• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs

Kudos1 Stats

Massive Ransomware Campaign Using TeslaCrypt Discovered

It has been discovered that attack groups behind the ransomware known as TeslaCrypt (Trojan.Cryptolocker.N) have ramped up activity in the past two weeks, sending out massive volumes of spam emails containing the hidden malware. TeslaCrypt uses strong encryption to encrypt a wide range of files on the victim’s computer, then demanding a ransom from their victim in order to get their files back. Its creators have continually tweaked the malware and the strategy used to distribute it to help it hide from antivirus detection, therefore making it one of more dangerous threats currently in circulation. A telltale sign of the malware is that each spam email contains an attachment with a file name using common words such as “invoice”, “doc” or “info” in addition to random characters. The attachment may have a file extension of .zip or may have no file extension at all.

Much of the current campaign of TeslaCrypt attacks involve spam emails using a range of social engineering techniques to lure the user into opening them. Examples of the subject lines used in these emails include:
Would you be so kind as to tell me if the items listed in the invoice are correct?
Please accept our congratulations on a successful purchase and best wishes.
Would you be nice enough to provide us with a wire transfer confirmation.

Once the attachment is opened, it will download and install the ransomware on their computer. The ransomware will then encrypt the user’s files and then create two files on the computer, which both contain instructions on how to pay the ransom and receive a decryption key. 

TeslaCrypt is malware that can be purchased on the underground black market. Attack groups pay TeslaCrypt’s authors for use of the malware and possibly also for access to various distribution channels, such as spam botnets or exploit kits. Because of this, it is difficult to identify any one perpetrator responsible.

However, Symantec’s findings show that one group in particular is behind most of the recent spike in TeslaCrypt activity and it appears to be using spam email as its main distribution method.


Given that this group using TeslaCrypt has been highly active in recent weeks, businesses and users should be on their guard. Norton Security protects against TeslaCrypt.

In addition to the protection Norton offers, there are still some extra practices users can take to stay protected from this threat:

  • Keep Internet security software regularly updated. Norton is always up-to-date, other solutions may not be, so be sure to check if your solution is updated.
  • Keep your operating systems and software up-to-date with the latest patches.
  • Use caution when opening emails from unfamiliar sources especially with attachments or links. Do not click on unsolicited web links in email messages or submit any information to webpages in links.
  • Users should also regularly back up any files stored on their computers. Once backed up, be sure to keep the backup device unplugged from the computer, as it is still susceptible to infection if connected. If a computer is compromised with ransomware, then these files can be restored once the malware is removed from the computer.

Further reading

If you would like to find out more about the threat posed by ransomware, you can read our whitepaper: The Evolution of Ransomware as well as Norton support’s self-help page for ransomware

Labels: threat intel



Would having Norton prevent or asking permission of all programs from encrypting files be a way to help slow the Trojan software from gaining control? Ransomware or file-encrypting Trojans seem to be a growing security problem. Backing up is great but we should have been doing that for multiple reasons for years.


Even my backups were hit, had I been at the PC I could have stopped the corruption but I'd been called away & forgot to turn it off. I use MS Office Outlook which has never got on with Norton's Anti-Spam plugin, never thought it of any importance until now! I definitely won't be renewing after this. Thank heaven I took the MacBook apart last month to install more RAM & never actually got around to it...?

All my vital items on OneDrive (corrupted too) are still locked away safe & sound in there

Kudos2 Stats

Norton Antivirus doesn't seem to detect the following ransomware and viruses. I have been seeing massive spam in the last two weeks with malware attached. Norton AV doesn't react. Luckely I am careful and a trial with Bitdefender finds it.

- JS.TeslaCrypt.1.Gen
- JS.TeslaCrypt.2.Gen
- Trojan.JS.Agent.KVR
- JS: Trojan.JS.Agent.NA

Additionally, I didn't find the above in the protection profile of NORTON.

Will there be a timely correction? I'd expect a much more responsive protection from the AV-leader.


Norton certainly didn't protect my files...EVERYTHING now infected

Oddly enough...my files on OneDrive & DropBox are accessible from my other PC's which haven't been infected?