Threat Descriptons



Category :


Type :


Aliases :

Trojan-downloader:JS/teslacrypt.[variant] , Trojan.TeslaCrypt.[variant], TeslaCrypt.[variant], Js.teslacrypt.gen.[variant]


Trojan.TeslaCrypt is ransomware that encrypts files saved on the machine and demands payment of a ransom in order to obtain the decryption key needed to restore normal access to the affected files.


F-Secure detects ransomware using a variety of signature and generic detections. Once detected, the F-Secure security product will automatically remove the file.

Further action

If the ransomware uses encryption to take files or an entire system hostage, the encryption may be sufficient to make it very difficult to decrypt the files without the necessary decryption key.

In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a recent clean backup.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Users typically encounter TeslaCrypt ransomware by being exposed to an exploit kit (usually by visiting a compromised website, or by being redirected to a malicious one). If the kit successfully exploits the user's machine, it will download the ransomware.


Once it is run, the TeslaCrypt ransomware will search for and encrypt files saved on any accessible drives on the user's machine. The type of files targeted will depend on the specific malware variant.

Older TeslaCrypt variants search for and encrypt data files related to popular computer games. Newer variants are less restricted and will encrypt documents, images and many other file types.

Older TeslaCrypt variants encrypted the targeted files using a weaker encryption algorithm that can be broken; multiple parties have created decryption tools to do so (for more information, see ZDNet: TeslaCrypt flaw opens the door to free file decryption) .

Newer variants no longer have the flaw that allows the decryption tools to work, making it almost impossible to recover the affected files without the decryption key.

Once the files are encrypted, a text file containing the ransom demand is saved on the system. In some variants, the desktop background is also changed to display the demand. The file will provide instructions on how to pay the ransom demanded.

More Support


Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.