- Distribution Method : Unknown
- MD5 : fb2dc7eccfa938149161caf3c7c16b58
- Major Detection Name : Gen:Variant.Ransom.Ouroboros.29 (BitDefender), Ransom.Teslarvng (Malwarebytes)
- Encrypted File Pattern : <Original Filename>.<Original Extension> → .[de-crypt@foxmail.com].teslarvng
- Malicious File Creation Location :
  - C:\ProgramData\Adobe
  - C:\ProgramData\Adobe\Extension Manager CC
  - C:\ProgramData\Adobe\Extension Manager CC\Logs
  - C:\ProgramData\Adobe\Extension Manager CC\Logs\<Drive Letter>.txt
  - C:\ProgramData\Adobe\Extension Manager CC\Logs\fails.txt
  - C:\ProgramData\Adobe\Extension Manager CC\Logs\lockeds.txt
  - C:\ProgramData\datakeys
  - C:\ProgramData\datakeys\hds
  - C:\ProgramData\datakeys\pos.txt
  - C:\ProgramData\datakeys\tempkey.teslarvngkeys
  - C:\teslarvng
  - C:\teslarvng\tempkey.teslarvngkeys
  - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\How To Recover.txt
  - C:\HELP.txt
- Payment Instruction File : HELP.txt / How To Recover.txt
- Major Characteristics :
  - Offline encryption (no key exchange with a C2 server is required to encrypt)
  - Deletes the defragsrv service
  - Disables system restore by removing shadow copies and the backup catalog (vssadmin.exe Delete Shadows /All /Quiet, wbadmin.exe delete catalog -quiet, WMIC.exe shadowcopy delete)
  - Uses SDelete from Sysinternals to overwrite free disk space, defeating recovery of deleted originals with file-recovery tools ("%Temp%\sdelete.exe" -nobanner -p 1 -z <Drive Letter>:)
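As an added example that is not part of the report above, a small Python check that flags the four recovery-inhibition command lines listed under Major Characteristics when they appear in process-creation events; the sample events, their file paths and the rule names are constructed for illustration.

```python
import re

# Constructed sample process-creation events (not taken from the report);
# each is an (image path, command line) pair as a Sysmon/EDR collector would record it.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("C:\\Windows\\System32\\wbadmin.exe", "wbadmin.exe delete catalog -quiet"),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", "WMIC.exe shadowcopy delete"),
    ("C:\\Users\\victim\\AppData\\Local\\Temp\\sdelete.exe",
     '"C:\\Users\\victim\\AppData\\Local\\Temp\\sdelete.exe" -nobanner -p 1 -z D:'),
    # benign lookalike: listing shadow copies is routine admin activity and must not fire
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe list shadows"),
]

# Each rule: (name, regex on the image path, regex on the command line); all case-insensitive.
RULES = [
    ("shadow_copy_delete_vssadmin", r"vssadmin\.exe$", r"\bdelete\s+shadows\b.*/all"),
    ("backup_catalog_delete_wbadmin", r"wbadmin\.exe$", r"\bdelete\s+catalog\b"),
    ("shadow_copy_delete_wmic", r"wmic\.exe$", r"\bshadowcopy\s+delete\b"),
    ("free_space_wipe_sdelete", r"sdelete(64)?\.exe$", r"\s-z\s+[a-z]:"),
]


def classify(image, command_line):
    """Return the names of every rule the event matches (empty list if nothing fires)."""
    hits = []
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, image, re.I) and re.search(cmd_re, command_line, re.I):
            hits.append(name)
    return hits


def scan(events):
    """Map each matching command line to its rule names, dropping events that match nothing."""
    results = {}
    for image, command_line in events:
        names = classify(image, command_line)
        if names:
            results[command_line] = names
    return results


if __name__ == "__main__":
    for command_line, names in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(names)}: {command_line}")
```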