October’s Microsoft Malicious Software Removal Tool (MSRT) includes detection and remediation for the following families:
This blog focuses on the ransomware family Tescrypt.
Tescrypt started showing up early in 2015 and, like most of its file-encrypting predecessors, it does what most typical ransomware does:
- Searches for specific file types on the infected machine (see our encyclopedia description for a list of known file extensions it targets)
- Encrypts the files with AES 256 hash encryption
- Demands payment from the PC’s user in exchange for a key or code that will decrypt the files
It uses the same encryption method to communicate with its command and control server to generate a personalized TOR payment webpage for the infected machine. Earlier variants stored the private key as a file on the machine itself – Cisco/Talos created the Talos TeslaCrypt Decryption Tool tool that enables affected users to decrypt their files with the locally stored private key.
Recent variants, however, store the key in the registry as binary data.
The main callout that separates this from other ransomware threats is in the types or context of the files it targets for encryption: files related to PC games and financial or tax software in additional to other files more commonly encrypted by ransomware. The following is a list of extensions we’ve seen this threat use in relation to specific programs:
- .qdf –
- .t12/ .t13
We saw a large spike in the number of detections for Tescrypt in late August 2015 (see Figure 1). Prior to August, infections were steady but low; after the spike, detections spiked and fell but overall have remained higher than before that first peak in late August.
Figure 1: Tescrypt encounters since August 2015
Globally, the United States remains the most infected, taking over a full third of the distribution. The chart in Figure 2 shows the distribution share of Tescrypt in September 2015; countries with less than a 1.0% share are grouped together.
Figure 2: Countries most affected by Tescrypt infections
This malware usually arrives as a payload of exploit kits. It can also be downloaded by other malware. The exploit kits we’ve seen distributing Tescrypt include:
Tescrypt has used the alias “Tesla Crypt” (and “Alpha Crypt” in earlier variants, see Figure 3), and in some cases mimics other ransomware families such as Crilock and Crowti by displaying similar screen prompts (see Figures 4 and 5).
Figure 3: Alpha Crypt
Figure 4: Example of Tescrypt that mimics Crilock
Figure 5: Example of Tescrypt that mimics Crowti
Prevention and remediation
Our general ransomware recommendations apply for Tescrypt.
The best defense against ransomware is pre-defense: make sure you have important documents, files, and databases securely backed up in disconnected or remote storage. This can be as simple as a flash drive or a removable hard disk that you save files to once a week and then disconnect from your PC.
If you are infected, Microsoft recommends you don’t pay the fine. There is no guarantee that paying the ransom will give you access to your files. Paying extortion money such as a ransom might only encourage cybercrime to be financially successful.
However, if you’ve already paid, see our ransomware page for help on what to do now.
You might be able to use the Talos TeslaCrypt Decryption Tool to recover your encrypted files. However, Microsoft makes no representations or warranties that the tool will recover your files.
Microsoft’s general antimalware remediation instructions also apply.
Run antivirus or antimalware software
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
Get more help
If you’re using Windows XP, see our Windows XP end of support page.
Adding a prevalent ransomware like Tescrypt, along with adding other malware, helps widen our coverage in protecting and remediating PCs that regularly run and apply the monthly MSRT update.
The MSRT update is delivered automatically by default to PCs running Windows Vista and later. You can also manually download and run the tool at any time by visiting the Malicious Software Removal Tool page at the Microsoft Safety & Security Center.