.tedcrypt Files Virus (Jigsaw) - How to Remove and Restore Data

This article provides specific details on an iteration of Jigsaw ransomware dubbed the .tedcrypt files virus, as well as step-by-step removal instructions followed by alternative data recovery approaches.

A new iteration of Jigsaw ransomware has been detected by malware researchers. It is dubbed the .tedcrypt files virus and, in case of infection, it encodes valuable files with a strong cipher algorithm, leaving them inaccessible. Corrupted files can be recognized by the extension .tedcrypt that is appended to their names. Apparently, the ransomware is named after the associated extension. During the encryption stage, the ransomware drops a file that contains a ransom message left by hackers. It is written in Turkish and mainly aims to blackmail you into paying them the ransom.

Threat Summary

Name: .tedcrypt Files Virus
Type: Ransomware, Cryptovirus
Short Description: A data locker ransomware that uses a strong cipher algorithm to encrypt files stored on the infected computer. It then demands a ransom for a decryption solution.
Symptoms: Important files are locked and renamed with the .aurora extension. They remain unusable until a ransom is paid.
Distribution Method: Spam Emails, Email Attachments

.tedcrypt Files Virus – Distribution

A single executable file is enough to trigger an infection with the devastating .tedcrypt files virus. To spread this file effectively and trick users into running it on their PCs, hackers may use various shady techniques. One of the most common spread techniques is malspam, because it is a convenient way for hackers to conceal the presence of their malicious code. Email messages that are part of malicious campaigns usually contain file attachments or in-text links. Both elements may be set to trigger the ransomware infection process once opened on the device. To make users more likely to download the malicious attachment or visit the corrupted web page, hackers can impersonate popular brands, governmental institutions, private services, etc.

For the sake of your security, before you open a dubious file on your PC you could use a free online file extractor to check the security level of the file. Tools of this kind scan the code of each uploaded file for specific malicious traits. After the scan, you can see whether the uploaded file contains malicious elements or not. This information can help you refrain from opening corrupted files on your PC.

.tedcrypt Files Virus (Jigsaw) – Overview

Once the infection files of the .tedcrypt files virus are started on the computer, they initiate a sequence of modifications that ensure its persistent presence on the system. The malicious files may reside in some major system folders including but not limited to:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

The .tedcrypt files virus is likely developed to target some specific keys stored in the Windows Registry. These keys may be Run and RunOnce, as they manage the automatic execution of all files and objects which are essential for smooth system performance. Once the ransomware adds its values under these sub-keys, it achieves persistence, because the values stored under the Run and RunOnce keys indicate which files need to be automatically executed on each system start.
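
One way to review the Run and RunOnce keys described above for values that launch from the folders listed earlier. This is an added PowerShell example, not part of the original article; the function name Get-SuspectAutorun and the mapping of %Local%, %LocalLow% and %Roaming% to real profile paths are assumptions.

```powershell
# Added example: list Run/RunOnce autostart values whose command points into
# the user-writable folders named in the article.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: standard Windows profile layout for the article's folder names
$watched = @(
    $env:APPDATA,                                    # %Roaming%
    $env:LOCALAPPDATA,                               # %Local%
    (Join-Path $env:USERPROFILE 'AppData\LocalLow'), # %LocalLow%
    $env:TEMP                                        # %Temp%
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-SuspectAutorun {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Read the raw data, then expand %VAR% so REG_EXPAND_SZ values compare correctly
            $raw = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $cmd = [Environment]::ExpandEnvironmentVariables($raw)
            # Case-insensitive substring match on "<folder>\"
            $hit = $watched | Where-Object {
                $cmd.IndexOf(($_ + '\'), [StringComparison]::OrdinalIgnoreCase) -ge 0
            } | Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{ Key = $key; Value = $name; Command = $cmd; Folder = $hit }
            }
        }
    }
}

Get-SuspectAutorun | Format-List
```

A hit is not proof of infection, since legitimate software also autostarts from AppData; review each flagged command and the file it points to before deleting anything.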

Unlike some initial versions of the ransomware including Jigsaw .CryptWalker, Jigsaw .justice, and Jigsaw .black007, Jigsaw .tedcrypt doesn’t use an image of the killer from the popular movie “Saw” for its ransom note. Instead, the .tedcrypt crypto virus displays a teddy bear image on the screens of its victims.

In addition, at the final stage of the attack, a ransom message written in Turkish is shown. It reads something like the following:

Ancak Kaygilanmauin, Hala Dosyalarinizi Geri Alma Sansiniz Var
Lutfen Sifrelerin Cozulmesi Icin Asagiadaki Adimalari Gelir
UYARI: Yazilimi Silmek Dosyalarinizi Geri Alma Sansinizin Kalamamasi Anlamina Gelir
Bilgisayari Kapamak, Yeniden Baslatmak, Hard Diske Format Amak
Dosyalari Baska Bir Diske Tasimak veya Uzantisini Degistirmek Dosyalarinizi
Dosyalari Kurtarmak Icin Tek Cozum Odemedir ve Bize By Konuda Guvenebilirsiniz

Messages of this kind are used by hackers to blackmail victims into paying a predefined ransom in exchange for a decryption solution. Currently, the amount of the ransom demanded by the threat actors who stand behind .tedcrypt crypto virus infections is not known, but we have some good news for you. Security researchers successfully cracked the code of Jigsaw ransomware and released a free decryption tool for some of its variants. Eventually, they could update it and make it work for this .tedcrypt variant too. With its help, you may be able to restore your .tedcrypt files. You can find more information about the decrypter and a download link in the guide at the end.

.tedcrypt Files Virus – Encryption Process

The data encryption stage is the main one. For it, the .tedcrypt crypto virus uses a built-in cipher module which is set to transform parts of the original code of target files with the help of the AES algorithm. After these changes, access to the corrupted files remains blocked and all of them are marked with the distinctive .tedcrypt extension. Like previous iterations, this Jigsaw variant may be set to locate and encrypt all of the following types of files:

→.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as.txt, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxf.c, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip

This means that after an infection with .tedcrypt Jigsaw ransomware you may find all valuable files encrypted by the threat including:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

Remove .tedcrypt Files Virus and Restore Data

Below you can find how to remove the .tedcrypt files virus step by step. To remove the ransomware manually, you need a bit of technical experience and the ability to recognize traits of malware files. Beware that ransomware is a threat with highly complex code that plagues not only your files but your whole system. So, as recommended by security researchers, you need to use an advanced anti-malware tool for its complete removal. Such a tool will keep your system protected against devastating threats like the discussed ransomware and other kinds of malware that endanger your online security.

After you remove the ransomware make sure to check the “Restore Files” step listed in the guide below. But before you take any further actions, don’t forget to back up all encrypted files to an external drive in order to prevent their irreversible loss.
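
One way to carry out the backup step above, as an added PowerShell example that is not part of the original article. The function name Backup-EncryptedFiles, its parameters and the paths in the sample call are hypothetical.

```powershell
# Added example: copy every *.tedcrypt file to an external drive, keep the folder
# layout, and write a SHA-256 manifest so each copy can be verified later.
function Backup-EncryptedFiles {
    param(
        [Parameter(Mandatory)][string]$Source,       # folder tree to search
        [Parameter(Mandatory)][string]$Destination,  # folder on the external drive
        [string]$Extension = '.tedcrypt'
    )
    $root = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $dest = (Resolve-Path -LiteralPath $Destination).Path.TrimEnd('\')

    # Refuse a destination inside the source tree, or the copies would be re-scanned
    if (($dest + '\').StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
        throw "Destination must be outside $root"
    }

    $files = Get-ChildItem -LiteralPath $Source -Recurse -File -Force -Filter "*$Extension" -ErrorAction SilentlyContinue
    $manifest = @(foreach ($file in $files) {
        # -Filter can also match 8.3 short names, so confirm the real extension
        if ($file.Extension -ne $Extension) { continue }

        $relative = $file.FullName.Substring($root.Length + 1)
        $target   = Join-Path $dest $relative
        New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $file.FullName -Destination $target -Force

        # Hash source and copy so a bad copy is caught before any cleanup starts
        $srcHash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path = $relative; Bytes = $file.Length
            SHA256 = $srcHash; Verified = ($srcHash -eq $dstHash)
        }
    })
    $manifest | Export-Csv -LiteralPath (Join-Path $dest 'manifest.csv') -NoTypeInformation
    $manifest
}

# Sample call (placeholder paths; E: stands for the external drive):
# Backup-EncryptedFiles -Source $env:USERPROFILE -Destination 'E:\tedcrypt-backup'
```

Rows where Verified is False mark copies that differ from the source and should be copied again before any removal step is run.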

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.
