For the last few days the aspiring-to-infamy TeslaCrypt malware has reportedly been on the loose again. Its brand-new version, freshly updated to inflict irreversible damage, is commonly referred to as vvv File Extension Ransomware because of the new extension the contaminant appends to victims’ files. Although otherwise essentially identical to its previous incarnations, vvv File Extension Ransomware is the most malevolent of all, as it is currently impossible to decrypt the data it has locked without paying the ransom.
What Is vvv File Extension Ransomware?
vvv File Extension Ransomware is the newest release of TeslaCrypt – a ransomware application that gamers especially despise, as it gained publicity as the first crypto malware to specifically target gaming-related data. To players’ distress, the malware, whose previous versions hijacked files associated with Diablo, Skyrim, Half Life 2, Assassin’s Creed, League of Legends and World of Warcraft, has now added Fallout 4 saves to its list of targets.
In terms of functionality and intrusion methods, the offensive program hasn’t changed much. Using hacking tools and social engineering techniques, the ransomware installs surreptitiously and remains unnoticed until its malicious work is done. Its first task is to search all system drives, including removable and network-shared ones, for a wide range of file types (office documents, pictures, videos, etc.) and encrypt them, appending the vvv file extension and thus rendering them unusable. Having accomplished this, the ransomware opens an HTML page that makes users aware that their valuable data has been locked and can only be recovered if they pay a ransom of $500. As is typical for such online extortion schemes, the amount must be paid in Bitcoin through a TOR website (so that the cybercriminals cannot be tracked down).
How Is vvv File Extension Ransomware Distributed?
Like other members of the crypto-ransomware family, vvv File Extension Ransomware relies on a couple of underhanded distribution methods that allow the malicious program to stealthily infiltrate and compromise target computers worldwide.
Spam E-mail Campaigns
Spam e-mail campaigns have always been one of cybercriminals’ most widely and effectively used system-penetration methods, so it is not surprising that vvv File Extension Ransomware is mainly spread across the Internet in exactly this way. Countless users around the globe are bombarded with e-mails (sent via botnets and mailing lists bought on Darknet illegal markets) whose text and graphics are misleadingly designed in an, often successful, attempt to pose as parcel delivery companies, utility providers, banks or any other broadly trusted institution. The unsolicited e-mails either feature a seemingly innocuous file attachment or (because nowadays e-mail providers in most cases block malicious binaries outright) a hyperlink to a website that hosts an exploit kit.
Drive-by Download
vvv File Extension Ransomware’s other main propagation vector is so-called “drive-by” downloads. Such an attack usually takes place when a user is lured, typically by means of social engineering such as spam e-mails, deceptive malvertisements and paid traffic delivery services, onto a compromised or maliciously designed website equipped with an exploit kit. The exploit kit, a hacking tool created to identify and take advantage of client-side software vulnerabilities, searches the victim’s system for flaws in Mozilla Firefox, Google Chrome and Internet Explorer, various browser add-ons and other locally installed programs, and runs a nefarious script that installs the malware. Presently, vvv File Extension Ransomware is known to particularly favour three infamous exploit kits: Angler Exploit Kit, Sweet Orange and Nuclear.
What Does vvv File Extension Ransomware Exactly Do?
vvv File Extension Ransomware victims are typically left completely unaware of the malware’s presence until it has done the harm it was built for. Upon installation, which happens completely silently, TeslaCrypt creates a randomly named file which begins to scan all of the system’s storage devices, together with removable drives (such as USB sticks) and shared network resources, for a selection of file formats to encrypt. The malware encodes valuable personal data such as office documents and presentations, business-related and scientific projects, videos and pictures, etc., appending the vvv file extension to them (the malicious program doesn’t tamper with system-critical files, since the system needs to remain fully functional so that the victim can proceed with the ransom payment). Furthermore, the offensive program deletes local Shadow Copies by executing a “vssadmin delete shadows /all” command, so that locked files cannot be restored from volume snapshots.
After encrypting the user’s personal documents with the vvv file extension, the malware displays an HTML page which informs the victim that their data has been locked, showing an index of all hijacked files. The ransom page features instructions on how to install the TOR browser and visit a Darknet website where the equivalent of approximately $500 is to be paid in Bitcoin. Additionally, to assure users that their money won’t go down the drain, TeslaCrypt allows them to unlock one single file for free, as proof.
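As an added example (not code from the original article), the following Python logic turns the two behaviours described above, mass writing of .vvv files across drives and shadow-copy deletion via vssadmin, into detection rules run over a few constructed process-creation and file-write events; the log line format and the dropper name qzp8kd.exe are assumptions, not real artifacts.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs) in a simple assumed format:
# "timestamp|host|event|key=value|key=value". The dropper name qzp8kd.exe is
# a made-up stand-in for the randomly named file TeslaCrypt creates.
SAMPLE_EVENTS = [
    "2015-12-04T10:01:02|WS01|ProcessCreate|image=C:\\Users\\bob\\AppData\\Roaming\\qzp8kd.exe|parent=C:\\Windows\\explorer.exe|cmd=qzp8kd.exe",
    "2015-12-04T10:01:05|WS01|FileWrite|image=C:\\Users\\bob\\AppData\\Roaming\\qzp8kd.exe|target=C:\\Users\\bob\\Documents\\thesis.docx.vvv",
    "2015-12-04T10:01:06|WS01|FileWrite|image=C:\\Users\\bob\\AppData\\Roaming\\qzp8kd.exe|target=C:\\Users\\bob\\Pictures\\holiday.jpg.vvv",
    "2015-12-04T10:01:07|WS01|FileWrite|image=C:\\Users\\bob\\AppData\\Roaming\\qzp8kd.exe|target=E:\\backup\\report.xlsx.vvv",
    "2015-12-04T10:01:09|WS01|FileWrite|image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|target=C:\\Users\\bob\\Documents\\notes.docx",
    "2015-12-04T10:01:40|WS01|ProcessCreate|image=C:\\Windows\\System32\\vssadmin.exe|parent=C:\\Users\\bob\\AppData\\Roaming\\qzp8kd.exe|cmd=vssadmin delete shadows /all",
]

VVV_THRESHOLD = 3  # .vvv writes by one process before we call it mass encryption


def parse_event(line):
    """Split one event line into a dict of its fields."""
    ts, host, kind, *fields = line.split("|")
    event = {"ts": ts, "host": host, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(lines):
    """Return alerts for the two behaviours described above: a process writing
    many *.vvv files across drives, and vssadmin being used to delete shadows."""
    alerts = []
    vvv_writes = defaultdict(list)  # (host, image) -> targets written with .vvv
    for event in map(parse_event, lines):
        if event["kind"] == "FileWrite" and event["target"].lower().endswith(".vvv"):
            vvv_writes[(event["host"], event["image"])].append(event["target"])
        elif event["kind"] == "ProcessCreate":
            exe = event["image"].rsplit("\\", 1)[-1].lower()
            # Shadow-copy deletion: the process of interest is the parent that spawned vssadmin
            if exe == "vssadmin.exe" and re.search(r"delete\s+shadows", event.get("cmd", ""), re.I):
                alerts.append({"rule": "shadow_copy_deletion", "host": event["host"],
                               "process": event.get("parent", "?"), "cmd": event["cmd"]})
    for (host, image), targets in vvv_writes.items():
        if len(targets) >= VVV_THRESHOLD:
            alerts.append({"rule": "mass_vvv_encryption", "host": host, "process": image,
                           "count": len(targets), "drives": sorted({t[:2] for t in targets})})
    return alerts
```

In real telemetry the same two rules would be fed from process-creation and file-write events of an EDR or Sysmon pipeline, with the threshold tuned to the environment.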
How To Restore vvv File Extension Encrypted Data
Since vvv File Extension Ransomware uses an elaborate encryption method, files locked by it can only be decoded by its operators. If you are affected by the malware, this is what you can try:
Volume Shadow Copy Service
Windows features a so-called Volume Shadow Copy service, which you can try using to restore your files. Although vvv File Extension Ransomware is designed to delete all Shadow Copies, it is known not to always achieve that. Therefore it is worth attempting the following:
(note: in order to restore from Shadow Copies you must have previously enabled System Protection in Windows)
To restore a previous (uninfected) version of a locked file, open Windows Explorer by right-clicking the Windows button, and navigate to the desired file. Right-click the file, open “Properties” and then select the “Previous Versions” tab. If vvv File Extension Ransomware hasn’t managed to delete the shadow copy, you will be presented with a selection of previous versions of the file. Choose the version you wish to restore your file to and, after making sure it is the one you really want by opening it, click “Restore”.
Windows Backup
If you have been prudent enough to make a backup image of your Windows installation, you can use the System Restore function to retrieve your files. To do so, navigate to the Control Panel, open “Backup and Restore”, click “Restore my files” and follow the steps of the restoration wizard.
Data Recovery Software
vvv File Extension Ransomware doesn’t overwrite your original files with their encrypted versions; instead it first makes a copy of each file, encodes the copy, and then deletes the original. This means that using data recovery software might turn out to be a feasible way of restoring at least some of your lost data.
Paying The Ransom
If none of the above works out for you, and the files which TeslaCrypt has encrypted with the vvv File Extension are of great importance to you, paying the ransom is ultimately your last resort. Needless to say, digital extortion should generally not be encouraged; besides, there is absolutely no guarantee the cybercriminals will unlock your files even if you pay the fee.