Microsoft Tackles TeslaCrypt Ransomware

Ransomware is a new threat that is proving an effective attack vector for malware. Microsoft has released a rescue tool for thousands of Windows machines that were infected starting in August by file-encrypting ransomware TeslaCrypt. Along with October’s updates, Microsoft upgraded its malicious software removal tool to tackle TeslaCrypt. Microsoft refers to the treat as Tescrypt, but their telemetry data picked up a large spike in detections for TeslaCrypt in late August, jumping from below 1,000 detections per day to over 3,500 detections on August 24.

The malware is typically delivered in the payload of several exploit kits, including Angler. Exploit kits are part of the estimated $60m per year automated hacking market, which companies like Cisco have tried to disrupt several times. You can download the Microsoft rescue tool here.

You can read more about what Microsoft is able to detect, and their efforts to protect Windows users, here.

Tescrypt started showing up early in 2015 and, like most of its file-encrypting predecessors, it does what most typical ransomware does:

  1. Searches for specific file types on the infected machine (see our encyclopedia description for a list of known file extensions it targets)
  2. Encrypts the files with AES 256 hash encryption
  3. Demands payment from the PC’s user in exchange for a key or code that will decrypt the files

It uses the same encryption method to communicate with its command and control server to generate a personalized TOR payment webpage for the infected machine. Earlier variants stored the private key as a file on the machine itself – Cisco/Talos created the Talos TeslaCrypt Decryption Tool tool that enables affected users to decrypt their files with the locally stored private key.

Recent variants, however, store the key in the registry as binary data.

The main callout that separates this from other ransomware threats is in the types or context of the files it targets for encryption: files related to PC games and financial or tax software in additional to other files more commonly encrypted by ransomware. The following is a list of extensions we’ve seen this threat use in relation to specific programs:

  • .arch00 
  • .d3dbsp 
  • .dayzprofile
  • .ibank 
  • .mcgame​
  • .qdf –
  • .rofl 
  • .sav
  • .t12/ .t13
  • .tax 
  • .vfs0 
  • .vpp_pc 
  • .w3x


We saw a large spike in the number of detections for Tescrypt in late August 2015 (see Figure 1). Prior to August, infections were steady but low; after the spike, detections spiked and fell but overall have remained higher than before that first peak in late August.

Graph showing number of Tescrypt infections during August and September 2015 

Figure 1: Tescrypt encounters since August 2015

Globally, the United States remains the most infected, taking over a full third of the distribution. The chart in Figure 2 shows the distribution share of Tescrypt in September 2015; countries with less than a 1.0% share are grouped together.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.