Trojan.TeslaCrypt

Threat description

Details

CATEGORY: Malware
TYPE: Trojan

Summary

Trojan.TeslaCrypt is ransomware that encrypts files saved on the machine and demands payment of a ransom in order to obtain the decryption key needed to restore normal access to the affected files.

Removal

Automatic action

F-Secure detects ransomware using a variety of signature and generic detections. Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

Further action

If the ransomware uses encryption to take files or an entire system hostage, the encryption may be strong enough that decrypting the files without the necessary decryption key is very difficult.

In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a recent clean backup.

Technical Details

Users typically encounter TeslaCrypt ransomware by being exposed to an exploit kit (usually by visiting a compromised website, or by being redirected to a malicious one). If the kit successfully exploits the user's machine, it will download the ransomware.

Encryption

Once it is run, the TeslaCrypt ransomware will search for and encrypt files saved on any accessible drives on the user's machine. The type of files targeted will depend on the specific malware variant.

Older TeslaCrypt variants search for and encrypt data files related to popular computer games. Newer variants are less restricted and will encrypt documents, images and many other file types.

Older TeslaCrypt variants encrypted the targeted files using a weaker encryption scheme that can be broken; multiple parties have created decryption tools to do so (for more information, see ZDNet: TeslaCrypt flaw opens the door to free file decryption).

Newer variants no longer have the flaw that allows the decryption tools to work, making it almost impossible to recover the affected files without the decryption key.

Once the files are encrypted, a text file containing the ransom demand is saved on the system. In some variants, the desktop background is also changed to display the demand. The file will provide instructions on how to pay the ransom demanded.
