One fateful morning, our client woke their office computer from sleep and noticed something odd. All (or most) of their files were being treated like audio files, specifically .mp3 files. This client is using Windows 7, running Norton Internet Security, and does not keep a regular backup (vulnerable operating system, inadequate anti-virus, and no disaster recovery plan).
Every file contained within the Documents folder, for instance, was now treated as an audio file. Double clicking that file would instruct Windows to open up whatever program is suitable for playing music, probably Windows Media Player or iTunes. Because the file was formerly a .Docx Word document, there’s no music to play, resulting in an error or a “corrupted” document. The same thing happens, more or less, for pictures and all other personal data. Everything is now treated as an .mp3 audio file. Changing the extension back to its original – returning a Word document back to .Docx, for instance – does not restore functionality. This was all a ruse; the data within the file, not just its extension, was changed.
So what happened? TeslaCrypt.
TeslaCrypt is ransomware, in the spirit of Cryptowall and Cryptolocker, and infects machines in the same way. At some point, the computer user visited or was directed – maybe only momentarily – to a suspicious website. This website, using an exploit kit, was able to scan the computer for any vulnerability it can use to deliver its payload. Typically, exploits of this sort target weaknesses in the internet browser (Internet Explorer, Chrome, or Fire Fox) or browser extensions (Adobe Flash, Java, etc), tricking the program into downloading the malware’s payload. In this case, that payload was used to execute TeslaCrypt. We call this a drive-by attack. Once installed, TeslaCrypt will delete your Volume Shadow Copies, then gradually encrypt all user data. Encryption is onerous work, causing computer performance issues throughout this process. Eventually, TeslaCrypt will report that all of your data is encrypted and, in order to decrypt anything, you will need to send some amount of money to a location of their choosing (usually via BitCoin).
In addition to browser drive-by attacks, malware and TeslaCrypt spread through suspicious email attachments. As always, only open attachments from senders you recognize. If there is an attachment, be suspicious, even if it appears to have come from a legitimate company. Amazon, FedEx, UPS, and your bank will never send emails with attachments. These ploys are commonly phishing scams or ways to infect computers with powerful malware.
What do I do now?
First, disconnect your computer from your office network. Turn off wifi and unplug the ethernet. If you have a backup handy, retrieve it – but do not plug it in. Ransomware can easily infect attached drives or networked devices.
Unlike other ransomware, there is a small chance that your files can be decrypted. Network security wizards at Cisco have designed a command-line only decryption tool for TeslaCrypt.
If decryption proves fruitless, the next step is recovery. The computer’s hard drive(s) must be fully erased and restored, either from a clean backup, or a from-scratch install of Windows.
Because ransomware like Cryptowall and TeslaCrypt can so easily infect attached computers, drives, or networked devices, we strongly recommend calling Poindexter for your computer repair needs. Ransomware can be devastating – Poindexter promises to make the catastrophe as pain free as possible. Whether its a professional cleaning and restore of your system or, if possible, a careful decryption of your files, Poindexter is Baltimore’s best option for every kind of computer repair. Schedule your solution today!