future
3. Restore files encrypted by TeslaCrypt 3.0
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

  • Michael

    I get error:3 when try installing on windows server 2008 R2. Can you help?

    Thanks

  • vishal patel

    Hi sir,

    my all files of word and excel encrypted into mp3. How can i decrypt it please. can you help me please. i m in big problem

  • Paul

    our office has been infect last 25 Feb, all are accounting computers and all documents has been infected. can somebody kill these people.

  • vivek

    My computer is also infected all the word excel, PDF ,jpg files are encrypted in to mp3. Let me know if find any help

  • ipsit jena

    Mycomputer is also infected all the word excel, PDF ,jpg files are encrypted in to mp3. Plz help sir

  • John O

    I’ve tried my best with recovery software. It’s very difficult since I can’t see the preview. Why can’t someone jut find these people and arrest them?

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.