What is TeslaCrypt?

TeslaCrypt is a virus that belongs to the ransomware category of crypto-viruses. TeslaCrypt encrypts important documents, images and presentations using AES encryption. Then it demands a payment (ransom) for the decryption key that will allow the user to restore the files. One of the “features” of TeslaCrypt is that it also encrypts game files of 40+ popular games like Dota, Minecraft, World of Warcraft etc. TeslaCrypt modifies affected files by adding the extension .ecc (or .VVV, .ZZZ, .TTT, .MICRO, .XXX). After this it demands a ransom in bitcoins (1 – 2 BTC or approximately $400 – $800). There are several known ways to return your files, but there is no guaranteed way, as hackers modify TeslaCrypt to make it unbreakable. Use the instructions below to remove the TeslaCrypt virus and decrypt .ecc or .xxx files.

How does TeslaCrypt get on your PC?

Viruses of this kind are usually distributed with spam e-mails, but you can also get infected by running files downloaded from torrents or by following links in Skype-bot spam. While encrypting your files, TeslaCrypt also creates a text file in every folder of your computer where it encrypted files. The file is named “HELP_TO_DECRYPT_YOUR_FILES.txt” and contains instructions to pay the ransom and decrypt your files. Use crypto-protection software to protect against file encryption.

How to remove TeslaCrypt from your computer?

To remove TeslaCrypt, delete all of its files and registry keys.

In our view, there are 3 products that potentially have TeslaCrypt in their database. You can try to use them for removing TeslaCrypt.

Recommended Solution:

Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to TeslaCrypt – files, folders, registry keys.

 

* The trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.

Alternative Solution:

Norton Antivirus – detects files, registry values and folders of viruses that show the same behavior as TeslaCrypt.

 


You can try both of these products to remove TeslaCrypt.

Step 2: Remove the following files and folders of TeslaCrypt:

Remove the following registry entries:

no information

Remove the following files:

%AppData%\.exe
%AppData%\key.dat
%AppData%\log.html
%LocalAppData%\(random).exe
%LocalAppData%\storage.bin
%LocalAppData%\log.html
%Desktop%\Save_Files.lnk
%Desktop%\CryptoLocker.lnk
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.bmp
%Desktop%\HELP_TO_DECRYPT_YOUR_FILES.txt
%Desktop%\HELP_TO_SAVE_FILES.txt
%Desktop%\HELP_TO_SAVE_FILES.bmp
%Documents%\RECOVERY_FILE.TXT
%Desktop%\HELP_RESTORE_FILES.bmp
%Desktop%\HELP_RESTORE_FILES.txt
HELP_RESTORE_FILES_.txt
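
To see which folders were hit before cleaning up or restoring, the extensions and ransom-note names listed on this page can be searched for across a drive. The script below is an added example, not part of the original article or of any tool it mentions; matching note names by prefix and the sample file names are assumptions, and the sample tree is constructed.

```python
import os
import tempfile
from collections import Counter

# Extensions and ransom-note name stems taken from this page.
ENCRYPTED_EXTS = {".ecc", ".vvv", ".zzz", ".ttt", ".micro", ".xxx"}
NOTE_STEMS = ("HELP_TO_DECRYPT_YOUR_FILES", "HELP_TO_SAVE_FILES",
              "HELP_RESTORE_FILES", "RECOVERY_FILE")
NOTE_EXTS = {".txt", ".bmp"}


def classify(filename):
    """Return 'note', 'encrypted' or None for a single file name."""
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    # Assumption: a note name may carry a suffix, so match on the prefix.
    if ext in NOTE_EXTS and stem.upper().startswith(NOTE_STEMS):
        return "note"
    if ext in ENCRYPTED_EXTS:
        return "encrypted"
    return None


def scan(root):
    """Walk root; return {folder: Counter} for folders with hits only."""
    report = {}
    for folder, _dirs, files in os.walk(root, onerror=lambda e: None):
        counts = Counter(k for k in map(classify, files) if k)
        if counts:
            report[os.path.relpath(folder, root)] = counts
    return report


def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the naming."""
    layout = {
        "Documents": ["report.docx.ecc", "budget.xlsx.ecc", "RECOVERY_FILE.TXT"],
        "Desktop": ["HELP_RESTORE_FILES_abcde.txt", "photo.jpg.micro"],
        "Clean": ["notes.txt", "HELP.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, c in sorted(scan(tmp).items()):
            print(f"{folder}: {c['encrypted']} encrypted, {c['note']} note(s)")
```

Point scan() at a real folder or drive root instead of the sample tree; the script only reads file names and changes nothing. Extensions such as .xxx can also belong to unrelated files, so treat a folder with encrypted-looking files but no ransom note as a lead to check by hand.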

How to decrypt files infected by TeslaCrypt (.ecc files)?

Use automated decryption tools

Tool 1: There is an open source command line utility for decrypting files encrypted by TeslaCrypt ransomware, called Talos TeslaCrypt Decryption Tool. It is the most effective tool available today for .ecc files decryption. Download it from this page:

Download TeslaCrypt Decryption Tool

Tool 2: There is a decryption tool for older versions of TeslaCrypt called TeslaDecoder. You can use it to decrypt your files for free. Download it here:

Download TeslaDecoder

There is currently no automated decryption tool for TeslaCrypt v.4 files, but that doesn’t mean that you need to pay the ransom. We track the topic and will add any new decryption tool to this part of the article as it becomes available. For now you can try manual methods to restore and decrypt .ecc, .ttt, .xxx, .micro files.

Decrypt .ecc files manually

Restore the system using System Restore

Although the latest versions of TeslaCrypt remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.

  1. Initiate the search for ‘system restore’
  2. Click on the result
  3. Choose the date before the infection appearance
  4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged (in our case – encrypted by TeslaCrypt). This feature is available in Windows 7 and later versions.


  1. Right-click the file and choose Properties
  2. Open the Previous Version tab
  3. Select the latest version and click Copy
  4. Click Restore

Restore .ecc files using shadow copies

  1. Download and run Shadow Explorer.
  2. Select the drive and folder where your files are located and the date that you want to restore them from.
  3. Right-click on the folder you want to restore and select Export.
  4. Once the scanning process is done, click Recover to restore your files.

Protect your computer from ransomware

Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use a different approach to protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as a famous cloud-based anti-malware scanner. Check out the ultimate active protection software from SurfRight.

Download HitmanPro.Alert with CryptoGuard

Information provided by: Alexey Abalmasov
