{"id":17418,"date":"2015-03-12T15:26:40","date_gmt":"2015-03-12T21:26:40","guid":{"rendered":"https://www.webroot.com/blog/?p=17418"},"modified":"2018-01-30T13:15:10","modified_gmt":"2018-01-30T20:15:10","slug":"teslacrypt-encrypting-ransomware-that-now-grabs-your-games","status":"publish","type":"post","link":"https://www.webroot.com/blog/2015\/03\/12\/teslacrypt-encrypting-ransomware-that-now-grabs-your-games\/","title":{"rendered":"TeslaCrypt &#8211; Encrypting ransomware that now grabs your games"},"content":{"rendered":"<p>The encrypting ransomware business model is hugely successful and isn&#8217;t going away\u00a0any time soon (possibly ever). This latest variant not only encrypts\u00a0the normal scope of valued files, but it now\u00a0encrypts\u00a0files required for your games &#8211; saves, mods, and profiles (like Day Z). It even encrypts\u00a0game software components from the likes of Valve, Bethesda, Unreal Engine, and RPG Maker. This means that, if hit by the malware, many of the major games that users play will be rendered useless unless they pay the ransom. 
For a full list of the scope of files encrypted, see <a href=\"http:\/\/pastebin.com\/F3DkKCet\">here<\/a>.<\/p>\n<p>Here is what the GUI looks like:<\/p>\n<div id=\"attachment_17419\" style=\"width: 310px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/03\/gui.png\"><img aria-describedby=\"caption-attachment-17419\" decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-17419\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/03\/gui-300x300.png\" alt=\"The last thing anyone wants to see\" width=\"300\" height=\"300\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/03\/gui-300x300.png 300w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/03\/gui-150x150.png 150w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/03\/gui-1024x1024.png 1024w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-17419\" class=\"wp-caption-text\">The last thing anyone wants to see<\/p><\/div>\n<p>Notice how it says &#8220;CryptoLocker-V3&#8221; on the window and has an uncanny resemblance. However, this is very different from the original CryptoLocker, so don&#8217;t be fooled. Tools like decryptolocker.com are <strong>NOT<\/strong> going to work on this variant. It also mentions <em>&#8220;Click to Free Decryption on site&#8221;<\/em>. When we\u00a0first saw this, we\u00a0thought maybe it offered a free decryption similar to what we\u00a0observed on an <a href=\"https://www.webroot.com/blog/2014\/11\/14\/coinvault\/\">older ransomware variant<\/a>, but it&#8217;s just a lie. 
Here is what you are presented with when you go to the decryption site and enter the bitcoin address it assigns you.<\/p>\n<div id=\"attachment_17420\" style=\"width: 310px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/03\/payment-page.png\"><img aria-describedby=\"caption-attachment-17420\" decoding=\"async\" loading=\"lazy\" class=\"size-medium wp-image-17420\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/03\/payment-page-300x300.png\" alt=\"That's a lot of money...\" width=\"300\" height=\"300\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/03\/payment-page-300x300.png 300w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/03\/payment-page-150x150.png 150w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2015\/03\/payment-page-1024x1024.png 1024w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-17420\" class=\"wp-caption-text\">That&#8217;s a lot of money&#8230;<\/p><\/div>\n<p>Bitcoin is the preferred method of payment, as it is an untraceable, secure method of receiving payment from you, so they give you a better price of only $415. If you wish to use payment systems like PayPal My Cash Card, then the price increases to $1000 (this is because they lose a percentage through the middleman). It is very clear that they want the hefty discount to sway you into using bitcoin as payment.<\/p>\n<p>Webroot will catch this specific variant in real time and heuristically before any encryption takes place. We\u2019re always on the lookout for more, but just in case of new zero-day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. 
Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files, as we save a snapshot history for each of your files, up to ten previous copies. Please see our <a href=\"https:\/\/community.webroot.com\/t5\/Webroot-Education\/Best-practices-for-securing-your-environment-against\/ta-p\/191172\">community post<\/a> on best practices for securing your environment against encrypting ransomware.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The encrypting ransomware business model is hugely successful and isn&#8217;t going away\u00a0any time soon (possibly ever). This latest variant not only encrypts\u00a0the normal scope of valued files, but it now\u00a0encrypts\u00a0files required for your games &#8211; saves, mods, and profiles (like Day Z). It even encrypts\u00a0game software components from the likes of Valve, Bethesda, Unreal 
[&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":17419,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[4263,14215,18645,5443,5435,18643,3483,5297,18641,4389,11225,8223,5797,3937,18647,8015,3777,3471,5439,3525],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/17418"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=17418"}],"version-history":[{"count":4,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/17418\/revisions"}],"predecessor-version":[{"id":17592,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/17418\/revisions\/17592"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17419"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=17418"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=17418"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=17418"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=17418"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}