A new ransomware virus, apparently themed on the company Tesla or on Nikola Tesla himself, has appeared on deep web sites, according to Emsisoft researcher xXToffeeXx. The virus reportedly uses AES-256 to encrypt the files on the computers it infects and appends the .Tesla file extension to each encrypted file. It also changes the wallpaper to an image of Nikola Tesla and has several defensive features. If you have become a victim of this ransomware, do not pay; read this article instead.
| Field | Details |
|---|---|
| Short Description | Encrypts the files on the computers it infects and then demands a ransom payment in BTC (Bitcoin). |
| Symptoms | The .Tesla file extension is added to the encrypted files. The virus changes the wallpaper and displays a lockscreen. |
| Distribution Method | Spam e-mails, e-mail attachments, executable files |
TeslaWare – Distribution Methods
The ransomware may be spread in several ways, the primary one being the same as for 80% of ransomware viruses: spam e-mails. The spam messages that carry the TeslaWare infection vector may deliver it as a malicious e-mail attachment or as a web link. These are usually accompanied by a convincing pretext, like the following example shows:
Besides this method, you can also become infected with TeslaWare if your computer already has other malware installed on it. Other infection vectors include fake setup programs, key generators, license activators and other software that many internet users try to download for free from third-party download sites.
More On TeslaWare Ransomware
Malware researchers have found TeslaWare being advertised on the deep web. The virus appears to be well designed and full of features. Or so it seems: security experts have confirmed that the virus contains numerous implementation flaws which could allow it to be cracked, making the files decryptable.
After infection, TeslaWare connects to several third-party hosts, which malware researchers report to be on .net, .io and .es domains. From there the virus most likely downloads the malicious file Windows Drivers.exe, which may be located in the %AppData% folder. It also creates a registry entry in the Run sub-key of the current user's registry hive:
The registry entry allows WindowsDrivers.exe to run automatically at startup and begin encrypting files with AES-256.
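The persistence pattern described above (a dropper under %AppData% registered in the per-user Run key) is something a defender can check for directly. The following script is an added example and is not code from the article or from the ransomware's authors: it reads the live HKCU Run key on Windows (falling back to a constructed sample set elsewhere) and flags values that launch from %AppData% or match the reported dropper name. The sample entries, the regular expressions and the choice of the standard `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` path are assumptions made for the example; the article does not give the exact key path or the file name consistently ("Windows Drivers.exe" vs. "WindowsDrivers.exe"), so both spellings are matched.

```python
"""Triage per-user Run entries for the TeslaWare-style persistence pattern."""
import re
import sys

# Standard per-user autorun key (assumed; the article only says "Run sub-key in the user key").
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the article. The dropper name is reported with and
# without a space, so the pattern allows an optional whitespace character.
NAME_PATTERN = re.compile(r"windows\s?drivers\.exe", re.IGNORECASE)
# %AppData% expands to ...\AppData\Roaming, so accept either the variable or the expanded form.
APPDATA_PATTERN = re.compile(r"(%appdata%|\\appdata\\roaming\\)", re.IGNORECASE)


def read_run_entries():
    """Read the live HKCU Run key on Windows; on other platforms return an empty dict."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when there are no more values
                break
            entries[name] = str(value)
            index += 1
    return entries


def triage(entries):
    """Return a list of (value_name, command, reasons) for entries worth a closer look."""
    findings = []
    for name, command in entries.items():
        reasons = []
        if NAME_PATTERN.search(command):
            reasons.append("matches reported dropper name")
        if APPDATA_PATTERN.search(command):
            reasons.append("launches from %AppData%")
        if reasons:
            findings.append((name, command, reasons))
    return findings


# Constructed sample entries (not taken from a real machine) so the script runs offline.
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Windows Drivers": r'"C:\Users\alice\AppData\Roaming\Windows Drivers.exe"',
    "Sound": r'"C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s',
}

if __name__ == "__main__":
    live = read_run_entries()
    for name, command, reasons in triage(live or SAMPLE_ENTRIES):
        print(f"[!] {name}: {command}  ({'; '.join(reasons)})")
```

The OneDrive entry is included deliberately: it lives under AppData\Local, not Roaming, so it is not flagged, which shows that the check is narrower than "anything under AppData". A hit here is a lead for investigation, not proof of infection; confirm by inspecting the file itself.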
The ransomware also displays a lockscreen with the following ransom note:
All of your important files have been encrypted.
To decrypt them you need to obtain the private key from us.
We are the only who can provide you the key,so don’t try to recover the files by yourself,it will only make the situation worse for you.
To get this key you have to send 100$ worth of bitcoins to the address that you can see in the left.For more info please check the links
After payment,please paste the TX ID and press “Check”.If our system detected the payment as succesfull,your files will be decrypted and you will use your pc as nothing happened.
It also features something that is not new for ransomware and has been used before as an intimidation tool to pressure victims into paying: Russian roulette. This feature deletes a random file from your computer at varying intervals.
But the threat does not end there: TeslaWare also warns that it may delete all the important files it has encrypted on your system drive after 72 hours.
TeslaWare – Encryption Process
The encryption process of TeslaWare is fairly standard AES-256. AES-256 is a well-established cipher, and files encrypted with it cannot be recovered by attacking the cipher itself. However, malware researchers are confident that they may be able to decrypt the files encoded by this virus in time, because they have located numerous flaws in its code that may be exploited to recover the keys.
Regarding which files TeslaWare encrypts, the virus targets primarily important documents, audio files, videos, files related to commonly used software, archives and others. After encryption, the files cannot be opened and they receive the .Tesla file extension, making them appear like the image below:
Security experts have reported that the virus contains code to spread to other computers in the same way as the WannaCry worm, but these malicious functions have not been activated in its code.
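Because the article says the virus appends .Tesla to each encrypted file, a victim can take a read-only inventory of what was hit before any cleanup, which is useful both for scoping the damage and for having a ready list if a decryptor is released. The script below is an added example, not code from the article or from any vendor it mentions. It assumes the extension is appended after the original name (so `budget.xlsx` becomes `budget.xlsx.Tesla`); the directory layout it builds is constructed sample data, not real victim files.

```python
"""Read-only inventory of .Tesla files, with a histogram of the original extensions."""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".Tesla"  # extension the article says the virus appends


def strip_suffix(name):
    """Return the original file name if '.Tesla' was appended, else None (assumed format)."""
    if name.lower().endswith(ENCRYPTED_SUFFIX.lower()):
        return name[:-len(ENCRYPTED_SUFFIX)]
    return None


def inventory(root):
    """Walk root and collect encrypted file paths plus a Counter of original extensions.

    Files are neither opened nor modified, so evidence is left intact for later
    analysis or for a decryptor.
    """
    hits = []
    originals = Counter()
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            original = strip_suffix(filename)
            if original is None:
                continue
            hits.append(os.path.join(dirpath, filename))
            originals[Path(original).suffix.lower() or "(no extension)"] += 1
    return sorted(hits), originals


def write_manifest(root, manifest_path):
    """Save the list of encrypted paths so it is ready if a decryptor becomes available."""
    hits, originals = inventory(root)
    with open(manifest_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(hits) + "\n")
    return len(hits), originals


def build_sample_tree():
    """Create a constructed directory layout (not real victim data) for a dry run."""
    root = tempfile.mkdtemp(prefix="teslaware_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    for name in ("budget.xlsx.Tesla", "thesis.docx.Tesla", "notes.txt",
                 "holiday.mp4.Tesla", "README.Tesla"):
        (docs / name).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    count, originals = write_manifest(root, os.path.join(root, "tesla_manifest.txt"))
    print(f"{count} encrypted files under {root}")
    for ext, n in originals.most_common():
        print(f"  {ext}: {n}")
```

Run it against a real drive by replacing `build_sample_tree()` with the root you want to scan; write the manifest to a different volume (removable media, for instance) so the scan itself does not touch the affected drive more than necessary.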
Remove TeslaWare Virus and Restore .Tesla Encrypted Files
If you want to remove TeslaWare, we recommend that you follow the removal instructions below. They are designed to help you isolate the virus in Safe Mode and then remove it manually. However, since TeslaWare has multiple malicious functions, experts would argue that the safest method is an advanced ransomware-specific removal tool, which scans automatically for all files related to TeslaWare, removes them permanently and restores the system settings to normal.
Removing the ransomware deals with one problem, but your files remain encrypted. If your computer has been attacked by this virus, do not pay; malware researchers will soon come up with a decryptor. We will post an update when such software is released, so we advise you to check this blog post regularly. In the meantime, we recommend that you back up your encrypted files and try to restore them using alternative tools like the ones suggested below in step "2. Restore files encrypted by TeslaWare".