This article provides specific details on an iteration of Jigsaw ransomware dubbed the .tedcrypt files virus, as well as step-by-step removal instructions followed by alternative data recovery approaches.
A new iteration of Jigsaw ransomware has been detected by malware researchers. It is dubbed the .tedcrypt files virus and, in case of infection, it encodes valuable files with a strong cipher algorithm, leaving them inaccessible. Corrupted files can be recognized by the .tedcrypt extension that is appended to their names. Apparently, the ransomware is named after the associated extension. During the encryption stage, the ransomware drops a file that contains a ransom message left by the hackers. It is written in Turkish and mainly aims to blackmail you into paying them the ransom.
|Name||.tedcrypt Files Virus|
|Short Description||A data locker ransomware that utilizes a strong cipher algorithm to encrypt files stored on the infected computer. Then it demands a ransom for a decryption solution.|
|Symptoms||Important files are locked and renamed with .aurora extension. They remain unusable until a ransom is paid.|
|Distribution Method||Spam Emails, Email Attachments|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
.tedcrypt Files Virus – Distribution
A single executable file is enough to trigger an infection with the devastating .tedcrypt files virus. In order to effectively spread this file and trick users into running it on their PCs, hackers may use various shady techniques. One of the most common spread techniques is malspam. This could be explained by the fact that it is a convenient way for hackers to conceal the presence of their malicious code. Email messages that are part of malicious campaigns usually contain file attachments or in-text links. Both elements may be set to trigger the ransomware infection process once opened on the device. In order to make users more prone to download the malicious attachment or visit the corrupted web page, hackers can impersonate popular brands, governmental institutions, private services, etc.
For the sake of your security, before you open a dubious file on your PC you could use a free online file extractor to check the security level of the file. Tools of this kind scan the code of each uploaded file for specific malicious traits. After the scan, you could see whether the uploaded file contains malicious elements or not. The information could help you to refrain from opening corrupted files on your PC.
.tedcrypt Files Virus (Jigsaw) – Overview
Once the infection files of .tedcrypt files virus are started on the computer, they initiate a sequence of modifications that ensure its persistent presence on the system. The malicious files may reside in some major system folders including but not limited to:
The .tedcrypt files virus is likely to be developed to target some specific keys in the Windows Registry. These keys may be Run and RunOnce, as they have the functionality to manage the automatic execution of all files and objects which are essential for the smooth system performance. Once the ransomware adds its values under these sub-keys, it achieves persistence due to the fact that values stored by Run and RunOnce keys indicate which files need to be automatically executed on each system start.
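One way to review the Run and RunOnce values described above, as an added example that is not code from the original article: it parses text saved from `reg query` and marks autostart entries whose target sits in a user-writable location. The sample output, the value names and the location heuristic are constructed for this example.

```python
import re

# Constructed sample of saved `reg query` output; names and paths are made up.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater Service    REG_SZ    C:\Users\alice\AppData\Roaming\Updtr\svc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Cleanup    REG_EXPAND_SZ    %TEMP%\cl.exe /q
"""

# Value lines look like: 4 spaces, name, 4 spaces, REG_* type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|vbs|js|ps1))(?:\s|$)", re.I)
# Heuristic of this example (an assumption, not a list from the article):
# autostart targets that live where an unprivileged user can write.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\",
                 "%temp%", "%appdata%", "%localappdata%")


def command_path(data):
    """Return the program part of a Run value, without its arguments."""
    data = data.strip()
    if data.startswith('"'):                 # quoted path: take up to the closing quote
        return data[1:].split('"', 1)[0]
    m = EXE_RE.match(data)                   # unquoted: cut after the file extension
    return m.group(1) if m else data.split(" ", 1)[0]


def parse_autoruns(text):
    """Parse `reg query` text into rows and mark those that deserve a manual look."""
    key, rows = None, []
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            path = command_path(m["data"])
            review = any(p in path.lower() for p in USER_WRITABLE)
            rows.append({"key": key, "name": m["name"], "path": path, "review": review})
    return rows


if __name__ == "__main__":
    for row in parse_autoruns(SAMPLE):
        flag = "REVIEW" if row["review"] else "ok"
        print(f'{flag:6} {row["name"]!r} -> {row["path"]}  [{row["key"]}]')
```

A REVIEW mark is a prompt for manual inspection, not a verdict: legitimate software also registers autostart entries from per-user folders.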
Unlike some initial versions of the ransomware, including Jigsaw .CryptWalker, Jigsaw .justice, and Jigsaw .black007, Jigsaw .tedcrypt doesn’t use an image of the killer from the popular movie “Saw” for its ransom note. Instead, the .tedcrypt crypto virus displays a teddy bear image on the screens of its victims.
In addition, at the final stage of the attack, a ransom message written in Turkish is shown. It reads something like the following:
OOPS, TUM ONEMLI DOSYALARINIZ TedCrypt0r TARAFINDAN SIFRELENDI !!!
Ancak Kaygilanmauin, Hala Dosyalarinizi Geri Alma Sansiniz Var
Lutfen Sifrelerin Cozulmesi Icin Asagiadaki Adimalari Gelir
UYARI: Yazilimi Silmek Dosyalarinizi Geri Alma Sansinizin Kalamamasi Anlamina Gelir
Bilgisayari Kapamak, Yeniden Baslatmak, Hard Diske Format Amak
Dosyalari Baska Bir Diske Tasimak veya Uzantisini Degistirmek Dosyalarinizi
Dosyalari Kurtarmak Icin Tek Cozum Odemedir ve Bize By Konuda Guvenebilirsiniz
ANCAK FAZLA VAKTINIZ YOK, 24 SAAT ICINDE BU ISLEMLERI YAPMADIGINIZ TAKDIRDE TUM BILGISAYARINIZ
KALICI OLARAK SILINECEKTIR !
Such messages are used by hackers to blackmail victims into paying a predefined ransom in exchange for a decryption solution. Currently, the amount of the ransom demanded by the threat actors who stand behind .tedcrypt crypto virus infections is not known, but we have some good news for you. Security researchers successfully cracked the code of Jigsaw ransomware and released a free decryption tool for some of its variants. Eventually, they could update it and make it efficient for this .tedcrypt variant too. With its help, you may be able to restore your .tedcrypt files. You can find more information about the decrypter and a download link in the guide at the end.
.tedcrypt Files Virus – Encryption Process
The data encryption stage is the main one. For it, the .tedcrypt crypto virus utilizes a built-in cipher module which is set to transform parts of the original code of target files with the help of the AES algorithm. After these changes, access to the corrupted files remains blocked and all of them are marked with the distinctive .tedcrypt extension. Like previous iterations, this Jigsaw variant may be set to locate and encrypt all of the following types of files:
→.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as.txt, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxf.c, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip
This means that after an infection with .tedcrypt Jigsaw ransomware you may find all valuable files encrypted by the threat including:
- Audio files
- Video files
- Document files
- Image files
- Backup files
- Banking credentials, etc
Remove .tedcrypt Files Virus and Restore Data
Below you can find how to remove the .tedcrypt files virus step by step. To remove the ransomware manually, you need to have a bit of technical experience and the ability to recognize traits of malware files. Beware that ransomware is a threat with highly complex code that plagues not only your files but your whole system. So, as recommended by security researchers, you need to utilize an advanced anti-malware tool for its complete removal. Such a tool will keep your system protected against devastating threats like the discussed ransomware and other kinds of malware that endanger your online security.
After you remove the ransomware, make sure to check the “Restore Files” step listed in the guide below. But before you take any further actions, don’t forget to back up all encrypted files to an external drive in order to prevent their irreversible loss.
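The backup step above, as an added example that is not part of the original guide: it copies every file carrying the .tedcrypt extension to a destination folder, keeps relative paths, and verifies each copy by SHA-256. The function names and the manifest layout are assumptions of this example.

```python
import hashlib
import shutil
from pathlib import Path

EXT = ".tedcrypt"  # extension the article says is appended to encrypted files


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            h.update(block)
    return h.hexdigest()


def backup_encrypted(root, dest):
    """Copy every *.tedcrypt file under root into dest, keeping relative paths.

    Returns a manifest: (relative path, name without .tedcrypt, size, sha256).
    """
    root, dest = Path(root).resolve(), Path(dest).resolve()
    manifest = []
    for src in sorted(root.rglob("*")):
        if not src.is_file() or src.suffix.lower() != EXT:
            continue
        if dest in src.parents:          # skip the backup folder if it sits under root
            continue
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)        # copy, never move: originals stay untouched
        digest = sha256_of(src)
        if sha256_of(target) != digest:  # a decryptor needs bit-exact ciphertext
            raise OSError(f"copy of {rel} does not match the source")
        manifest.append((rel.as_posix(), src.stem, src.stat().st_size, digest))
    return manifest


if __name__ == "__main__":
    import sys
    for rel, original, size, digest in backup_encrypted(sys.argv[1], sys.argv[2]):
        print(f"{digest}  {size:>10}  {rel}  (was {original})")
```

Keeping the printed manifest alongside the copies makes it possible to confirm later that the backed-up ciphertext was not altered.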