TeslaCrypt ransomware joins the fee-for-file-recovery trend

May 22, 2015

The Dell Sonicwall Threats Research team has received reports of a new file encrypting ransomware called TeslaCrypt. Like other file encrypting ransomware such as Cryptolocker and Cryptowall this trojan holds files ransom for a fee. Communication to the C&C/key server is encrypted and takes place over the tor network. Bitcoin is used as the currency of choice in making payments for file recovery and aids in making it difficult for authorities to trace operators. Ransomware of this nature has proven to be a very effective and lucrative business model. It is a trend that we expect to continue throughout 2015.

Infection cycle:

Upon infection the Trojan displays the following text on the desktop background:

It also displays the following dialog in the foreground:

The Trojan makes the following DNS queries:


The Trojan adds the following files to the filesystem:

  • %APPDATA%key.dat
  • %APPDATA%log.html
  • %APPDATA%nvpdpcv.exe [Detected as GAV: TeslaCrypt.A_6 (Trojan)]
  • %USERPROFILE%DesktopCryptoLocker.lnk (link to nvpdpcv.exe)

The Trojan adds the following keys to the windows registry to enable startup after reboot:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun svv_e "%APPDATA%nvpdpcv.exe"
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce *svv_e "%APPDATA%nvpdpcv.exe"

It issues the following command to clean up after infection:

      "%WINDIR%system32cmd.exe" /c del {run location}nvpdpcv.exe >> NUL

It also issues the following command to delete any volume shadow copies on the system:

      "%WINDIR%system32vssadmin.exe" delete shadows /all /Quiet

The Trojan appears to be inspired by Cryptolocker. CryptoLocker.lnk uses the following icon:

key.dat contains the following data which includes the bitcoin address to send funds to:

Files on the system and any attached shares are encrypted with the RSA-2048 algorithm as stated in the displayed splash screen. log.html contains a list of all the files that were encrypted:

The Trojan contacts ipinfo.io in order to obtain the public IP of the infected machine:

The Trojan was observed sending encrypted information over the tor network to a remote C&C/key server:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: TeslaCrypt.A (Trojan)
  • GAV: TeslaCrypt.A_2 (Trojan)
  • GAV: TeslaCrypt.A_3 (Trojan)
  • GAV: TeslaCrypt.A_4 (Trojan)
  • GAV: TeslaCrypt.A_5 (Trojan)
  • GAV: TeslaCrypt.A_6 (Trojan)