
Massive ransomware campaign using TeslaCrypt discovered

Authored by a Symantec employee


It has been discovered that attack groups behind the ransomware known as TeslaCrypt (Trojan.Cryptolocker.N) have ramped up activity in the past two weeks, sending out massive volumes of spam emails containing the hidden malware. TeslaCrypt uses strong encryption to encrypt a wide range of files on the victim’s computer, then demands a ransom from the victim in exchange for getting the files back. Its creators have continually tweaked the malware and the strategy used to distribute it to help it evade antivirus detection, making it one of the more dangerous threats currently in circulation. A telltale sign of the malware is that each spam email contains an attachment whose file name combines common words such as “invoice”, “doc” or “info” with random characters. The attachment may have a file extension of .zip or may have no file extension at all.
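The attachment pattern described above can be turned into a simple mail-filter triage check. This is an added example, not Symantec's detection logic; the definition of "random characters" (four or more alphanumerics including a digit) and the sample file names are assumptions made for the demo.

```python
import os
from email.message import EmailMessage

KEYWORDS = ("invoice", "doc", "info")   # lure words named in the article
ALLOWED_EXT = ("", ".zip")              # ".zip" or no extension at all


def looks_like_lure(filename: str) -> bool:
    """True if the name is a lure word plus a random-looking token."""
    stem, ext = os.path.splitext(filename.lower())
    if ext not in ALLOWED_EXT:
        return False
    for kw in KEYWORDS:
        if kw in stem:
            rest = stem.replace(kw, "", 1).strip("_- ")
            # Assumption: "random characters" = 4+ alphanumerics with a digit,
            # which keeps "information.zip" or "document" from matching.
            if len(rest) >= 4 and rest.isalnum() and any(c.isdigit() for c in rest):
                return True
    return False


def flag_attachments(msg: EmailMessage) -> list:
    """Return attachment names in msg that match the heuristic."""
    names = (part.get_filename() for part in msg.iter_attachments())
    return [n for n in names if n and looks_like_lure(n)]


def build_sample() -> EmailMessage:
    """Constructed message; file names and bytes are made up for the demo."""
    msg = EmailMessage()
    msg["Subject"] = ("Would you be so kind as to tell me if the items "
                      "listed in the invoice are correct?")
    msg.set_content("Please see the attached file.")
    for name in ("invoice_x7k2q.zip", "doc_88213", "holiday_photos.zip"):
        msg.add_attachment(b"PK\x03\x04", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    print(flag_attachments(build_sample()))
```

A match is only a reason to quarantine the message for inspection; legitimate files can carry similar names.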

Much of the current campaign of TeslaCrypt attacks involves spam emails that use a range of social engineering techniques to lure the user into opening them.

Examples of the subject lines used in these emails include:

  • Would you be so kind as to tell me if the items listed in the invoice are correct?
  • Please accept our congratulations on a successful purchase and best wishes.
  • Would you be nice enough to provide us with a wire transfer confirmation.

Once the attachment is opened, it downloads and installs the ransomware on the user’s computer. The ransomware then encrypts the user’s files and creates two files on the computer, both of which contain instructions on how to pay the ransom and receive a decryption key.

TeslaCrypt is malware that can be purchased on the underground black market. Attack groups pay TeslaCrypt’s authors for use of the malware and possibly also for access to various distribution channels, such as spam botnets or exploit kits. Because of this, it is difficult to identify any one perpetrator responsible.

However, Symantec’s findings show that one group in particular is behind most of the recent spike in TeslaCrypt activity and it appears to be using spam email as its main distribution method.


Given that this group using TeslaCrypt has been highly active in recent weeks, businesses and users should be on their guard. Norton Security protects against TeslaCrypt.

In addition to the protection Norton offers, there are some extra steps users can take to stay protected from this threat:

  • Keep Internet security software regularly updated. Norton is always up-to-date, but other solutions may not be, so be sure to check that your solution is updated.
  • Keep your operating systems and software up-to-date with the latest patches.
  • Use caution when opening emails from unfamiliar sources, especially those with attachments or links. Do not click on unsolicited web links in email messages or submit any information to webpages in links.
  • Regularly back up any files stored on your computer. Once the backup is complete, keep the backup device unplugged from the computer, as it is still susceptible to infection if connected. If a computer is compromised with ransomware, these files can be restored once the malware is removed from the computer.

Further reading

If you would like to find out more about the threat posed by ransomware, you can read our whitepaper, The Evolution of Ransomware, as well as Norton support’s self-help page for ransomware.
