Martijn Lammerts

MSRT October 2015: Tescrypt

13 October 2015

October’s Microsoft Malicious Software Removal Tool (MSRT) includes detection and remediation for the following families:

This blog focuses on the ransomware family Tescrypt.

Tescrypt started showing up early in 2015 and, like most of its file-encrypting predecessors, it does what most typical ransomware does:

  1. Searches for specific file types on the infected machine (see our encyclopedia description for a list of known file extensions it targets)
  2. Encrypts the files with AES 256 hash encryption
  3. Demands payment from the PC’s user in exchange for a key or code that will decrypt the files

It uses the same encryption method to communicate with its command and control server to generate a personalized TOR payment webpage for the infected machine. Earlier variants stored the private key as a file on the machine itself – Cisco/Talos created the Talos TeslaCrypt Decryption Tool that enables affected users to decrypt their files with the locally stored private key.

Recent variants, however, store the key in the registry as binary data.

The main callout that separates this from other ransomware threats is in the types or context of the files it targets for encryption: files related to PC games and financial or tax software in addition to other files more commonly encrypted by ransomware. The following is a list of extensions we’ve seen this threat use in relation to specific programs:

  • .arch00
  • .d3dbsp
  • .dayzprofile
  • .ibank
  • .mcgame
  • .qdf
  • .rofl
  • .sav
  • .t12/ .t13
  • .tax
  • .vfs0
  • .vpp_pc
  • .w3x


We saw a large spike in the number of detections for Tescrypt in late August 2015 (see Figure 1). Prior to August, infections were steady but low; since that spike, detections have risen and fallen but overall have remained higher than before that first peak in late August.

Figure 1: Tescrypt encounters since August 2015

Globally, the United States remains the most infected, accounting for over a full third of the distribution. The chart in Figure 2 shows the distribution share of Tescrypt in September 2015; countries with less than a 1.0% share are grouped together.

Figure 2: Countries most affected by Tescrypt infections

This malware usually arrives as a payload of exploit kits. It can also be downloaded by other malware. The exploit kits we’ve seen distributing Tescrypt include:

Tescrypt has used the alias “Tesla Crypt” (and “Alpha Crypt” in earlier variants, see Figure 3), and in some cases mimics other ransomware families such as Crilock and Crowti by displaying similar screen prompts (see Figures 4 and 5).

Figure 3: Alpha Crypt

Figure 4: Example of Tescrypt that mimics Crilock

Figure 5: Example of Tescrypt that mimics Crowti

More information about this malware’s behavior can be found in our encyclopedia entry Win32/Tescrypt, and information about ransomware in general on our ransomware page.

Prevention and remediation

Our general ransomware recommendations apply for Tescrypt.

The best defense against ransomware is pre-defense: make sure you have important documents, files, and databases securely backed up in disconnected or remote storage. This can be as simple as a flash drive or a removable hard disk that you save files to once a week and then disconnect from your PC.
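A check for the backup advice above, as an added example that is not part of the original post: it walks a folder for files with the extensions listed earlier on this page and reports any that have no copy, or only an older copy, under a backup folder. The function names and the assumption that the backup mirrors the source folder layout are illustrative.

```python
import os
import sys
from pathlib import Path

# Extensions taken from the list on this page (".t12/ .t13" split into two).
TARGETED_EXTS = {
    ".arch00", ".d3dbsp", ".dayzprofile", ".ibank", ".mcgame", ".qdf",
    ".rofl", ".sav", ".t12", ".t13", ".tax", ".vfs0", ".vpp_pc", ".w3x",
}

def find_targeted(root):
    """Yield paths (relative to root) of files whose extension is on the list."""
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Compare case-insensitively: "SLOT1.SAV" is as exposed as "slot1.sav".
            if Path(name).suffix.lower() in TARGETED_EXTS:
                yield (Path(dirpath) / name).relative_to(root)

def backup_gaps(source_root, backup_root):
    """Compare at-risk files under source_root with the copy under backup_root.

    Assumption: the backup mirrors the source folder layout.
    Returns {"missing": [...], "stale": [...]}: files with no backup copy, and
    files modified after their backup copy was written.
    """
    gaps = {"missing": [], "stale": []}
    for rel in sorted(find_targeted(source_root)):
        src = Path(source_root) / rel
        dst = Path(backup_root) / rel
        if not dst.is_file():
            gaps["missing"].append(rel.as_posix())
        elif src.stat().st_mtime > dst.stat().st_mtime:
            gaps["stale"].append(rel.as_posix())
    return gaps

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: backup_gaps.py SOURCE_DIR BACKUP_DIR")
    report = backup_gaps(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}\t{p}")
    # Non-zero exit when anything is unprotected, so a scheduled task can alert.
    sys.exit(1 if any(report.values()) else 0)
```

Run it while the backup drive is attached, then disconnect the drive again as described above.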

If you are infected, Microsoft recommends you don’t pay the fine. There is no guarantee that paying the ransom will give you access to your files. Paying extortion money such as a ransom might only encourage cybercrime to be financially successful.

However, if you’ve already paid, see our ransomware page for help on what to do now.

You might be able to use the Talos TeslaCrypt Decryption Tool to recover your encrypted files. However, Microsoft makes no representations or warranties that the tool will recover your files.

Microsoft’s general antimalware remediation instructions also apply.

Run antivirus or antimalware software

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Advanced troubleshooting

To restore your PC, you might need to download and run Windows Defender Offline. See our advanced troubleshooting page for more help.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Adding a prevalent ransomware like Tescrypt, along with adding other malware, helps widen our coverage in protecting and remediating PCs that regularly run and apply the monthly MSRT update.

The MSRT update is delivered automatically by default to PCs running Windows Vista and later. You can also manually download and run the tool at any time by visiting the Malicious Software Removal Tool page at the Microsoft Safety & Security Center.