TeslaCrypt virus. How to remove? (Uninstall guide)

Removal guide by Gabriel E. Hall | Type: Ransomware

The evolution of TeslaCrypt ransomware

TeslaCrypt virus is one of the most notorious and dangerous crypto-ransomware infections. It first came to light in late February 2015 and has since evolved into an extensive extortion business. Its growth can be traced through its follow-up versions: TeslaCrypt 2.0, TeslaCrypt 3.0, TeslaCrypt 4.0 and TeslaCrypt 4.1b. These regular updates show that the ransomware constantly shifted its shape and form. Earlier variants appended file extensions such as .vvv, .ccc, .xxx, .micro and .ttt to encrypted files, while the most recent versions apply no extension at all. The developers also switched between ransom notes; experts count several, including howto_recover_file.txt, HELP_RESTORE.HTML and RECOVER[5 random symbols].html. The criminals also experimented with the data encryption itself, not limiting themselves to the typical AES and RSA algorithms but also employing less usual schemes such as ECDH to render victims’ data unreadable. Despite all the work put into building this threat, its developers eventually gave up and released the master key, which allowed ransomware victims to remove TeslaCrypt from their computers and recover encrypted files for free.


Similarly to its predecessors CryptoWall, CryptoLocker, SimpleLocker and Threat Finder, TeslaCrypt arrives on the system with the help of spam. Once it drops its files onto the target computer, it searches it for valuable data such as specific file types, business documents, videos, pictures and similar content. Beware that the TeslaCrypt virus can also try to encrypt your games and their files: it is known to have affected PC users playing World of Tanks, World of Warcraft, StarCraft, MineCraft, Dragon Age, RPG Maker, and Steam titles. To lock victims out of their data, this ransomware uses a strong algorithm known as AES encryption[1]. As a result, the extensions of affected files are changed to .vvv, .ccc and similar.


You know that you are infected with TeslaCrypt ransomware when you find a file called howto_recover_file.txt on your computer’s desktop. After opening it, you should see a warning message like this:

Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click “Show encrypted files” Button to view a complete list of encrypted files, and you can personally verify this.
Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.
The only copy of the private key, which allows you to decrypt your files, is located on a secret server in the Internet; the server will eliminate the key after a time period specified in this window.
Once this has been done, nobody will ever be able to restore files…

At the time of research, the TeslaCrypt virus distribution method was unknown; however, following successful infiltration, the malware scans all drives and encrypts certain file types using AES encryption. Encrypted files have the .ecc extension appended to the filename.

As you can see, this notification claims that the user has to pay a fine of $500 or even $1000[2] in exchange for the decryption key needed to unlock the affected data. The payment is to be sent via PayPal My Cash cards using the TOR browser. That is how the developers of the TeslaCrypt virus, who remain unknown to the authorities, try to hide. Victims can pay the ransom in Bitcoin or via PayPal; however, for those who use the latter payment system, the ransom is doubled.

Looking at TeslaCrypt in retrospect, we can say that it was primarily aimed at small businesses and online companies; however, home computer users had to deal with this malware as well. As already mentioned, the ransomware was updated several times, and its distribution[3] strategies were improved along with it. As a result, TeslaCrypt managed to raise its infection rate from 200 to almost 2000 PC systems per day. Unsurprisingly, security experts labeled it the most dangerous virus of 2016, even though the hackers ended the project in May 2016[4]. The IT security company ESET immediately created a TeslaCrypt decryption tool and started helping victims of the ransomware rescue their files.

Ransomware uses spam to infiltrate computers

According to the latest reports, you can get infected with the TeslaCrypt virus through misleading email messages[5] carrying an attachment called invoice_2h04qd.js. Such emails claim that you were approved for special prices, just as you requested, and the subject line reads ‘Required your attention’. Please do NOT open such a message and do NOT download the attachment to your computer. No matter how tempting it looks, its only purpose is to infect your computer with TeslaCrypt. Of course, there is no guarantee that you won’t run into other campaigns used to distribute this ransomware. That is why you should always check the sender and, if you do not know it well, remove the email message from your inbox.

The list of TeslaCrypt versions:

TeslaCrypt 2.0 is a dangerous ransomware-type application capable of encrypting files on the infected PC system. It does that with the help of an ECDH scheme that derives a different master key for each infected computer. The extensions of files encrypted by TeslaCrypt 2.0 are changed to .VVV. The text of its warning message is the same as the one used by the CryptoWall virus, so it claims that the victim has to pay 500 USD or euros to decrypt the encrypted files. Unfortunately, there is no guarantee that paying will get your files back. It is wiser to remove TeslaCrypt 2.0 and restore the affected files from backup copies.

  • .vvv File Extension virus. After infecting the system and encrypting useful files, it changes their extensions to .vvv and drops a HOW_RECOVER.HTML, HELP_RESTORE.HTML, HOW_RECOVER.TXT or HELP_RESTORE.TXT document on the desktop. According to it, the victim has to pay the ransom to regain the ability to use his or her files. Please do NOT pay it, because you can lose your money.

The initial and the second version of TeslaCrypt use the same key both to encrypt and to decrypt the files, and after the encryption process these variants leave specific traces on the system that can help the user find the decryption key. Exploiting this flaw in the program code, security experts have already created TeslaCrypt and TeslaCrypt 2.0 decryption tools that can help you decrypt your files.

TeslaCrypt 3.0 has this flaw patched: after the virus encrypts the files, it deletes the decryption key from the computer. As a result, it becomes much harder to recover the lost data. The third edition of TeslaCrypt demands more than 400 USD in exchange for a decryption key.

  • .ccc File Extension virus is also known as a seriously dangerous application that seeks to prevent its victim from opening his or her files. It does that by encrypting them with an advanced encryption technology. As a result, the extensions of important files are turned into .ccc. If you cannot open your files and you see such extensions, there is a high probability that you are infected with the .ccc File Extension ransomware. In this case, you should remove the infected files of the .ccc File Extension virus to prevent further loss of your files.
  • .xxx File Extension virus – this version of TeslaCrypt 3 also makes the victim’s files inaccessible and appends the .xxx extension to the filenames of the affected records. If you see that this extension has been added to your files, it is a sign that you cannot access them anymore. The price of a .xxx File Extension virus decryption tool is around 400 dollars as well. We do not recommend paying up, because you might not receive the decryption tool at all.
  • .ttt File Extension virus – the appearance of .ttt file extensions unexpectedly added to the filenames on your computer reveals the presence of the third version of the TeslaCrypt virus. Just like the other variants of TeslaCrypt 3.0 (the .xxx, .micro and .ccc file extension viruses), the .ttt File Extension virus demands payment for the decryption key. Unfortunately, there is no guarantee that the cybercriminals will give you the decryption key if you pay up.
  • .micro File Extension virus is a version of the third TeslaCrypt variant. After encrypting the victim’s files, it adds the .micro file extension to their filenames. The ransom demanded by the cybercriminals is also approximately 400 USD. It behaves the same as any other TeslaCrypt 3.0 variant.

TeslaCrypt 4.0 is regarded as the most advanced variant of this virus. It no longer adds extra file extensions to the filenames. It also uses a stronger encryption algorithm – RSA-4096. TeslaCrypt 4.0 drops ransom notes titled RECOVER[5 random symbols].html. Unfortunately, the encryption this malware uses is nearly unbreakable, so you must take precautions and secure your files in case your computer gets affected by this virus. You should read this article – Why do I need backup and what options do I have for that?

TeslaCrypt 4.1b is currently the latest version of the TeslaCrypt virus. Researchers are still discovering the features that have been added to this newest edition. So far, it seems that neither the encryption process nor the amount of ransom demanded in exchange for the encrypted files has changed. However, new gateways were added to the list of websites where victims can pay for their files. It was also found that this virus uses WMIC (Windows Management Instrumentation Command-line)[6] to delete the shadow copies of files on the PC, so that the user cannot restore them from the system backup. In general, the differences between this version and its predecessors are slight.
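As an added triage helper (example code written for this page, not part of the article or of any vendor tool), the following Python maps the appended extensions and ransom-note names listed above to the TeslaCrypt generation they point to. The mapping follows only this article's description, and all file paths fed to it are constructed.

```python
import re
from collections import Counter

# Appended extension -> TeslaCrypt generation, as described in this article.
# Campaigns overlapped in practice, so treat the result as a triage hint only.
EXTENSION_VARIANTS = {
    ".ecc": "TeslaCrypt (original)",
    ".vvv": "TeslaCrypt 2.0",
    ".ccc": "TeslaCrypt 3.0",
    ".xxx": "TeslaCrypt 3.0",
    ".ttt": "TeslaCrypt 3.0",
    ".micro": "TeslaCrypt 3.0",
}
# Ransom note names from the article; 4.0 uses RECOVER + 5 random symbols + .html.
FIXED_NOTE_NAMES = {
    "howto_recover_file.txt",
    "how_recover.html", "how_recover.txt",
    "help_restore.html", "help_restore.txt",
}
RECOVER_NOTE_RE = re.compile(r"^recover.{5}\.html$", re.IGNORECASE)

def _basename(path):
    # Split on both separators so Windows paths triage correctly on any host.
    return re.split(r"[\\/]", path)[-1]

def is_ransom_note(path):
    """True if the file name matches one of the ransom notes listed above."""
    name = _basename(path).lower()
    return name in FIXED_NOTE_NAMES or bool(RECOVER_NOTE_RE.match(name))

def extension_variant(path):
    """Return the generation implied by the appended extension, or None."""
    name = _basename(path).lower()
    dot = name.rfind(".")
    return EXTENSION_VARIANTS.get(name[dot:]) if dot != -1 else None

def triage(paths):
    """Summarise TeslaCrypt indicators found in an iterable of file paths."""
    by_variant, notes = Counter(), []
    for path in paths:
        if is_ransom_note(path):
            notes.append(path)
        elif extension_variant(path):
            by_variant[extension_variant(path)] += 1
    if by_variant:
        suspected = by_variant.most_common(1)[0][0]
    elif any(RECOVER_NOTE_RE.match(_basename(n).lower()) for n in notes):
        suspected = "TeslaCrypt 4.x (no extension appended)"  # notes, no renamed files
    else:
        suspected = None
    return {"by_variant": dict(by_variant), "ransom_notes": notes,
            "suspected_variant": suspected}
```

Feed it the output of a directory walk (for example `os.walk` over the user profile) to get a quick read on which generation you are dealing with before choosing a decryptor.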

TeslaCrypt removal steps

If this threat has already infected your computer and encrypted your data, you need to perform the following tasks:

  • Disconnect your computer from the Internet;
  • Run a full system scan with Reimage and remove infected files from your computer;
  • UPDATE. The TeslaCrypt project was shut down in May 2016. The cybercriminals have released the master key, which allows victims to decrypt their files for free. If your files are encrypted by TeslaCrypt, use the TeslaCrypt decryption tool to recover them.

We recommend performing the automatic TeslaCrypt removal on your computer as soon as you find out that you are infected. Scan your computer with an up-to-date malware removal program, for example Reimage, Plumbytes Anti-Malware or Webroot SecureAnywhere AntiVirus. If you cannot install the program or run a full system scan, follow the instructions below to regain access to your computer and launch the anti-spyware program. Manual TeslaCrypt removal is NOT recommended, as it is a complicated process that requires professional computer knowledge. If the malware prevents you from launching your antivirus or anti-spyware program, reboot your computer into Safe Mode with Networking or try System Restore. Each of these methods is explained below.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove TeslaCrypt virus you agree to our privacy policy and agreement of use.

To remove TeslaCrypt virus, follow these steps:

Remove TeslaCrypt using Safe Mode with Networking

If you can’t launch anti-spyware, reboot your computer to Safe Mode with Networking with the help of these steps:

  • Step 1: Reboot your computer into Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove TeslaCrypt

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete TeslaCrypt removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove TeslaCrypt using System Restore

If Safe Mode with Networking does not help you launch your anti-spyware, you can also try the System Restore method. For that, follow the instructions given below and then run a full system scan with malware removal software.

  • Step 1: Reboot your computer into Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of TeslaCrypt. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that TeslaCrypt removal has been completed successfully.

Bonus: Recover your data

The guide presented above is meant to help you remove TeslaCrypt from your computer. To recover your encrypted files, we recommend the detailed guide prepared by security experts.

If your files are encrypted by TeslaCrypt, you can use several methods to restore them:

Data Recovery Pro – alternative tool for data recovery

If the TeslaCrypt decryption tool does not recover all encrypted files, we suggest giving Data Recovery Pro a try. This tool helps to restore accidentally deleted or corrupted files.

Using Windows Previous Versions feature to recover files encrypted by TeslaCrypt virus

If you had System Restore enabled on your computer before the infiltration of TeslaCrypt, use the steps given below to recover your files.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
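The Previous Versions feature relies on the Volume Shadow Copies that, as noted above, TeslaCrypt 4.1b deletes through WMIC. As an added detection example (not part of the article), this Python flags that behaviour in process-creation records; the record layout, the user and the sample events are all constructed for the example.

```python
import re

# Constructed process-creation records in a "time|user|image|command line"
# layout, not real telemetry. Record 4 is the behaviour this article
# attributes to TeslaCrypt 4.1b: WMIC invoked to delete the shadow copies.
SAMPLE_EVENTS = """\
2016-05-02T10:14:03|CORP\\alice|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption
2016-05-02T10:14:09|CORP\\alice|C:\\Windows\\explorer.exe|explorer.exe
2016-05-02T10:15:41|CORP\\alice|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy list brief
2016-05-02T10:15:44|CORP\\alice|C:\\Windows\\System32\\wbem\\WMIC.exe|"C:\\Windows\\System32\\wbem\\WMIC.exe" shadowcopy delete /nointeractive
2016-05-02T10:16:02|CORP\\alice|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo shadowcopy delete
"""

# Matches "wmic" or "wmic.exe" as a bare name or at the end of a path.
WMIC_IMAGE_RE = re.compile(r"(^|[\\/])wmic(\.exe)?$", re.IGNORECASE)


def parse_event(line):
    time, user, image, cmdline = line.rstrip("\n").split("|", 3)
    return {"time": time, "user": user, "image": image, "cmdline": cmdline}


def is_shadowcopy_deletion(event):
    """True when the WMIC image runs with the shadowcopy alias followed by the
    delete verb. Keying on the image rather than on free text avoids alerting
    on a process that merely echoes those words (record 5)."""
    if not WMIC_IMAGE_RE.search(event["image"]):
        return False
    tokens = [t.strip('"').lower() for t in event["cmdline"].split()]
    # Drop the leading executable token, whether a bare name or a quoted path.
    if tokens and WMIC_IMAGE_RE.search(tokens[0]):
        tokens = tokens[1:]
    if "shadowcopy" not in tokens:
        return False
    return "delete" in tokens[tokens.index("shadowcopy") + 1:]


def find_shadowcopy_deletions(log_text):
    """Return the parsed events that should raise an alert."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return [e for e in events if is_shadowcopy_deletion(e)]
```

Shadow copies are also deleted by legitimate maintenance, so pair the alert with context such as the parent process and a burst of file renames before acting on it.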

TeslaCrypt decryption tool

Fortunately, ESET has released a free decryption tool that helps decrypt files damaged by the TeslaCrypt ransomware. You can download it from here.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from TeslaCrypt and other ransomware, use a reputable anti-spyware program such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware.

About the author

Gabriel E. Hall - Passionate web researcher
