Category: Malware

Type: Trojan

Aliases: Trojan-downloader:JS/teslacrypt.[variant], Trojan.TeslaCrypt.[variant], TeslaCrypt.[variant], Js.teslacrypt.gen.[variant]


Trojan.TeslaCrypt is ransomware that encrypts files saved on the machine and demands payment of a ransom in exchange for the decryption key needed to restore normal access to the affected files.


Automatic action

F-Secure detects ransomware using a variety of signature and generic detections. Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting or renaming it.

Further action

If the ransomware uses encryption to take files or an entire system hostage, the encryption may be sufficient to make it very difficult to decrypt the files without the necessary decryption key.

In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a recent clean backup.


Technical Details

Users typically encounter TeslaCrypt ransomware by being exposed to an exploit kit (usually by visiting a compromised website, or by being redirected to a malicious one). If the kit successfully exploits the user's machine, it will download the ransomware.


Once it is run, the TeslaCrypt ransomware will search for and encrypt files saved on any accessible drives on the user's machine. The type of files targeted will depend on the specific malware variant.

Older TeslaCrypt variants search for and encrypt data files related to popular computer games. Newer variants are less restricted and will encrypt documents, images and many other file types.

Older TeslaCrypt variants encrypted the targeted files using a weaker encryption algorithm that can be broken; multiple parties have created decryption tools to do so (for more information, see ZDNet: TeslaCrypt flaw opens the door to free file decryption).

Newer variants no longer have the flaw that allows the decryption tools to work, making it almost impossible to recover the affected files without the decryption key.

Once the files are encrypted, a text file containing the ransom demand is saved on the system. In some variants, the desktop background is also changed to display the demand. The file will provide instructions on how to pay the ransom demanded.