.tedcrypt files virus
Ransomware | 08/09/2018

How to Remove .tedcrypt (Jigsaw) Files Virus?


Guide to remove .tedcrypt files virus

.tedcrypt files virus is a new iteration of Jigsaw ransomware.


Jigsaw, originally titled “BitcoinBlackmailer”, is a form of encryption ransomware created in 2016. The ransomware was named Jigsaw because its ransom note featured an image of Billy the Puppet from the Saw film franchise. The malware encrypts important user files and deletes them if the user fails to pay the ransom demanded for decryption.

Unlike earlier Jigsaw variants, .tedcrypt files virus displays the image of a teddy bear on the victim's screen instead of the killer from the movie “Saw”, and its ransom note is written in Turkish.

The ransom note declares that victims still have a chance to retrieve their files and threatens to delete the files permanently if the ransom is not paid within 24 hours. The ransom amount demanded by the cyber miscreants for the decryption key is not yet known.

The ransom note also states that alternative recovery methods such as deleting the software, shutting down the computer, restarting, or formatting the hard disk will not help. The only way to retrieve the encrypted files, it claims, is to obtain the decryption key.


However, victims are advised not to fall into this trap: even after paying the ransom, the chance of receiving the decryption key is nil.

There is also good news. The code of Jigsaw ransomware has been successfully cracked by security researchers, and a free decryption tool has been released for some of its variants. The decryptor is expected to be updated for the .tedcrypt variant too, after which the encrypted files can be restored.

.tedcrypt Files Virus (Jigsaw) – Threat Behaviour

.tedcrypt Files Virus targets specific system Registry keys to achieve persistent installation. These keys are typically Run and RunOnce.

These registry keys manage the automatic execution of programs that are started when the system comes up. Adding a malicious entry under these keys therefore gives the ransomware persistence, because the values stored under Run and RunOnce determine which files are executed automatically on system boot.

Once the infection is in the system it resides in the major system folders including:

  • %AppData%
  • %Temp%
  • %Roaming%
  • %Local%
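The two persistence points above (Run/RunOnce values launching from the user-writable folders the guide lists) can be checked from an elevated PowerShell prompt. The script below is an added example, not code from the original guide; it only reads the registry and prints the removal command for each flagged entry instead of running it, since some legitimate updaters also live under AppData. The folder list and the four key paths are the assumptions it starts from.

```powershell
# Added example (not from the original guide): audit Run/RunOnce autostart
# entries and flag those that launch a binary from %AppData%, %Temp% or
# %LocalAppData%. Read-only; run in an elevated PowerShell prompt.

$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders that legitimate autostart entries rarely launch from (assumed list).
$suspectRoots = @($env:APPDATA, $env:TEMP, $env:LOCALAPPDATA) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Properties PowerShell adds to every Get-ItemProperty result; not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutorunEntries {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $command  = [string]$prop.Value
            # Expand %AppData%-style references so the path comparison works.
            $expanded = [Environment]::ExpandEnvironmentVariables($command)
            $suspect  = $false
            foreach ($root in $suspectRoots) {
                if ($expanded.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    $suspect = $true; break
                }
            }
            [PSCustomObject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $command
                Suspect = $suspect
            }
        }
    }
}

$entries = @(Get-AutorunEntries)
$entries | Format-Table -AutoSize

$flagged = @($entries | Where-Object Suspect)
if ($flagged.Count -gt 0) {
    Write-Host "`nEntries launching from user-writable folders (verify each before removing):"
    foreach ($e in $flagged) {
        # Printed, not executed: review the Command column first.
        Write-Host ("Remove-ItemProperty -Path '{0}' -Name '{1}'" -f $e.Key, $e.Name)
    }
}
```

On a 64-bit system the HKLM\Software\Wow6432Node\...\Run and RunOnce keys hold the same kind of entries and can be appended to $autorunKeys. Keep a copy of the table output before deleting anything; it documents what was found if the entry turns out to be needed for a later decryptor run.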

.tedcrypt crypto virus is known to use the AES cipher to encrypt files. Encrypted files are marked with the .tedcrypt extension.

The files that this Jigsaw variant targets include:

.7zip, .txt, .asp, .cs, .java, .csv, .dat, .db, .doc, .docx, .dot, .gif, .jar, .jpeg, .jpg, .max, .mp3, .mp4, .mpeg, .msg, .pdf, .php, .png, .potm, .ppt, .rar, .sql, .xls, .xlsx, .xml, .zip and many more.

Hence, valuable files of every kind are encrypted, including:

  • Audio files
  • Video files
  • Image files
  • Backup files
  • Document files
  • Banking credentials, etc.
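Because the original extension is preserved in front of .tedcrypt (report.docx becomes report.docx.tedcrypt), the scope of the damage can be measured before any removal step. The script below is an added example, not part of the original guide: it inventories encrypted files under assumed scan roots, groups them by original type, derives the time window in which the encryption ran, and writes a manifest. Nothing is renamed or deleted, which matters because the encrypted files are what a future decryptor needs.

```powershell
# Added example (not from the original guide): inventory *.tedcrypt files
# so the impact is known and the originals are kept for a decryptor.
# $ScanRoots and $Manifest are assumed locations; adjust them as needed.

$ScanRoots = @($env:USERPROFILE, 'D:\')                          # assumed
$Manifest  = Join-Path $env:USERPROFILE 'Desktop\tedcrypt-inventory.csv'
$Marker    = '.tedcrypt'

function Get-EncryptedFileInventory {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Filter "*$Marker" -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                # "report.docx.tedcrypt" -> "report.docx" -> original extension ".docx"
                $originalName = $_.Name.Substring(0, $_.Name.Length - $Marker.Length)
                [PSCustomObject]@{
                    EncryptedPath = $_.FullName
                    OriginalName  = $originalName
                    OriginalExt   = [System.IO.Path]::GetExtension($originalName).ToLowerInvariant()
                    SizeBytes     = $_.Length
                    LastWrite     = $_.LastWriteTime
                }
            }
    }
}

$inventory = @(Get-EncryptedFileInventory -Roots $ScanRoots)
"{0} encrypted files found" -f $inventory.Count

# Which file types were hit?
$inventory | Group-Object OriginalExt | Sort-Object Count -Descending |
    Select-Object @{ n = 'Extension'; e = { $_.Name } }, Count | Format-Table -AutoSize

# When did the encryption run? The file mtimes bracket the window, which is
# also the cut-off for choosing a System Restore point later in the guide.
if ($inventory.Count -gt 0) {
    $first = ($inventory | Measure-Object LastWrite -Minimum).Minimum
    $last  = ($inventory | Measure-Object LastWrite -Maximum).Maximum
    "Encryption window (by file modification time): $first to $last"
}

# Persist the manifest; the encrypted files themselves stay untouched.
$inventory | Export-Csv -Path $Manifest -NoTypeInformation -Encoding UTF8
"Manifest written to $Manifest"
```

Run it from the infected user's account so that profile paths resolve correctly, and add any mapped or external drives to $ScanRoots. The CSV is worth copying to separate media together with the encrypted files before any cleanup begins.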

.tedcrypt Files Virus (Jigsaw) – Spread Techniques

The ransomware is distributed in various ways, the most common being spam email attachments. To evade detection, the malware is obfuscated so that antivirus or other protection software installed on the system does not recognise it.

The techniques used by cyber miscreants to spread the ransomware include:

Downloading spam email attachments or clicking on suspicious hyperlinks: This is the most prevalent distribution technique. In this campaign, cyber crooks attach malicious files to spam emails. To make users download them, the email is disguised as a legitimate message from popular brands, governmental institutions, private services, etc., that appears important and demands urgency, such as:

  • Online Banking documents
  • Receipts
  • Invoices

In addition, the email may contain a disguised hyperlink; clicking it may direct the user to a malicious website and lead to the installation of .tedcrypt files virus.

Threat Summary

Name: .tedcrypt files virus 

Browsers Affected: Google Chrome, Internet Explorer, Mozilla Firefox

Targeted Operating System: Windows

Category: Ransomware

Symptoms: The user's files are encrypted with the AES cipher. All locked files carry the “.tedcrypt” extension after encryption and hence cannot be opened by the user.

How to protect the system against .tedcrypt crypto virus?

Step A: Reboot your system to Safe Mode with Networking

To restart a running system into Safe Mode with Networking, follow the steps below:

Windows 7/ Vista/ XP

  1. Click on the Windows icon present in the lower left corner of the computer screen.
  2. Select and click Restart.
  3. When the screen goes blank, keep tapping the F8 key until you see the Advanced Boot Options window.
  4. With the help of the arrow keys on the keyboard, select the Safe Mode with Networking option from the list and press the Enter key. The system will then restart to Safe Mode with Networking.
  5. Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift key and simultaneously click on the Windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Networking. The system will then restart to Safe Mode with Networking.
  5. Click on the username and enter the password.

Restore your system files and settings

Method 1 using Control Panel

  1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel window.
  3. In the Control Panel window, click on the ‘View by:’ button on the top right. Select the Large Icons option.
  4. In the Control Panel window click on the ‘Recovery’ icon. This will open a window that asks ‘Restore the computer to an earlier point in time’.
  5. Click on the ‘Open System Restore’ button. This will open the ‘System Restore’ window, where you need to click on the Next button.
  6. Select the restore point that is prior to the infiltration of .tedcrypt files virus. After doing that, click Next.
  7. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by .tedcrypt files virus.

Method 2 using Command Prompt

  1. Type cmd in the search box and click on Command Prompt to open the Command Prompt window.
  2. Once the Command Prompt window shows up, enter cd restore and press Enter. (Ensure that you are in the system32 directory of the Windows folder on the C drive.)
  3. Now type rstrui and press Enter again.
  4. When a new window shows up, click Next and select the restore point that is prior to the infiltration of .tedcrypt files virus. After doing that, click Next.
  5. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by .tedcrypt files virus.

Method 3 : Directly type 'rstrui' in the search box

  1. Type ‘rstrui’ in the search box present on the taskbar. This will open the System Restore dialog box.

Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.
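The three methods above all end at the same dialog, where the one decision that matters is which restore point predates the infection. As an added example that is not part of the original guide, the script below lists the restore points from Windows PowerShell, keeps only those created before an assumed infection time, and shows the command that would apply the newest of them. Get-ComputerRestorePoint and Restore-Computer are Windows PowerShell 5.1 cmdlets; they are not available in PowerShell 7.

```powershell
# Added example (not from the original guide): choose a System Restore point
# that predates the encryption. $InfectionTime is an assumed value; set it to
# the earliest .tedcrypt file timestamp observed. Elevated Windows PowerShell 5.1.

$InfectionTime = Get-Date '2018-08-09 00:00'   # assumed; adjust to your case

function Get-RestorePointsBefore {
    param([datetime]$Before)
    Get-ComputerRestorePoint | ForEach-Object {
        # CreationTime is a DMTF/WMI timestamp string (e.g. 20180805093012.000000-000)
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        [PSCustomObject]@{
            SequenceNumber = $_.SequenceNumber
            Created        = $created
            Description    = $_.Description
            Type           = $_.RestorePointType
        }
    } | Where-Object { $_.Created -lt $Before } | Sort-Object Created -Descending
}

$candidates = @(Get-RestorePointsBefore -Before $InfectionTime)
if ($candidates.Count -eq 0) {
    "No restore point predates $InfectionTime; System Restore cannot help on this machine."
    return
}
$candidates | Format-Table -AutoSize

# The newest point that still predates the infection loses the least work.
$chosen = $candidates[0]
"Newest pre-infection restore point: #$($chosen.SequenceNumber) created $($chosen.Created)"

# Restore-Computer reboots the machine; -Confirm prompts before it does.
# Uncomment once the choice above has been reviewed:
# Restore-Computer -RestorePoint $chosen.SequenceNumber -Confirm
```

System Restore rolls back system files and registry keys, which is where the Run/RunOnce persistence lives, but it does not restore the encrypted user documents; those still depend on a backup or a released decryptor.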

Step B: Restart System using Safe Mode with Command Prompt

Windows 7/ Vista/ XP

  1. Click on the Windows icon present in the lower left corner of the computer screen.
  2. Select and click Restart.
  3. When the screen goes blank, keep tapping the F8 key until you see the Advanced Boot Options window.
  4. With the help of the arrow keys on the keyboard, select Safe Mode with Command Prompt from the list and press the Enter key. The system will then restart to Safe Mode with Command Prompt.
  5. Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift key and simultaneously click on the Windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Command Prompt. The system will then restart to Safe Mode with Command Prompt.
  5. Click on the username and enter the password.

Once the system starts, use an account with administrative privileges to access Safe Mode with Command Prompt.

After the admin credentials are entered, the Command Prompt window is displayed, where you can enter the commands below:

  1. Type the command “sc delete .tedcrypt files virus” in the command prompt and press Enter.
  2. Type “exit” to exit the command prompt and restart the system in safe mode with command prompt.
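sc delete takes the registered service name, which is rarely the name the malware is known by, so the first task at that prompt is to find out which service, if any, the infection registered. The script below is an added example and not code from the original guide: it lists services whose executable lives in one of the user-writable folders the guide names, and prints the matching sc stop / sc delete commands for review rather than running them. The folder list is an assumption; legitimate software occasionally installs services there as well.

```powershell
# Added example (not from the original guide): find services whose binary
# runs from %AppData%, %LocalAppData% or %Temp%, and show the exact
# "sc delete <ServiceName>" command each one would need. Read-only.

function Get-SuspectServices {
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }   # assumed list
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = [Environment]::ExpandEnvironmentVariables([string]$svc.PathName)
        $hit  = @($roots | Where-Object { $path.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
        if ($hit.Count -gt 0) {
            [PSCustomObject]@{
                Name        = $svc.Name          # the name sc.exe and Stop-Service expect
                DisplayName = $svc.DisplayName   # what the Services console shows
                State       = $svc.State
                StartMode   = $svc.StartMode
                PathName    = $svc.PathName
            }
        }
    }
}

$suspects = @(Get-SuspectServices)
if ($suspects.Count -eq 0) {
    "No services start from user-writable folders."
    return
}
$suspects | Format-Table -AutoSize

"Commands to run after verifying each entry (stop first so the binary is not in use):"
foreach ($s in $suspects) {
    'sc stop "{0}"'   -f $s.Name
    'sc delete "{0}"' -f $s.Name
}
```

In Safe Mode with Command Prompt the same script can be started by typing powershell at the prompt, and sc queryex "<ServiceName>" confirms that a service is gone once the delete has been applied.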

Step C – Protect your system with Windows Defender

Windows 7

  1. Click on the Windows icon present in the bottom left corner of the task bar to open up the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel dialog box.
  3. In the Control Panel dialog box, click on the ‘View by:’ dropdown at the top right corner of the dialog box and select Large Icons.
  4. Click on the Windows Defender icon. This will open the Windows Defender dialog box.
  5. Click on the ‘Check for updates now’ button. It will check for updated definitions before scanning the system.
  6. Once Defender is updated, click on the Scan Now button.
  7. It will take some time to scan the system for threats.
  8. Once the scan is complete and no threats are found, you will see the message ‘No unwanted or harmful software detected’ in a green bar.
  9. If threats are found, it is recommended that you use an antivirus to keep your system risk free.

Windows 10

  1. Click on the search box and type “Defender” (you can also press Windows key + Q to bring up the search bar). Windows Defender Settings should appear in the results list. Click on it to launch the program.
  2. In the Defender window, click on the Open Windows Defender Security Center button. This will launch the Windows Defender Security Center window.
  3. Click on the Virus & Threat Protection icon in the Windows Defender Security Center window.
  4. In the Virus & Threat Protection window that appears, click on the Quick scan button. This will scan the system for viruses and other threats.
  5. The system scan will take some time. Once the scan is complete and no threats are found, you will be notified with a pop-up message at the bottom right corner of the window: ‘No threats were found’.
  6. If threats are found, it is recommended that you use an antivirus to keep your system risk free.

Step D: Update your System Software

Windows 7

  1. Click on the Windows icon present in the bottom left corner of the task bar to open up the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel dialog box.
  3. In the Control Panel dialog box, click on the ‘View by:’ dropdown at the top right corner of the dialog box and select Large Icons.
  4. Click on the “Windows Update” link.
  5. After Windows Update opens, click “Check for Updates” button.
  6. Once Windows finishes checking for updates, click the “Install now” button.
  7. When the updates have finished installing, restart your computer (if prompted).

Windows 10

  1. Click on the search box and type “Update” (you can also press Windows key + Q to bring up the search bar). Windows Update Settings should appear in the results list. Click on it to launch the program.
  2. Check the update status. If Windows Update says your device is up to date, you have all the updates that are currently available. For more information about updates, click on View installed update history.
  3. Once the system software is updated, click on the Restart Now button to install the updated software.

Tips to prevent your computer system from getting infected:

  1. Keep the Operating System updated – To remain protected and avoid such infections, keep your Operating System updated by enabling automatic updates on your system. Systems with outdated or older versions of the Operating System are an easy target for attackers.
  2. Resist clicking on spam emails – One of the major techniques used for malware distribution is sending spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear genuine, so be aware and resist falling for these tricks.
  3. Keep an eye on third-party installations – Take due care while installing any third-party applications, as they are a major source of such infections. Such malware programs come bundled with free applications, so the user needs to remain cautious.
  4. Regular periodic backups – To keep your data and files safe, take regular backups of all your data and files, either on an external drive or in the cloud.
  5. Use antivirus protection – We strongly recommend the use of antivirus protection/internet security on your PC, such as Sophos and Vipre, so that it remains safe.
  6. Enable the ad blocker/pop-up blocker in your browser – Enabling the pop-up blocker/ad blocker in your chosen browser will help you stay protected from annoying adware.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Jaipur
Rajasthan 302033
Phone: +91 9799661866