02/02/2016
16:10

TeslaCrypt 3.0 strikes back → DO NOT OPEN THOSE EMAILS - Learn how to protect your data with Vir.IT eXplorer PRO


Vir.IT eXplorer PRO's Anti-Crypto Malware technologies can save up to 99.63% of files

As of 2nd February 2016, TeslaCrypt 3.0 attack is still going on. A huge amount of emails containing the malware has been delievered; these emails bear these subjects:
  • Sender's name;
  • Date and hour;
  • Hi.
The body contains various blank lines, the last one quotes date and hour. There is also an attachment, a .zip file, its name being 3 random characters; inside, there is a javascript file, its name being similar to the following:
  • invoice_SCAN_qH7le.js;
  • invoice_copy_StXQDm.js;
  • invoice_GavJVj.js;
Screenshot of a mail that carries the TeslaCrypt 3.0
Click here to show the picture fullscreen
TeslaCrypt 3.0 was first recorded on 25th January; then, between 30th and 31st January, a huge number of users were sent a mail like the one described above, and considering this email reliable they opened and executed the attachmen - then hell broke loose.

The ransom demanded by TeslaCrypt 3.0

TeslaCrypt 3.0 demands a ransom to have data decrypted - the equivalent of 500 USD in BitCoin for every key. This means that if the user reboots the computer n times, files are going to be encrypted with n+1 different keys, so the amount of money that will have to be paid to have all files decrypted will be 500*(n+1). For exapmple: 2 reboots, 3 keys → 3*500 = 1'500 USD in BTC.

How to stay safe from TeslaCrypt 3.0

One should never forget that links and email attachments could hide viruses/malwares. This rule applies to emails coming from unknown addresses, but also to apparently familiar ones from which an email with attachment (such as an invoice) was not expected. Vir.IT eXplorer PRO users have a great chance to save all their data from encryption!

It was stated in our previous bulletins that Vir.IT eXplorer PRO's Anti-CryptoMalware module was able to stop these attacks saving up to 99.63% of files, allowing a complete recovery of encrypted files thanks to backup technologies, namely:
  • On-The-Fly Backup;
  • Vir.IT BackUp.

This only occurs if Vir.IT eXplorer PRO is:

  • correctly INSTALLED;
  • UP-TO-DATE;
  • properly CONFIGURED - Anti-Crypto Malware technology has to be active in the Settings tab of Vir.IT Security Monitor (it is active by default); plus Vir.IT BackUp has to be configured and running.


Starting with version 8.0.98, Vir.IT eXplorer PRO can "snatch" TeslaCrypt 3.0 encryption key on-the-fly in the early stages of the attack, thus making a decryption feasible - it can be done with the assistance from TG Soft's tech support.

Remember - every time the malware is executed, a new encryption key is used. This means that every time the computer is rebooted and the malware is still active, TeslaCrypt will use a different key (n reboots → n+1 different keys).

How to contain damage

Since a new key is created every time the malware is executed - which only happens when the computer is rebooted - the computer should always stay turned on, in order to have the minimun number of keys possible, and qualified tech support (such as TG Soft's) should be contacted immediately.

When the Alert shown in the picture pops up on the screen, Vir.IT eXplorer PRO's Anti-CryptoMalware module has come into action, halting the malware. Do not panic and perform these operations:

  1. Make sure that Vir.IT eXplorer PRO is UP-TO-DATE;
  2. UNPLUG EVERY NETWORK CABLE - by doing this, the computer will be phisically isolated from the network, thus containing the attack to just one machine.
  3. PERFORM a FULL SCAN using Vir.IT eXplorer PRO.
  4. DO NOT REBOOT OR TURN OFF THE COMPUTER in order to avoid further encryption, as stated before.


  5. In case of cryptomalware attack you should get in touch with Vir.IT eXplorer PRO's Tech Support as soon as possible. You can write an email to assistenza@viritpro.com,
    or call our hotlines:
    • +39 049 631748
    • +39 049 632750
    Mon-Fri 8:30-12:30 and 14:30-18:30.

 

Anti-Crypto Malware protection screenshot
Click to show the picture fullscreen
 

99,63%*

Mean percentage of files protected from encryption thanks to Vir.IT eXplorer PRO ==>

Can .micro encrypted files be decrypted?

Yes, if Vir.IT eXplorer PRO was correctly set up before the attack and it snatched encryption keys.

Final thoughts

Please remain calm and be patient. This is a very widespread emergency - many people were tricked into opening the email by the familiar-looking sender address.



TG Soft
Public Relations

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: