It can infect multiple types of files, but among the most infected are video game files, including, but not limited …
The TeslaCrypt binary itself is compiled with Visual C++. When it runs, the executable begins scanning the user's drives for data it can encrypt. Once a file is targeted, TeslaCrypt encrypts it with an AES cipher, stores SHA-256 hashes of the various keys in key.dat, and gives the file a new extension. The extension varies with the version of TeslaCrypt the computer is infected with; the currently known extensions are .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc and .ccc, and one version did not change the file extension at all. The data files TeslaCrypt can encrypt include: .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .sc2save, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mcgame, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .001, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .DayZProfile, .rofl, .hkx, .bar, .upk, .das, …
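The extension lists above are the most useful indicators a responder has when triaging a suspected infection. The following script is an added example, not code from the page or from any analysis of the malware: it walks a list of file paths, flags those whose final extension is one of the TeslaCrypt extensions named above, and recovers the likely original filename. It assumes the ransomware appended its extension to the original name (so `campaign.sc2save` became `campaign.sc2save.ecc`); that appending behaviour, the `classify`/`triage`/`extensions_seen` function names and the sample paths are all assumptions of this example.

```python
"""Triage helper for a TeslaCrypt-style infection (added example, not from the page).

Assumption: the ransomware appends its own extension to the original filename,
so stripping the last suffix recovers the original name.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Extensions the page lists as added by known TeslaCrypt versions.
TESLACRYPT_EXTENSIONS = {".ecc", ".ezz", ".exx", ".xyz", ".zzz", ".aaa", ".abc", ".ccc"}

# Data types the page lists as encryption targets (lower-cased for comparison;
# the page's list is truncated, so this set is necessarily incomplete).
TARGETED_EXTENSIONS = {
    ".7z", ".rar", ".m4a", ".wma", ".avi", ".wmv", ".csv", ".d3dbsp", ".sc2save",
    ".sie", ".sum", ".ibank", ".t13", ".t12", ".qdf", ".gdb", ".tax", ".pkpass",
    ".bc6", ".bc7", ".bkp", ".qic", ".bkf", ".sidn", ".sidd", ".mddata", ".itl",
    ".itdb", ".icxs", ".hvpl", ".hplg", ".hkdb", ".mdbackup", ".syncdb", ".gho",
    ".cas", ".svg", ".map", ".wmo", ".itm", ".sb", ".fos", ".mcgame", ".vdf",
    ".ztmp", ".sis", ".sid", ".ncf", ".menu", ".layout", ".dmp", ".blob", ".esm",
    ".001", ".vtf", ".dazip", ".fpk", ".mlx", ".kf", ".iwd", ".vpk", ".tor", ".psk",
    ".rim", ".w3x", ".fsh", ".ntl", ".arch00", ".lvl", ".snx", ".cfr", ".ff",
    ".vpp_pc", ".lrf", ".m2", ".mcmeta", ".vfs0", ".mpqge", ".kdb", ".db0",
    ".dayzprofile", ".rofl", ".hkx", ".bar", ".upk", ".das",
}


def classify(path: str):
    """Return (status, original_path) for one file path.

    status is "clean" (no ransomware extension), "encrypted" (ransomware
    extension over a known targeted type) or "suspicious" (ransomware
    extension over a type not in the page's list).
    """
    p = PureWindowsPath(path)
    ext = p.suffix.lower()
    if ext not in TESLACRYPT_EXTENSIONS:
        return ("clean", path)
    original = str(p.with_suffix(""))          # strip the appended extension
    inner = PureWindowsPath(original).suffix.lower()
    if inner in TARGETED_EXTENSIONS:
        return ("encrypted", original)
    return ("suspicious", original)


def triage(paths):
    """Group every path by classification, keeping the recovered original name."""
    report = {"encrypted": [], "suspicious": [], "clean": []}
    for path in paths:
        status, original = classify(path)
        report[status].append((path, original))
    return report


def extensions_seen(paths):
    """Count which TeslaCrypt extensions occur; the mix hints at the variant."""
    suffixes = (PureWindowsPath(p).suffix.lower() for p in paths)
    return Counter(s for s in suffixes if s in TESLACRYPT_EXTENSIONS)


# Constructed sample listing (assumption of this example, not real data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\taxes.csv.ecc",
    r"C:\Games\StarCraft II\Saves\campaign.sc2save.ecc",
    r"C:\Users\alice\Music\track.m4a.ezz",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Desktop\readme.docx.ecc",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    report = triage(SAMPLE_PATHS)
    for status in ("encrypted", "suspicious", "clean"):
        for path, original in report[status]:
            print(f"{status:10s} {path}  (original: {original})")
    print("extensions seen:", dict(extensions_seen(SAMPLE_PATHS)))
```

The "suspicious" bucket exists because the page's target list is truncated: a ransomware extension sitting on a type the list does not name is still almost certainly an encrypted file, and the recovered original name tells the responder which backup to pull. Paths from a real host would come from a directory walk rather than the constructed list.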
The malware scans all of your drive letters. Once it finishes encrypting, it deletes all Shadow Volume copies on the computer, making it very difficult to restore data from a previous backup. After it encrypts its list of target files, it connects to the command server over the Tor network (free software for anonymous communication) using Tor proxies. When encryption is complete, the application window is displayed, essentially functioning as a ransom note. A text file describing the encryption and the ransom demand is created in every folder that contains an encrypted file, as well as on the desktop, and the ransomware also changes the desktop wallpaper to a BMP file placed on the desktop. The ransom note explains how to reach the payment site and how to get your data decrypted. It also allows a single file to be decrypted as proof that the user will be able to get all of their files back. The malware gave the user the option to pay with Bitcoin, PaySafeCard, PayPal, or Ukash; the PayPal option was later removed. Once infected, the user's only hope was to either pay the ransom or restore from a backup. However, because TeslaCrypt deletes
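Two of the behaviours described above are good detection points on an endpoint: the deletion of Shadow Volume copies, and the same ransom-note text file being written into every folder that holds an encrypted file. The script below is an added example, not code from the page or from any product: it runs two simple rules over a constructed list of telemetry events. The event field names, the ransom-note filename, the timestamps and the shadow-copy deletion command lines it matches (`vssadmin delete shadows` and `wmic shadowcopy delete`, which the page does not name) are all assumptions of this example.

```python
"""Detection rules for shadow-copy deletion and ransom-note fan-out
(added example, not from the page). Events are constructed dicts with the
fields an EDR or Sysmon-style feed would carry; the shapes are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line patterns for shadow copy deletion; the page only says
# the copies are deleted, not how.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def detect_shadow_copy_deletion(events):
    """Return (time, command_line) for every process start matching a pattern."""
    hits = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        if any(p.search(ev["command_line"]) for p in SHADOW_DELETE_PATTERNS):
            hits.append((ev["time"], ev["command_line"]))
    return hits


def detect_ransom_note_fanout(events, min_dirs=3, window=timedelta(minutes=5)):
    """Flag a filename created in at least `min_dirs` distinct directories
    within `window`; returns [(filename, directory_count)]."""
    by_name = defaultdict(list)                 # filename -> [(time, directory)]
    for ev in events:
        if ev["type"] != "file_create":
            continue
        directory, _, name = ev["path"].rpartition("\\")
        by_name[name].append((ev["time"], directory))
    alerts = []
    for name, occurrences in by_name.items():
        occurrences.sort()
        for i, (t0, _) in enumerate(occurrences):
            dirs = {d for t, d in occurrences[i:] if t - t0 <= window}
            if len(dirs) >= min_dirs:
                alerts.append((name, len(dirs)))
                break                           # one alert per filename
    return alerts


# Constructed sample telemetry (assumption of this example, not real data).
T0 = datetime(2016, 1, 15, 10, 0, 0)
NOTE = "RESTORE_FILES_NOTE.txt"                 # placeholder note name
SAMPLE_EVENTS = [
    {"time": T0, "type": "process_create",
     "command_line": r"C:\Users\bob\AppData\Local\Temp\abc.exe"},
    {"time": T0 + timedelta(seconds=5), "type": "file_create",
     "path": r"C:\Users\bob\Documents\report.csv.ecc"},
    {"time": T0 + timedelta(seconds=6), "type": "file_create",
     "path": r"C:\Users\bob\Documents" + "\\" + NOTE},
    {"time": T0 + timedelta(seconds=20), "type": "file_create",
     "path": r"C:\Users\bob\Pictures" + "\\" + NOTE},
    {"time": T0 + timedelta(seconds=35), "type": "file_create",
     "path": r"C:\Users\bob\Desktop" + "\\" + NOTE},
    {"time": T0 + timedelta(seconds=40), "type": "process_create",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"time": T0 + timedelta(minutes=20), "type": "file_create",
     "path": r"C:\Users\bob\Desktop\todo.txt"},
]

if __name__ == "__main__":
    for t, cmd in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{t:%H:%M:%S}] shadow copy deletion: {cmd}")
    for name, n in detect_ransom_note_fanout(SAMPLE_EVENTS):
        print(f"ransom-note fan-out: {name} written to {n} directories")
```

The fan-out rule needs no knowledge of the note's actual filename, which matters because the page notes that extensions and other details change between versions; in production `min_dirs` would be set well above three to keep installers and sync clients out of the alert stream, and the shadow-copy rule should be paired with an alert on the process that spawned the deletion.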