Severity scale:  
  (99/100)

TeslaCrypt virus. How to remove? (Uninstall guide)

removal by Gabriel E. Hall - - | Type: Ransomware

TeslaCrypt ransomware is a file-encrypting virus which continues to be updated

TeslaCrypt virus
TeslaCrypt is a ransomware-type cyber threat which compromises data and appends .vvv, .ecc, .ccc, .xxx, .micro extensions after the encryption.

Questions about TeslaCrypt virus

TeslaCrypt is a dangerous ransomware-type infection which was first discovered in February 2015 and employed AES, RSA, and ECHD algorithms. Currently, the most notorious versions of this crypto-malware are TeslaCrypt 2.0TeslaCrypt 3.0TeslaCrypt 4.0 and TeslaCrypt 4.1b. However, it continuous to be updated and the newest variant of this cyber threat is Teslacrypt 2.x. Files encrypted by TeslaCrypt contain .xxx, .vvv, .ccc, .ttt, .micro, .ecc, and other extensions. Criminals leave HELP_RESTORE.HTML, RECOVER[5 random symbols].html, and howto_recover_file.txt ransom notes to inform about TeslaCrypt attack. Even though earlier the contrivers of the malware have released a free TeslaCrypt decryptor, it might not be suitable for the newest variant. Thus, users are advised to stay cautious.

Name TeslaCrypt
Type Ransomware
Danger level High
First discovered February 2015
Extensions .ccc, .xxx, .vvv, .ttt, .micro, .ecc or no extension used at all
Ransom notes HELP_RESTORE.HTML; RECOVER[5 random symbols].html; howto_recover_file.txt
Cryptography RSA; AES; ECHD
Versions TeslaCrypt 2.0, TeslaCrypt 3.0, TeslaCrypt 4.0, TeslaCrypt 4.1b, TeslaCrypt 2.x
Distribution It can infiltrate the system via infected spam email
Decryptable You can find a free TeslaCrypt decryption tool at the end of this article
Removal Before proceeding to data recovery, you must uninstall TeslaCrypt ransomware. For that, download Reimage

Similarly to its predecessors Cryptowall, Cryptolocker, Simplelocker and Threat Finder, TeslaCrypt arrives at the system with the help of spam. Once it drops its files onto the target computer, TeslaCrypt ransomware checks it for sensitive information, such as the following:

  • specific files;
  • business documents;
  • videos;
  • pictures;
  • etc.

Beware that Tesla Crypt virus can also try to encrypt your games and their files. It is known that it has already affected PC users who were playing the following computer games:

  • World of Tanks;
  • World of Warcraft;
  • StarCraft;
  • MineCraft;
  • Dragon Age;
  • RPG Maker;
  • Steam.

For disabling its victims from the use of their data, TeslaCrypt ransomware uses a strong algorithm known as AES encryption[1]. As a result, all extensions of affected files are changed to .vvv, .ccc, .ecc,  and similar suffixes. However, experts detected that this is not the only algorithm used by TeslaCrypt ransomware. Additionally, it has employed RSA and ECHD ciphers for data encryption.

You know that you are infected with TeslaCrypt ransomware when you find a file called howto_recover_file.txt on your computer's desktop. After clicking it, you should see such warning message but it might differ depending on the version of TeslaCrypt virus:

Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click “Show encrypted files” Button to view a complete list of encrypted files, and you can personally verify this.

Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key.

The only copy of the private key, which allow you to decrypt your files, is located on a secret server in the Internet; the server will eliminate the key after a time period specified in this window.
Once this has been done, nobody will ever be able to restore files…

At the time of research, the TeslaCrypt virus distribution method was unknown, however, following successful infiltration on computer systems, the software scans all drives and encrypts certain file types using AES encryption. Encrypted files will have the .ecc extension applied to the filename.

As you can see, this ransom note by TeslaCrypt claims that the user has to pay a fine of $500 or even $1000[2] in exchange for TeslaCrypt decryption key that is needed to unblock the affected information. This payment should be sent via PayPal My Cash cards using TOR browser.

That's how the developers of Tesla Crypt virus that are still unknown for governmental authorities are trying to hide. Victims can pay their ransoms in a form of Bitcoins and PayPal transactions. However, for those who are using this payment system, the ransom is increased twice to recover files encrypted by TeslaCrypt ransomware.

Talking about TeslaCrypt in retrospective, we could say that it was primarily aimed at small businesses and online companies; However, home computer users had to deal with this TeslaCrypt malware as well. As we have already mentioned, the ransomware was updated a few times, and the improvements were made to its distribution[3] strategies as well.

As a result, TeslaCrypt managed to increase its distribution rate from 200 to almost 2000 infected PC systems per day. Unsurprisingly, security experts have already labeled TeslaCrypt as one of the most dangerous viruses of 2016, despite the fact that the hackers have ended this project in May 2016[4]. IT security company ESET immediately created the TeslaCrypt decryption tool and started helping victims of the ransomware to rescue their files.

Although, keep in mind that you must remove TeslaCrypt ransomware before you head to the data recovery. Experts note that there is no need to agree paying the ransom, as you can easily get back your data with the free TeslaCrypt decryption software. 

You can get Reimage to help you with TeslaCrypt removal. Ransomware-type infections are hard to detect and eliminate. Thus, professionals security tools come in hand when novice computer users are struggling with the procedure. Just download the antivirus and run a full system scan. It may take up to several minutes before your PC is clean once again.

TeslaCrypt 2.x ransomware version has been recently spotted in the cyber space

Recently, cybersecurity experts have discovered a new version of TeslaCrypt. The new crypto-malware is named as TeslaCrypt 2.x as it is similar to the previous variants of the file-encrypting virus. Currently, the cyber threat is relatively new. So, there is not much information about its peculiarities.

However, TeslaCrypt 2.x ransomware is based on the same source-code as its predecessor. Likewise, files are encrypted using one of the following algorithms as before:

  • AES;
  • RSA;
  • ECHD.

Luckily, not many victims have been infected with TeslaCrypt 2.x just yet. However, experts recommend you to stay cautious as files encrypted by TeslaCrypt 2.x ransomware might or might not be recovered with the official decryption tool. Unfortunately, updated crypto-viruses include a more sophisticated attack methods. So, it might be difficult to get back the compromised data.

Despite that, if you notice that your PC is infected, you must remove TeslaCrypt 2.x ransomware immediately. For that, use one of our recommended and certified security tools to ensure that none of the ransomware-related components are left on the system.

Spam emails remain the most common malware distribution technique

Similar to other ransomware-type infections, this virus spreads with the help of malicious spam emails[5]. Usually, they come to the inbox as innocent-looking letters to trick users into opening them. 

Experts discovered that TeslaCrypt virus spreads as an invoice_2h04qd.js email attachment. However, this is merely an attempt to lure you into downloading the payload of the malware.

The subject line claims 'Required your attention'. Please, do NOT open such message and do NOT download this attachment to your computer. No matter how tempting it looks, all what it seeks is to infect your computer with TeslaCrypt.

Of course, there is no guarantee that you won't run into other campaign used for distributing this ransomware. That's why you should always check the sender and, if you don't know it well, remove such email message from your inbox.

The evolution of TeslaCrypt ransomware virus

TeslaCrypt 2.0 is a ransomware which uses ECHD algorithm to encrypt most widely used files on the infected system. The compromised data is appended with .vvv file extension and becomes unaccessible. Victims are demanded to pay $500 in order to get back the access to the encoded information. Unfortunately, experts warn that you might be scammed by the attackers. So, the wisest decision is to remove TeslaCrypt 2.0 ransomware and use an official decryption software.

  • .vvv File Extension virus. After infecting the system and encrypting useful files, it changes their extensions to .vvv and drops HOW_RECOVER.HTML, HELP_RESTORE.HTML, HOW_RECOVER.TXT or HELP_RESTORE.TXT document on the desktop. According to it, the victim has to pay the ransom for getting an ability to use his/hers files again. Please, do NOT pay it because you can lose your money.

The initial and the second version of TeslaCrypt use the same key to encrypt and also to decrypt the files, and after the decryption process, these viruses leave specific traces that can help the user to find the decryption key. Besides, using the flaw in the program code of these viruses, some security experts have already invented some TeslaCrypt and TeslaCrypt 2.0 decryption tools that can help you to decrypt your files.

TeslaCrypt 3.0 version has its flaw patched and after the virus encrypts the files, it deletes the decryption key from the computer. As a result, it becomes much harder to recover the lost data. TeslaCrypt third edition demands more than 400 USD dollars in exchange for a decryption key.

  • .ccc File Extension virus is also known as a seriously dangerous application that seeks to disable its victim from opening his/hers files. It does that by encrypting them with an advanced encryption technology. As a result, all extensions of important files are turned into .ccc. If you can't open your files and you can see such extensions, there is a huge possibility that you are infected with .ccc File Extension ransomware. In this case, you should remove infected files of .ccc File Extension virus to prevent the further loss of your files.
  • .xxx File Extension virus – this version of TeslaCrypt 3 also makes victim's files inaccessible and embeds .xxx extension to the filenames of affected victim's records. If you see that these extensions were added to your files, it is a sign that you cannot access them anymore. The price for a .xxx File Extension virus decryption tool is around 400 dollars as well. Unfortunately, we do not recommend you to pay up because you might not receive the decryption tool at all.
  • .ttt File Extension virus – the appearance of .ttt file extensions unexpectedly added to the filenames on your computer reveals the existence of the third version of TeslaCrypt virus. Just like other variants of TeslaCrypt 3.0 (.xxx, .micro, .ccc file extension viruses), .ttt File Extension virus commands to pay for the decryption key. Unfortunately, there is no guarantee that cybercriminals will give you the decryption key if you pay up.
  • .micro File Extension virus is a version of third TeslaCrypt variant. After encrypting victim's files, it adds .micro file extension to their filenames. The ransom demanded by cybercriminals is also equal to approximately 400 USD. It acts the same as any other TeslaCrypt 3.0 variant.

TeslaCrypt 4.0 is regarded as the most advanced variant of that virus. This virus no longer adds additional file extensions to the filenames. It also uses a complex encryption algorithm – RSA-4096. TeslaCrypt 4.0 drops ransom notes titled as RECOVER[5 random symbols].html. Unfortunately, the encryption algorithm this malware uses is nearly unbreakable, so you must take precautions and secure your files in case your computer gets affected by this virus. You should read this article – Why do I need backup and what options do I have for that?

TeslaCrypt 4.1b is currently the latest version of the TeslaCrypt virus. The researchers are still finding out new features which have been added to this newest edition. So far, it seems that the encryption process and the amount of ransom demanded in exchange to the encrypted files has not undergone any changes. Yet, new gateways were added to the list of websites where the victims can issue payments for their files. It was also found that this virus uses WMIC (Windows Management Instrumentation Command-line)[6] to delete the shadow copies of the files on the PC so that it would be impossible for the user to restore these files from the system backup. In general, the differenced of this program in comparison to its predecessors are slight.

Protect your PC by uninstalling TeslaCrypt virus

Victims rush to recover files encrypted by this dangerous cyber threat. Although, first you must remove TeslaCrypt ransomware to protect your computer from further damage. Security researchers note that crypto-viruses are capable of infiltrating the systems with more cyber threats. 

Likewise, TeslaCrypt removal is urgent if you don't want to permanently damage your computer. The minute you notice that your system is infected, you must perform the following tasks to protect it:

  • Disconnect your computer from the Internet;
  • Run a full system scan with Reimage and remove infected files from your computer;
  • UPDATE. TeslaCrypt project was shut down in May, 2016. Cyber criminals have revealed master key that allows victims decrypt their files for free. If your files are encrypted by Teslacrypt, use this TeslaCrypt decryption tool to recover them.

We recommend performing the automatic TeslaCrypt removal on your computer right after finding out that you are infected. Scan your computer with an updated malware removal program, for example Reimage or Plumbytes Anti-MalwareMalwarebytes Malwarebytes. If you cannot install or run a full system scan, follow the instructions below to get access to your computer and launch the anti-spyware program. 

Manual TeslaCrypt removal is NOT recommended as it is a complicated process which requires professional, computer-related knowledge. If malware prevents you from launching your antivirus or anti-spyware program, reboot your computer to the Safe Mode with Networking or try System Restore. Each of these methods are explained below.

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove TeslaCrypt virus, follow these steps:

Remove TeslaCrypt using Safe Mode with Networking

If you can't launch anti-spyware, reboot your computer to Safe Mode with Networking with the help of these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove TeslaCrypt

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete TeslaCrypt removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove TeslaCrypt using System Restore

If System Restore does not help you launch your anti-spyware, you can also try System Restore method. For that, follow the instructions given below and then run a full system scan with malware removal software.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of TeslaCrypt. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that TeslaCrypt removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove TeslaCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by TeslaCrypt, you can use several methods to restore them:

Data Recovery Pro – alternative tool for data recovery

If TeslaCrypt decryption tool does not recover all decrypted files, we suggest giving Data Recovery Pro a try. This tool helps to restore accidentally deleted or corrupted files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by TeslaCrypt ransomware;
  • Restore them.

Using Windows Previous Versions feature to recover files encrypted by TeslaCrypt virus

If you had System Restore enabled on your computer before infiltration of Teslacrypt, use the steps given below to recover your files. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

TeslaCrypt decryption tool

Fortunatelly, ESET released a free decryption tool that help to decrypt files damaged by the TeslaCrypt ransomware. You can download it from here.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from TeslaCrypt and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Gabriel E. Hall
About the company Esolutions

References

Removal guides in other languages