
Rajib Singha
New Ransomware Alert! TeslaCrypt is After Your Game Files
March 27, 2015

The ransomware menace is becoming a blight on the Internet. Just last month, we released an extensive blog post about the alarming growth in ransomware attacks across the world. There are around 12 families of ransomware detected in the wild as of now, and joining the gang is a new member called TeslaCrypt.


What is Ransomware?
Ransomware is a sophisticated malicious program that takes control of (hijacks) the infected computer or its data and demands money (a ransom) from its victim. Ransomware is broadly classified into two types:

1. The first type is an Encryptor. This ransomware encrypts (converts information into a code) the infected computer’s data, including images, videos, documents, presentations, and spreadsheets. It demands a ransom to decrypt the files.

2. The second type is a Screen Locker. As the name suggests, this program freezes or locks up the victim’s computer, and makes it nonfunctional, until a ransom is paid.

What is TeslaCrypt?
TeslaCrypt is a new ransomware in town. It works in a similar way to other encrypting ransomware. Once inside the system, it starts looking for data including images, docs, spreadsheets, PowerPoint presentations, etc. However, unlike the others, it also seeks out saved game files (replays, maps, configurations, etc.) on the infected computer. Having found the files, the malware starts converting them into an encrypted form that is accessible only to a user who has the private key. To get this key, the victim has to pay a ransom of 1.5 Bitcoins (about $373.92).


Who are the Primary Targets?
1. Users of MS Windows
2. PC Gamers

What Games are being targeted by TeslaCrypt?
Presently, the following games are known to have been targeted by this ransomware:

• Call of Duty
• World of Warcraft
• DayZ
• Minecraft
• Fallout and Diablo
• Bethesda Softworks File
• Steam NCF Valve Pack
• Unreal 3
• Assassin’s Creed
• Bioshock 2
• RPG Maker VX RGSS
• S.T.A.L.K.E.R.
• RPG Maker
• League of Legends
• Dragon Age
• StarCraft
• World of Tanks
• F.E.A.R. 2
• EA Sports
• Unity Scene
• Skyrim animation
• DayZ profile file
• Unreal Engine 3 Game File
• Dragon Age Origins

How Can TeslaCrypt Infect your Computer?
TeslaCrypt mostly spreads via spam emails, where it may be hidden in a downloadable attachment. Such emails also contain links to malicious websites; visiting them may download the ransomware onto the user’s machine automatically.

Files Infected by TeslaCrypt

Files with the following extensions get encrypted by TeslaCrypt:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .allet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt,

Steps to Stay Away from Ransomware
1. Never download attachments or click on links in emails received from unwanted or unexpected sources, even if the source looks familiar.
2. Don’t respond to pop-up notifications or alerts while visiting unfamiliar websites.
3. Apply all recommended security updates to your OS, software, and Internet browsers, if not already.
4. Install security software on your PC that efficiently blocks spam and malicious emails, and automatically restricts access to malicious websites.

THE MOST IMPORTANT STEP TO TAKE!
Regular data backup is the only way you can recover from a ransomware attack. Once TeslaCrypt encrypts your files, there is no way to decode them without buying the private key. And paying crooks is something neither we nor law enforcement recommend.

So, take regular backups of all the important files you have on your computer. We recommend that you begin the backup procedure offline, not while you are connected to the Internet. This is because ransomware also targets files on external storage drives. Once you are done, disconnect the backup drive.
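
To act on the backup advice above together with the extension list earlier in the post, the following added example (not from the original post or from Quick Heal) reports which files with targeted extensions have no backup copy, or a copy whose content is out of date. `TARGETED` is a subset of the post's list, and the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Subset of the extension list published in this post (assumption: extend it
# with the full list to cover everything TeslaCrypt is reported to encrypt).
TARGETED = {".sav", ".wotreplay", ".rofl", ".mcmeta", ".w3x", ".vpk",
            ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".pfx"}

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large game archives do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def backup_gaps(source_root, backup_root, extensions=TARGETED):
    """Map each at-risk file (path relative to source_root) to 'missing' or
    'stale' when its backup copy is absent or differs in content."""
    gaps = {}
    for live in Path(source_root).rglob("*"):
        if not live.is_file() or live.suffix.lower() not in extensions:
            continue
        rel = live.relative_to(source_root)
        copy = Path(backup_root) / rel
        if not copy.is_file():
            gaps[rel.as_posix()] = "missing"
        elif sha256_of(copy) != sha256_of(live):
            gaps[rel.as_posix()] = "stale"
    return gaps

def write(root, rel, data):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def demo():
    """Constructed sample tree: one current copy, one stale, one missing."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as bak:
        for rel, data in {"saves/slot1.sav": b"level 12", "docs/tax.xlsx": b"2015",
                          "replays/m1.wotreplay": b"replay", "notes.log": b"skip"}.items():
            write(src, rel, data)
        write(bak, "saves/slot1.sav", b"level 12")
        write(bak, "docs/tax.xlsx", b"2014")
        return backup_gaps(src, bak)

if __name__ == "__main__":
    print(demo())
```

Point `backup_gaps` at your documents or game-save folder and at the mounted backup drive before you disconnect it; every entry returned is a file you could not restore in its current form.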

What to do if your Computer is Infected with TeslaCrypt?
1. Disconnect your system from the Internet.
2. Disconnect any external storage devices connected to your computer.
3. Run a virus scan on your computer.
4. Get help from a local computer expert to ensure that the infection is gone. Thereafter, you can restore your files from your backup. Running a System Restore may also help.

How can Quick Heal help?
Quick Heal helps prevent ransomware infections with its real-time Email Security that blocks spam, infected and malicious emails. Its Web Security feature automatically blocks infected and malicious websites. Also, Quick Heal detects TeslaCrypt as Ransom.Tescrypt.A4 and proactively blocks the infection.


Have something to add to this story? Share it in the comments.


44 Comments


  1. Ashish Rane | March 27, 2015 at 3:32 PM

    Thanks Rajib for the important info. God bless.

  2. quick heal version 16.00(9.0.0.17), can detect the TeslaCrypt?

  3. Thanks Rajib for informing about new virus

  4. SUNDARAM BALA | March 27, 2015 at 5:25 PM

    Thanks for the News.

  5. Great work rajib

  6. Thanx a ton, that’s why I subscribed to Quick Heal since its inception. Gr8 job.

  7. VIJAY BABANRAO WAGH | March 27, 2015 at 6:46 PM

    Thanks. This was an excellent and timely Alert from Quick Heal.

    Vijay.

  8. rahmatullah | March 27, 2015 at 7:23 PM

    thanks for information

  9. i already have quick heal installed. do i still need to be scared about the teslacrypt???

  10. thanks for the useful information.
  11. Vimal Krishnan | March 28, 2015 at 12:10 AM

    Thanks Rajib god bless

  12. Debdarpan khan | March 28, 2015 at 12:16 AM

    Hello Rajib,
    I have 2 computers.
    One has “Quick Heal Total Security 2012” version 13.00(6.0.0.4), license valid till 27 Jan 2017.
    The other one has “quickheal internet security” version 16.00(9.0.0.14), license valid till 07 May 2016.
    Can they prevent “TeslaCrypt” from infecting the computers
    with regards
    Debdarpan Khan

  13. Thanks rajib you guys are awesome

  14. rahul maske | March 28, 2015 at 11:23 AM

    i have deleted this malware to detected to my computer

  15. ABHIMANYU KUMAR | March 28, 2015 at 11:35 AM

    THANKS FOR INFORM FOR NEW virus

  16. RUBI KUMARI | March 28, 2015 at 11:37 AM

    THANKS FOR INFORM NEW virus

  17. prashil moon | March 28, 2015 at 2:13 PM

    Quick Heal’s Behaviour Detection System also pro-actively detects malicious activity for the TeslaCrypt…

  18. Sk Abdulla | March 28, 2015 at 2:28 PM

    nice

  19. Mukesh Prasad | March 28, 2015 at 7:36 PM

    Thank you Rajib for the valuable information
  20. bharat namdeo | March 28, 2015 at 8:19 PM

    we are Quick Heal user our end date is nearest. so please three user Quick Heal discount rate and payment process send me

    bharat namdeo
    jabalpur MP india
    09425466762

    • Hi Bharat,

      In order to renew your Quick Heal product, you will need to do so via the renew option once you open your Quick Heal product dashboard. If you need help to do this, please contact our support team on 0-927-22-33-000.

      Regards.

  21. thank you for this important information about this
    new virus.

  22. Saumik Roy | March 29, 2015 at 1:09 AM

    I JUST WANT TO ASK ONE THING…. does quick heal internet security or quick heal total security code works in google play’s quick heal paid….. cause which i mentioned is easily available in market for buying….. oh antivirus code is also available…so will that work too….

    • Hi Saumik,

      No, the product key for Total Security or Internet Security does not work on the mobile product over Google Play. The product key for that needs to be purchased separately.

      Regards.
  23. chander verma | March 29, 2015 at 7:07 AM

    when i got problems to use my laptop to access my web site then i purchase quickheal then i got complete solution and i am satisfied now

  24. shashikant Dhikale | March 29, 2015 at 11:18 AM

    Thanks for information

  25. Thanks for the info! Sounds very scary though!

  26. Hey Rajib!! I have lot of games in my PC or you can say I’m a Gamer. So, can you tell me what TeslaCrypt does? How does it ask for ransom and how does it affect one’s computer? Does it infect one’s PC by Internet or virus?

    Regards,
    Ayush

    • Hi Ayush,

      As mentioned in the post, TeslaCrypt spreads via spam emails. Once it gains entry into the targeted system, it starts looking for saved game files. Thereafter, the virus begins encrypting these files. It then displays a message, as shown in the post, wherein it asks for a payment in Bitcoins.

      Regards,

  27. bappa ghosh | March 29, 2015 at 6:23 PM

    my quickheal not updated.

  28. Hacking tools and patch files are regarded as virus by Quick heal. What can i do thank you

    • Hi Putta,

      Kindly share some more information about these tools and files that you are referring to. This will allow us to help you better.

      Regards.

    • Hi what is hacking tools and patch file, i have installed tablet security but not satisfied this software don’t have couple of features compared to total security and i am worried, Mr Rajib Sir will my quickheal tablet security software is enough powerful software and will it save my device from teslacrypt or ransomwares, adware or malware in the future and please discuss in next discussion on this topics on what are the ways and how many numbers of options do any kind of viruses have for entering in our android devices without users knowledge and one more question for you Rajib Sir gamers are also on target but how secured are games for android on googleplay store do google scan all the new developer new games before recommending the games to google users in their games option on googleplay store after reading all these things i even stopped downloading games from google play store when i have already installed quickheal tablet security Rajib Sir i like playing games from google play store but if some games contains some kind of virus will my quickheal tablet security will detect it immediately within seconds of time and secured my device from any infections because i have some worst experiences of viruses when i installed few games from googleplay store that time i was using avast free antivirus on small tablet which is unfortunately now a unusable corrupted os android device

      • Hi Girish,

        As mentioned in the post, presently TeslaCrypt is only known to target the Windows platform (PCs) and not Android. Yes, Quick Heal Tablet Security protects your device from all types of malware designed to target Android users.

        Regards,
  29. sunil rathore | March 30, 2015 at 7:32 PM

    its btr thn other al…

  30. Krishnasish Sarkar | March 30, 2015 at 10:30 PM

    Does Quickheal v15.00 detect this ransomware TeslaCrypt?

  31. Manas Ranjan Ghosh | April 1, 2015 at 10:28 AM

    THANKS FOR INFORMATION & WISHING BEST.

  32. Hi Rajib Sir In case i finished my internet limit and i dont have internet for few hours but i had already installed few apps from googleplay store during which if i full scan my device using my quickheal tablet security software to detect any virus in my installed application will my quickheal tablet security will detect any virus in that installed apps from googleplay because i have no idea on how this software works without internet connection is it very necessary that there must be internet connection for scanning the device or my tablet security can be effective enough to detect any virus in installed apps including games from google play without internet connection for couple of hours and will my software repair or uninstall apps quickly without internet connection if some virus is detected. Thank you

    • Hi Girish,

      Internet connection is necessary to receive security updates. But while you are installing any app, Quick Heal monitors it in real-time. If the app is malicious, Quick Heal will block it or warn you about the same. So, if this has not been the case, it means your installed apps are fine.

      Regards,