A new variant of the TeslaCrypt ransomware is circulating. This one appends the .vvv extension to every file it encrypts and drops a ransom note named how_recover+abc into each folder it touches, so an infected system ends up with thousands of dropped files spread across many folders.
Type: Ransomware (Trojan)
Short Description: Encrypts the user's files. No decryption key is stored on the computer.
Symptoms: Encrypted files carry a .vvv extension; decrypt.exe, decrypt.html and decrypt.txt appear in almost every folder, together with a new ransom note in how_recover+abc.html and how_recover+abc.txt.
Distribution Method: Email attachments, spam emails, suspicious sites
TeslaCrypt Ransomware – How Did I Get It?
Ransomware such as TeslaCrypt can enter a system in several ways.
The most common distribution method is malicious email attachments and spam campaigns. Less commonly, the email body itself carries the malicious code, so that merely opening the message in a mail client that renders it is enough to trigger the infection, even if the attachment is never opened.
Social networks and file sharing services may also carry TeslaCrypt disguised as an ordinary file, and dubious websites can deliver it as a drive-by download: simply visiting such a site can infect the system without any visible sign to the user.
TeslaCrypt Ransomware – Description
Once executed, the latest TeslaCrypt ransomware will search for files with more than 150 extensions, and more specifically the following ones:
→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
Every file with one of these extensions is encrypted and given the additional extension “.vvv”. Unlike the previous variant, this one does not keep data files on disk and does not store any information about the decryption key on the compromised computer.
That leaves a network capture as the only way to recover key material from the infection itself. A network sniffer is a program or device that records the packets travelling over a network, such as a host's internet traffic; if one was already running when the files were being encrypted, the capture may contain the information about the decryption key that the malware sent out. A capture started after the encryption has finished recovers nothing. Otherwise, the reliable way to get the files back is to restore them from backups on an external storage device, ideally one that was not connected while the infection ran, since attached drives are encrypted too. Further decryption options are included in the instructions at the end of the article.
The ransom note explains how to pay in several currencies, including Bitcoin, Ukash and PayPal My Cash cards. At the end of the note there is an upload form for testing whether decryption works on a sample file.
We advise against paying the ransom: there is no guarantee you will receive a decryption key, let alone a working one. Keep in mind that the ransomware can create thousands of files named decrypt.exe, decrypt.html and decrypt.txt, alongside the ransom note files how_recover+abc.txt and how_recover+abc.html, so the dropped files are a reliable indicator of which folders were touched.
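The indicators above (the .vvv extension, the dropped decrypt.* files and how_recover+abc notes, and the list of targeted extensions) are enough to write a triage sweep that an incident responder can run against a suspect profile or file share. The script below is an added example, not code from the article: it assumes the variant appends .vvv after the original extension (so report.docx becomes report.docx.vvv), uses only a subset of the listed target extensions, and builds its own constructed sample tree for the demonstration.

```python
"""Triage sweep for the TeslaCrypt .vvv variant: find encrypted files, the
dropped helper/ransom-note files, and still-untouched files of targeted types.

Added example, not code from the article. Assumes the variant appends .vvv
after the original extension (report.docx -> report.docx.vvv) and that the
dropped file names match the article exactly, compared case-insensitively.
"""
import json
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".vvv"  # extension the variant appends (from the article)

# Files the variant drops into affected folders (from the article).
DROPPED_NAMES = {
    "decrypt.exe", "decrypt.html", "decrypt.txt",
    "how_recover+abc.html", "how_recover+abc.txt",
}

# A subset of the extensions the article lists as targets; extend as needed.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".sql", ".pst",
    ".pem", ".pfx", ".zip", ".7z", ".rar", ".wallet", ".py", ".js",
}


def original_name(encrypted_path):
    """Recover the pre-encryption name by stripping the appended .vvv."""
    path = Path(encrypted_path)
    if path.suffix.lower() != ENCRYPTED_SUFFIX:
        raise ValueError("not a .vvv file: %s" % encrypted_path)
    return str(path.with_suffix(""))


def sweep(root):
    """Walk root once and bucket every file by what it tells us."""
    found = {"encrypted": [], "dropped": [], "at_risk": [], "note_dirs": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in DROPPED_NAMES:
                found["dropped"].append(path)
                found["note_dirs"][dirpath] += 1
            elif lower.endswith(ENCRYPTED_SUFFIX):
                found["encrypted"].append(path)
            elif os.path.splitext(lower)[1] in TARGET_EXTENSIONS:
                found["at_risk"].append(path)  # targeted type, not (yet) encrypted
    return found


def triage_summary(root):
    """Condense a sweep into the numbers an incident responder reports first."""
    found = sweep(root)
    return {
        "infected": bool(found["encrypted"] or found["dropped"]),
        "encrypted_count": len(found["encrypted"]),
        "dropped_count": len(found["dropped"]),
        "at_risk_count": len(found["at_risk"]),
        "folders_with_notes": sorted(
            os.path.relpath(d, root) for d in found["note_dirs"]),
        "originals": sorted(
            os.path.basename(original_name(p)) for p in found["encrypted"]),
    }


def demo_root():
    """Constructed sample tree (not a real capture): a partly encrypted profile."""
    root = tempfile.mkdtemp(prefix="vvv-triage-")
    layout = {
        "Documents/report.docx.vvv": b"\x00encrypted",
        "Documents/how_recover+abc.txt": b"ransom note",
        "Documents/how_recover+abc.html": b"<html>ransom note</html>",
        "Documents/decrypt.exe": b"MZ",
        "Pictures/holiday.jpg.vvv": b"\x00encrypted",
        "Pictures/decrypt.txt": b"ransom note",
        "Backups/keys.pem": b"-----BEGIN",  # targeted type, still intact
        "Music/song.mp3": b"ID3",           # .mp3 is not on the article's list
    }
    for rel, content in layout.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    print(json.dumps(triage_summary(demo_root()), indent=2))
```

Run it as-is to see the summary for the constructed tree, or call triage_summary() on a real path. The at_risk list is the practical output: those are the files still worth copying to disconnected storage before the process finishes. The script only reads file names; it never opens or modifies the encrypted files, and it should be run from a clean system against a mounted image rather than on the live infected host.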
Remove TeslaCrypt Ransomware Completely
To completely remove TeslaCrypt from your computer, you should have basic knowledge of malware removal. We strongly recommend backing up your files first, then carefully following the instructions provided here: