Not to be confused with TeslaCrypt.

TeslaWare is a ransomware that runs on Microsoft Windows. It was discovered by xXToffeeXx. It is aimed at English-speaking users. It is named after the American automotive and energy company Tesla.

Behavior

TeslaWare is a complete mess, inefficient, and horribly slow.

Payload

Transmission

TeslaWare is currently being promoted and sold through black hat/criminal sites for 35 to 70 Euros, depending on the customizations the buyer wants in the ransomware. In a post on a black hat forum, the developer markets TeslaWare using a very nicely designed poster that combines the Tesla car logo, a network operations center, and specifications for the ransomware. It provides most of the information a potential buyer would need.

According to the poster, TeslaWare can be purchased at the following price points based on the features a buyer wants to customize:

  • 35€ Custom BTC
  • 40€ Custom BTC & Text
  • 50€ Custom BTC, Text, Timer, & Pass
  • 70€ All above with custom GUI

The poster also lists the following TeslaWare features:

  • AES 256 Bit Encryption
  • Counter
  • Instructions
  • Decrypt Files
  • Can't be Decrypted With AV Tools
  • 100% FUD
  • Change Wallpaper

While most of the listed features are accurate, the ransomware is not FUD, and its files can be decrypted for free.

Infection

When started, TeslaWare will encrypt files using AES-256 encryption and target numerous drive letters and folders. Unlike most ransomware, which targets specific file extensions, TeslaWare instead encrypts everything except files that end with .Tesla, .lnk, .exe, .dll, and .sys.

When encrypting a file, TeslaWare will append the .Tesla extension to the encrypted file. This means that an unencrypted file called test.jpg would be encrypted and renamed as test.jpg.Tesla.

When it is done encrypting files, the TeslaWare ransom screen will be displayed. The ransom screen says the following:

All of your important files have been encrypted. To decrypt them you need to obtain the private key from us. We are the only who can provide you the key, so don't try to recover the files by yourself, it will only make the situation worse for you.

To get this key you have to send 100 $ worth of bitcoins to the address that you can see in the left. For more info please check the links.

After payment, please paste the TX ID and press "Check". If our system detected the payment as succesfull, your files will be decrypted and you will use your pc as nothing happened.

This lock screen contains two timers. The first timer, which depicts a revolver cylinder, is a 59 minute countdown for the Russian Roulette "feature" of TeslaWare. When this countdown hits 0, TeslaWare will delete 10 random files from the victim's desktop or its subfolders.

The second timer, showing the skull, runs for 72 hours, and when it reaches 0, TeslaWare will delete all of the files on the C: drive.

Finally, TeslaWare will attempt to download and set the victim's desktop wallpaper to a picture of Nikola Tesla.

Image: the wallpaper (a picture of Nikola Tesla).

Included in TeslaWare are two unused functions that could increase the damage potential of the ransomware. The first function allows the developer to create a new network share on the victim's computer. While this has no readily apparent use, it could be used to gain further access to a victim's computer if it is connected directly to the Internet without a firewall protecting it.

The other function is to have TeslaWare spread to open network shares on other computers. This function, called NSpread, will copy the executable to network shares and then create .pif files called runme.pif or start.pif in these shares. If a user on the remote computer executes these files, then TeslaWare would be installed on those computers as well.
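The file-naming behaviour described in the Infection section and the NSpread artifacts above are enough for a simple triage pass over a directory listing. The following is an added example written for this article, not TeslaWare's code or any vendor's tool; it assumes Windows-style paths and classifies each entry as encrypted (recovering the original name by stripping .Tesla), skipped by the ransomware, a likely NSpread dropper, or still at risk.

```python
from pathlib import PureWindowsPath

# Hypothetical triage helper for this article; not TeslaWare's own code.
# It encodes only the behaviour the article describes: .Tesla appended to
# encrypted files, five file types skipped, runme.pif/start.pif from NSpread.
ENCRYPTED_SUFFIX = ".tesla"
SKIPPED_SUFFIXES = {".tesla", ".lnk", ".exe", ".dll", ".sys"}
NSPREAD_DROPPERS = {"runme.pif", "start.pif"}

def classify(path):
    """Return 'dropper', 'encrypted', 'skipped' or 'at_risk' for one path."""
    p = PureWindowsPath(path)
    name = p.name.lower()          # Windows names are case-insensitive
    if name in NSPREAD_DROPPERS:
        return "dropper"
    # An encrypted file keeps its original name in front of the suffix.
    if name.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
        return "encrypted"
    if p.suffix.lower() in SKIPPED_SUFFIXES:
        return "skipped"
    return "at_risk"

def original_name(encrypted_path):
    """Map test.jpg.Tesla back to test.jpg, the renaming the article describes."""
    if classify(encrypted_path) != "encrypted":
        raise ValueError(f"not a TeslaWare-encrypted name: {encrypted_path}")
    p = PureWindowsPath(encrypted_path)
    return str(p.with_name(p.name[:-len(ENCRYPTED_SUFFIX)]))

def triage(paths):
    """Group a listing into the four classes; encrypted entries map to originals."""
    report = {"encrypted": {}, "dropper": [], "skipped": [], "at_risk": []}
    for path in paths:
        kind = classify(path)
        if kind == "encrypted":
            report["encrypted"][path] = original_name(path)
        else:
            report[kind].append(path)
    return report

# Constructed sample listing for demonstration (not from a real infection).
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\test.jpg.Tesla",
    r"C:\Users\victim\Documents\budget.xlsx",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\victim\Desktop\Chrome.lnk",
    r"\\FILESRV\public\runme.pif",
    r"\\FILESRV\public\report.docx.Tesla",
]
```

Running `triage(SAMPLE_LISTING)` on a real listing gives a quick count of encrypted files per share or drive and flags the .pif droppers that should be removed before anyone opens them.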

Media

TeslaWare Ransomware extension .Tesla - Demonstration of attack video review

Community content is available under CC-BY-SA unless otherwise noted.