
TeslaCrypt Ransomware

Posted: February 27, 2015

Threat Metric

Ranking: 10,086
Threat Level: 10/10
Infected PCs: 2,150
First Seen: February 27, 2015
Last Seen: October 2, 2021
OS(es) Affected: Windows

TeslaCrypt is a file-encrypting Trojan that targets data related to video gaming applications and makes the files unusable. After its attack, TeslaCrypt generates multiple sets of decryption instructions, which it uses to pressure its victims into paying a fee for the restoration of all affected data. In spite of the unusual choice of targets, TeslaCrypt can be hindered by the usual security procedures malware experts recommend against all file encryptors. Removing TeslaCrypt infections from any PC can (and should) use industry-standard anti-malware solutions.

When a Trojan Shoves Your Gaming Life into a Crypt

TeslaCrypt, a suspected upgrade or spinoff of the CryptoWall Ransomware, is a Trojan that generates profit from modifying prominent types of files with an AES encryption function. This feature prevents them from being opened until the process can be reversed (or 'decrypted'). Although this attack is a standard Trojan payload, TeslaCrypt has quickly gained some minor notoriety from specializing in files related to various gaming programs. Games targeted by TeslaCrypt may include ones as massive as World of Warcraft or Call of Duty, down to relatively niche titles, such as RPG Maker or DayZ.

Malware experts also see potential in TeslaCrypt for encrypting files unrelated to games, such as JPG images or Notepad TXT files. However, specialized formats specific to gaming programs, such as DayZ's profiles, also may be included. Unusually, many of the games in TeslaCrypt's list are non-local in terms of data storage, meaning that there is no permanent harm to your game account. However, TeslaCrypt also implements a simple form of Windows lockdown during its encryption and corresponding ransom attempt.

TeslaCrypt deletes Shadow Volume Copies and other data used to revert the state of your PC through a System Restore Point. TeslaCrypt also generates a pop-up window, a desktop wallpaper and an additional, redundant text file, all of which contain instructions on how to recover your encrypted files.

TeslaCrypt's instructions request a surprisingly large fee (five hundred or one thousand USD, depending on whether the victim uses BitCoin or PayPal) in return for decrypting your data. TeslaCrypt also provides a well-supported interface for instant messaging its creators and, like some versions of CryptoWall, a 'sample' decryption service that works for a single file.

Breathing TeslaCrypt's Files Back to Life

TeslaCrypt may make the unusual concession of proving that it can decrypt the above files, but malware researchers would advise you to take advantage of cheaper methods of restoring your files than paying the people behind TeslaCrypt. Remote backups can store your information out of reach of any file-encrypting attacks TeslaCrypt is capable of implementing, and you can reinstall non-local games (such as MMORPGs) once you've uninstalled TeslaCrypt. Deleting TeslaCrypt should be straightforward with standard anti-malware tools, although you should expect to have to restart your PC with additional security steps to disable TeslaCrypt first.

Gaming assaults aside, TeslaCrypt also marks the advent of PayPal-related support for the file encryption 'marketplace.' As one of the few Trojans to support PayPal 'My Cash' cards, TeslaCrypt may mark the onset of future ransomware encroachment into regions less likely to support Ukash and other, previously favored transaction methods.


Technical Details

File System Modifications


The following files were created in the system:



%AppData%\key.dat (File type: Data file; Mime Type: unknown/dat; Group: Malware file)
%AppData%\log.html (Mime Type: unknown/html; Group: Malware file)
%Desktop%\CryptoLocker.lnk (File type: Shortcut; Mime Type: unknown/lnk; Group: Malware file)
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.bmp (Mime Type: unknown/bmp; Group: Malware file)
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.txt (Mime Type: unknown/txt; Group: Malware file)

Registry Modifications

The following file masks and Registry values were newly created:

Regexp file mask
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+[RANDOM CHARACTERS].html
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+[RANDOM CHARACTERS].txt
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+[RANDOM CHARACTERS].html
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+[RANDOM CHARACTERS].txt
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\payload[RANDOM CHARACTERS].exe
%APPDATA%\payload[RANDOM CHARACTERS].exe
%USERPROFILE%\DESKTOP\CryptoLocker.lnk
%USERPROFILE%\DESKTOP\HELP_TO_DECRYPT_YOUR_FILES.bmp
%USERPROFILE%\DESKTOP\HELP_TO_DECRYPT_YOUR_FILES.txt

HKEY..\..\..\..{Subkeys}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\crypto13
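The file masks and the Run value listed above can be turned into a quick triage check over a file inventory and a list of HKCU Run value names. This is an added example, not part of the original entry or of any vendor tool; the environment-variable expansions, the function names and the sample inventory are assumptions constructed for illustration.

```python
import re

# File masks and Run value as listed on the page; "[RANDOM CHARACTERS]" is the page's placeholder.
FILE_MASKS = [
    r"%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+[RANDOM CHARACTERS].html",
    r"%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+[RANDOM CHARACTERS].txt",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+[RANDOM CHARACTERS].html",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+[RANDOM CHARACTERS].txt",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\payload[RANDOM CHARACTERS].exe",
    r"%APPDATA%\payload[RANDOM CHARACTERS].exe",
    r"%USERPROFILE%\DESKTOP\CryptoLocker.lnk",
    r"%USERPROFILE%\DESKTOP\HELP_TO_DECRYPT_YOUR_FILES.bmp",
    r"%USERPROFILE%\DESKTOP\HELP_TO_DECRYPT_YOUR_FILES.txt",
]
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "crypto13"

# Assumption: default Windows Vista+ profile layout, any drive letter, any user name.
ENV_PATTERNS = {
    "%ALLUSERSPROFILE%": r"[A-Za-z]:\\ProgramData",
    "%APPDATA%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming",
    "%USERPROFILE%": r"[A-Za-z]:\\Users\\[^\\]+",
}

def mask_to_regex(mask):
    """Turn one of the page's masks into a case-insensitive regex for absolute paths."""
    var, rest = re.match(r"(%[A-Z]+%)(.*)", mask).groups()
    # Assumption: the random part may be empty and never crosses a directory separator.
    body = r"[^\\]*".join(re.escape(p) for p in rest.split("[RANDOM CHARACTERS]"))
    return re.compile(ENV_PATTERNS[var] + body, re.IGNORECASE)

def scan(paths, run_values):
    """Return (item, matched indicator) pairs for a file inventory and HKCU Run value names."""
    rules = [(m, mask_to_regex(m)) for m in FILE_MASKS]
    hits = [(p, m) for p in paths for m, rx in rules if rx.fullmatch(p)]
    hits += [(RUN_KEY + "\\" + v, RUN_VALUE) for v in run_values if v.lower() == RUN_VALUE]
    return hits

# Constructed sample inventory (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\HELP_TO_DECRYPT_YOUR_FILES.txt",
    r"C:\Users\alice\AppData\Roaming\payload7f3.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+abc.html",
    r"C:\Users\alice\Documents\how_recover.txt",  # benign: other folder, no '+'
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\backup.exe",  # benign
]
SAMPLE_RUN_VALUES = ["OneDrive", "crypto13"]

if __name__ == "__main__":
    for item, indicator in scan(SAMPLE_PATHS, SAMPLE_RUN_VALUES):
        print(f"{item}  <-  {indicator}")
```

A match on these names is a triage lead only: file names and Run value names are easy to change between variants, so a clean result does not rule out infection.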
