Encrypting ransomware is a particularly nasty type of malware, as once you are affected by it, there are very few ways to get your files back to the way they should be. The TeslaCrypt ransomware is currently being used in an aggressive spam-email campaign, and while there's nothing you can do to keep such messages out of your inbox, there are plenty of ways you can prevent TeslaCrypt from winding up on your hard drive.
Mountain View, California-based security firm Symantec warned about the dangers of the latest TeslaCrypt campaign in its official Security Response blog yesterday (Dec. 14). Although the ransomware has been detected in some form or other since March, it was fairly quiet until early December, when Symantec security programs detected approximately 1,800 attempted installations across multiple users' computers.
Here's how the current TeslaCrypt campaign works: The malware comes attached to an e-mail message bearing a fairly innocuous subject line, such as "Would you be so kind as to tell me if the items listed in the invoice are correct?" or "Please accept our congratulations on a successful purchase and best wishes." (Symantec calls this "social engineering," but one would have to be pretty credulous to treat such a vague, oddly worded headline without a modicum of suspicion.)
Once opened, the package installs TeslaCrypt, which, like most encrypting ransomware, starts locking you out of your files by replacing them with strongly encrypted copies bearing odd suffixes such as .VVV or .CCC. Because the encryption keys change with each victim, there is no cure-all once the ransomware is installed; to regain the files, you'll have to cough up $500 to cybercriminals. (Most do make good on their end of the bargain.)
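The renaming behaviour described above is something a file monitor or backup agent can watch for. The script below is an added example, not code from the article or from Symantec: it takes a list of file-rename events (constructed here, in the shape a file-system watcher would produce), flags renames to the .vvv and .ccc suffixes the article mentions, and treats a burst of such renames inside a short window as a likely bulk-encryption run. The window and threshold values are assumptions chosen for the demonstration.

```python
"""Flag renames to the TeslaCrypt suffixes named in the article and detect
a burst of them. Added example with constructed sample data; the extension
set, window and threshold are assumptions, not values from the article."""
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Suffixes the article attributes to TeslaCrypt-encrypted files (assumed complete for this demo).
RANSOMWARE_EXTENSIONS = {".vvv", ".ccc"}

# Constructed sample of rename events: (ISO timestamp, original path, new path).
# Two benign renames surround six encryption-style renames that land within 20 seconds.
SAMPLE_EVENTS = [
    ("2015-12-14T08:55:10", "/home/alice/notes.tmp", "/home/alice/notes.txt"),
    ("2015-12-14T09:00:01", "/home/alice/docs/report.docx", "/home/alice/docs/report.docx.vvv"),
    ("2015-12-14T09:00:03", "/home/alice/docs/budget.xlsx", "/home/alice/docs/budget.xlsx.vvv"),
    ("2015-12-14T09:00:06", "/home/alice/photos/cat.jpg", "/home/alice/photos/cat.jpg.ccc"),
    ("2015-12-14T09:00:09", "/home/alice/photos/dog.jpg", "/home/alice/photos/dog.jpg.ccc"),
    ("2015-12-14T09:00:14", "/home/alice/docs/thesis.pdf", "/home/alice/docs/thesis.pdf.vvv"),
    ("2015-12-14T09:00:20", "/home/alice/docs/cv.docx", "/home/alice/docs/cv.docx.vvv"),
    ("2015-12-14T09:30:00", "/home/alice/draft-v1.txt", "/home/alice/draft-final.txt"),
]


def flagged_renames(events):
    """Return only the events whose new name carries a watched extension."""
    return [e for e in events
            if PurePosixPath(e[2]).suffix.lower() in RANSOMWARE_EXTENSIONS]


def affected_directories(events):
    """Count flagged renames per parent directory, to show where the damage is."""
    return Counter(str(PurePosixPath(e[2]).parent) for e in flagged_renames(events))


def encryption_burst(events, window=timedelta(seconds=60), threshold=5):
    """True if at least `threshold` flagged renames fall inside any `window`.

    A single odd file is not conclusive; many renames in seconds is the
    pattern of a process walking the disk and encrypting as it goes.
    Implemented as a sliding window over the time-sorted flagged events.
    """
    times = sorted(datetime.fromisoformat(e[0]) for e in flagged_renames(events))
    start = 0
    for end, current in enumerate(times):
        while current - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


if __name__ == "__main__":
    print("flagged:", len(flagged_renames(SAMPLE_EVENTS)))
    print("by directory:", dict(affected_directories(SAMPLE_EVENTS)))
    print("burst detected:", encryption_burst(SAMPLE_EVENTS))
```

On the constructed sample this reports six flagged renames, four of them under /home/alice/docs, and a burst, because all six fall inside one 60-second window. Raising the threshold to seven returns no burst, which is the knob a defender tunes to trade false alarms against how many files are lost before the alert fires.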
Symantec did not hazard a guess as to who might be behind this TeslaCrypt campaign, since the malware is widely licensed to attackers who want to bundle it in with botnets or browser exploit kits. The attacks have also fallen off considerably since early December, although it is not impossible that they will surge again.
To avoid being infected by TeslaCrypt, there are several simple steps you can take. First, don't open any email attachments you're not expecting — even from people you know. When in doubt, call the sender to confirm he or she sent it.
Second, install and run robust antivirus software. Most forms of encrypting ransomware constantly change their code to evade basic methods of malware detection, and cheaper antivirus programs may not be able to detect shape-shifting software. (Two products we recently reviewed, Bitdefender Internet Security and Trend Micro Internet Security, also have built-in defenses against encrypting ransomware.)
Third, back up your hard drive periodically — at least once a week, and preferably once a day. Make sure the backup software keeps journaled versions of files, so that you can fall back to them if files encrypted by ransomware are backed up as well.
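The reason the backup advice stresses journaled versions is worth seeing concretely. The following is an added example, not code from the article or from any backup product: it contrasts a mirror-style backup, which keeps only the newest copy of each file, with a journaled backup that retains every distinct version. Both run entirely in memory on constructed data; the "encrypted" blob is a stand-in byte string, not real TeslaCrypt output.

```python
"""Mirror backup (weak setting) versus journaled backup (the setting the
article recommends), demonstrated in memory. Added example; all file
contents and timestamps are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Version:
    timestamp: datetime
    digest: str
    data: bytes


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class MirrorBackup:
    """Overwrites each path with whatever is on disk at backup time.
    Once an encrypted copy is backed up, the good copy is gone."""

    def __init__(self):
        self.files = {}

    def store(self, path, data, timestamp):
        self.files[path] = Version(timestamp, sha256(data), data)
        return True

    def restore(self, path, before=None):
        v = self.files.get(path)
        if v is None or (before is not None and v.timestamp >= before):
            return None
        return v.data


class JournaledBackup:
    """Keeps every distinct version of each path, so an older copy can be
    restored even after a newer, encrypted copy was backed up."""

    def __init__(self):
        self.history = {}

    def store(self, path, data, timestamp):
        versions = self.history.setdefault(path, [])
        digest = sha256(data)
        if versions and versions[-1].digest == digest:
            return False  # content unchanged since last run; nothing to journal
        versions.append(Version(timestamp, digest, data))
        return True

    def restore(self, path, before=None):
        """Latest version written strictly before `before` (or the newest overall)."""
        candidates = [v for v in self.history.get(path, [])
                      if before is None or v.timestamp < before]
        return candidates[-1].data if candidates else None


# Constructed timeline: two legitimate edits, then an infection that replaces
# the file's content with ciphertext before the third backup run.
PATH = "/home/alice/docs/report.docx"
DAY1, DAY2, DAY3 = (datetime(2015, 12, 12), datetime(2015, 12, 13), datetime(2015, 12, 14))
CLEAN_V1 = b"quarterly report v1"
CLEAN_V2 = b"quarterly report v2"
ENCRYPTED = b"\x8a\x13\xf0\x42\x9c\x77\x01\xde"  # constructed stand-in for ciphertext


def simulate(backup):
    """Run the timeline through a backup object and return what can be
    restored from before the infection, and what the newest copy is."""
    backup.store(PATH, CLEAN_V1, DAY1)
    backup.store(PATH, CLEAN_V2, DAY2)
    backup.store(PATH, CLEAN_V2, DAY2)  # a repeat run with no change
    backup.store(PATH, ENCRYPTED, DAY3)
    return backup.restore(PATH, before=DAY3), backup.restore(PATH)


def version_count(backup, path):
    return len(backup.history.get(path, []))


if __name__ == "__main__":
    print("mirror   :", simulate(MirrorBackup()))
    print("journaled:", simulate(JournaledBackup()))
```

With the mirror backup, restoring anything from before the infection returns nothing, because the encrypted copy overwrote the only version held. The journaled backup still has both clean versions (the unchanged re-run is deduplicated by content hash) and hands back the last good edit. Since TeslaCrypt also renames files, a real agent would see the encrypted copy under a new name, but the journaled history of the original path survives either way; the piece that matters is that nothing is ever overwritten.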
If you've already been infected with TeslaCrypt, there's not much you can do. Salvage any unlocked files, try to roll back your system to an earlier version (and if that fails, then wipe and restore your system), and try not to fall for a similar scam in the future.