Ransom:Win32/Tescrypt.A

Installation

This threat copies itself as a randomly named file in the %APPDATA% folder (for example, C:\Documents and Settings\<username>\Application Data\qubmvec.exe, C:\Users\<username>\AppData\Roaming\qubmvec.exe).

It might also install the following files in the %APPDATA% folder:

• key.dat - user specific bitcoin address
• log.html - contains a list of encrypted files

It modifies one of the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: crypto13 
With data: C:\Documents and Settings\<username>\Application Data\<random>.exe

As of April 2015, we have observed an increase in Tescrypt activity as it gets dropped by a few exploit kits such as Exploit:SWF/Axpergle (Angler), Exploit:JS/Neclu (Nuclear), JS/Fiexp (Fiesta), and JS/Anogre (Sweet Orange).

Payload

Encrypts your files

This ransomware can search for files in all of the folders with the following extensions and then encrypt them:   

After the files are encrypted, the ransomware renames the files by appending ".ecc", "exx" or ".ezz" in the affected file extension. For example, from .png to .png.ecc, or .jpg  to .jpg.ezz.

It displays a dialog box similar to the following screenshots:

Your PC desktop background may also display this message:

As of May 8, 2015, we have seen that when you click the ransomware window button, it opens a dialog box similar to the following screenshot:

 Then it opens the decryption site:

When you enter the BitCoin address supplied to access the Alpha Crypt payment page, it displays an encryption notification message similar to the following screenshot:

This ransomware also creates the following files under %desktopdirectory%

• CryptoLocker.lnk - points to and runs the malicious executable file in %APPDATA% folder
• HELP_TO_DECRYPT_YOUR_FILES.TXT - contains encryption message or notification
• HELP_TO_DECRYPT_YOUR_FILES.BMP - sets the file as the desktop wallpaper that also contains encryption message or notification
• HELP_TO_SAVE_FILES.bmp
• HELP_TO_SAVE_FILES.txt

It also deletes shadow files to prevent you from restoring your files from a local backup.

Analysis by Jireh Sanico

Advanced troubleshooting

You might be able to use the Talos TeslaCrypt Decryption Tool to recover your encrypted files. However, Microsoft makes no representations or warranties that the tool will recover your files.

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

You can also ask for help from other PC users at the Microsoft virus and malware community.

If you’re using Windows XP, see our Windows XP end of support page.