READERS! BEGIN HERE, PLEASE! As far as any evidence suggests, TeslaCrypt may be the most dangerous virus on the internet right now; it is certainly among the most dangerous types. Since you are here and I don’t want to waste your time, here is the heads-up: on this page I will outline the main problems with this malware, give an overview of what you can do to avoid this situation in the future, and, of course, provide the removal section dedicated to its eradication. Here are the key things to understand:
- This is a “sister” virus to at least two other known entities: Alpha Crypt and Cryptolocker-V3. They operate in practically the same way, but each uses a different encryption method, so they are listed separately.
- This is extremely important: Do NOT pay the ransom. There are no guarantees your files will ever be unlocked, despite what the message claims. And honestly, even if your files are returned, there is no way to know that TeslaCrypt won’t come back for a second round later on; after all, it wasn’t really “removed.”
And the most important:
- Despite what the picture claims, the code generated is not unique to your PC. Do not be fooled. These people are simply trying to extort you and take advantage of the fact that you are probably not knowledgeable about these things. TeslaCrypt is not special in any particular way. The supposedly unique RSA-2048 key that cannot be replaced (or so the message says) has already been researched. In fact, in the removal section below, we will post a link to a TeslaCrypt-specific decryptor that should theoretically restore all your files. Theoretically, because there are always newer and updated versions of ransomware, and there is no way to know exactly which one you were infected with.
The message itself varies from version to version. In our sample, for which we designed this removal guide, TeslaCrypt displayed the following message with instructions. Please make sure yours is the same. If it is not, leave a comment below, and we’ll contact you and try to solve your problem. The personal page that specifies the ransom (usually $500) reads:
- Encryption was made using a unique strongest RSA-2048 public key generated for this computer. To decrypt files you need to acquire the private key.
The only copy of the private key, which will allow you to decrypt your files, is located on a secret TOR server in the Internet; the server will eliminate the key after a time period specified in this window.
Once this has been done, nobody will ever be able to restore files…
WARNING! TeslaCrypt appends the extensions .ECC and .EXX to your files. If you are seeing files with the .EZZ extension, you are likely suffering from Alpha Crypt, which uses an entirely different encryption method. Check out our other removal guide for Alpha Crypt.
After it has successfully encrypted your files, TeslaCrypt creates a custom .txt file, which should be located on your desktop together with a wallpaper/picture. This text file is named either HELP_TO_DECRYPT_YOUR_FILES.txt or HELP_RESTORE_FILES.txt, while the picture will be called HELP_TO_DECRYPT_YOUR_FILES.bmp or HELP_RESTORE_FILES.bmp.
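Because the extension and note-file names above are the quickest way to tell which family you are dealing with before picking a decryptor, here is a small read-only triage script that walks a folder and reports those indicators. This is an added example, not code from the original guide or from any decryptor; the only indicators it knows are the ones the guide lists (.ECC/.EXX for TeslaCrypt, .EZZ for Alpha Crypt, the HELP_TO_DECRYPT_YOUR_FILES / HELP_RESTORE_FILES notes, and key.dat, which the removal steps say to preserve). The sample directory it builds is constructed for the demo; the function names are my own.

```python
"""Read-only triage for the TeslaCrypt / Alpha Crypt indicators listed above.

Added example, not part of the original guide. It never modifies or deletes
anything: it only walks a directory tree, counts files carrying the encrypted
extensions, finds the ransom notes, and flags any key.dat it sees so the
responder keeps a copy before cleaning up (as the removal steps advise).
"""
import os
import tempfile
from collections import Counter

# Indicators taken from the guide text; extension matching is case-insensitive.
TESLACRYPT_EXTS = {".ecc", ".exx"}
ALPHACRYPT_EXTS = {".ezz"}
RANSOM_NOTE_STEMS = {"help_to_decrypt_your_files", "help_restore_files"}
RANSOM_NOTE_EXTS = {".txt", ".bmp"}
KEY_FILE = "key.dat"


def scan_tree(root):
    """Walk `root` and summarise what was found as a plain dict."""
    ext_counts = Counter()
    notes, key_files = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext in TESLACRYPT_EXTS or ext in ALPHACRYPT_EXTS:
                ext_counts[ext] += 1
            if stem.lower() in RANSOM_NOTE_STEMS and ext in RANSOM_NOTE_EXTS:
                notes.append(os.path.join(dirpath, name))
            if name.lower() == KEY_FILE:
                key_files.append(os.path.join(dirpath, name))

    tesla = sum(ext_counts[e] for e in TESLACRYPT_EXTS)
    alpha = sum(ext_counts[e] for e in ALPHACRYPT_EXTS)
    if tesla and alpha:
        family = "mixed"          # both extension sets present: check both guides
    elif tesla:
        family = "TeslaCrypt"
    elif alpha:
        family = "Alpha Crypt"
    else:
        family = "none"
    return {
        "family": family,
        "encrypted_by_ext": dict(ext_counts),
        "ransom_notes": sorted(notes),
        "key_dat_to_preserve": sorted(key_files),
    }


def build_sample_tree(infected=True):
    """Create a constructed sample directory resembling an infected desktop.

    The files and their contents are made up for the demo; they are not real
    infection artefacts.
    """
    root = tempfile.mkdtemp(prefix="teslacrypt_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    names = ["notes.txt", "holiday.jpg"]
    if infected:
        names += ["report.docx.ecc", "budget.xlsx.ecc", "photo.jpg.EXX",
                  "HELP_TO_DECRYPT_YOUR_FILES.txt",
                  "HELP_TO_DECRYPT_YOUR_FILES.bmp"]
        os.makedirs(os.path.join(root, "malware_dir"))
        names.append(os.path.join("..", "malware_dir", KEY_FILE))
    for name in names:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed sample content")
    return root


def main():
    root = build_sample_tree()
    result = scan_tree(root)
    print("Scanned:", root)
    print("Likely family:", result["family"])
    print("Encrypted files by extension:", result["encrypted_by_ext"])
    print("Ransom notes:", *result["ransom_notes"], sep="\n  ")
    print("key.dat copies to preserve:", *result["key_dat_to_preserve"], sep="\n  ")


if __name__ == "__main__":
    main()
```

Point `scan_tree` at a real user profile to get the same summary; the "mixed" verdict is deliberate, since a machine showing both .ECC/.EXX and .EZZ files should be checked against both removal guides rather than assumed to be one family.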
How to Remove TeslaCrypt
1. First, you need to boot Windows into Safe Mode. If you do not know how to do that, check our guide on the subject here.
2. After you do this, there should be a file called TeslaCrypt/Cryptolocker/Alpha Crypt on your desktop. I want you to right-click it and choose Show File Location.
3. In the new folder that opens up, you will find three files: key.dat, log and tltudnb. Copy key.dat somewhere safe, and then delete all three files.
4. At this point, you need to try to retrieve your files. Here is a link to a decrypting tool you can use to do this. It should work specifically for TeslaCrypt. Bear in mind that there are no guarantees your files will be restored; this may or may not work:
5. Click the Windows button, then type regedit in the search field.
6. There are lots of folders and registry keys on the left. I want you to carefully navigate to and locate the following folder:
7. Once you are there