
Saturday, March 14, 2015

Encrypted Files (.ecc extension) Malware Removal Guide

If most of your files are encrypted and have a .ecc extension, for example work.docx.ecc, then your computer is almost certainly infected with TeslaCrypt ransomware. Obviously, the encrypted files can no longer be opened by the programs that normally handle them. They must be decrypted first, and the problem is that decryption requires your private key, which you are expected to purchase through the TeslaCrypt payment service. You don't have to be a techie whizz kid to know that cyber criminals, malware users and hackers are increasingly upping the ante in their attempts to defraud, scam, phish and extort computer users, such as you and me, out of our hard earned money.

There are more than enough different types of malicious software out there to keep us on our toes, but one of the most unpleasant is ransomware, which seems to rear its ugly head in fits and starts rather than being a constant on the malware landscape. However, just because it appears to come and go is no reason to ignore it, because ransomware can cause untold stress, both to you and to your bank account, if you are not careful.

What exactly is TeslaCrypt ransomware?

The name probably gives it away, or at least holds a clue as to what this particular Internet-based menace can do and how it operates. To cut a long story short, ransomware infests your computer, kidnaps one or more of your files, changes their file extension to .ecc, holds them hostage and then, as a natural conclusion, demands a ransom from you to let them go free.

How does it infect my PC?

As with most types of computer virus or malware, ransomware infects you via an email carrying an infected attachment or link. It can also spread through other programs, or it may use a technique called a drive-by installation, which happens when you visit a website that has been compromised.

You may notice that something is amiss on your computer when you suddenly find that you can't access a particular file or document, when you receive a ransom note (for example an email), or when you are shown a screen or pop-up window alerting you. Usually these emails or alerts will appear to have been sent by a reputable organization such as the FBI or another national law enforcement agency. This of course would have the majority of us shocked into stunned silence (or possibly letting slip a few choice curse words!).

But what am I "guilty" of?

The email or warning will tell you that you have infringed some sort of serious law: maybe you've been "caught" looking at some dubious x-rated content or downloading pirated software or movies, for example.

Then, still pretending that a genuine federal or law enforcement agency is behind the message, it will tell you how much you are being penalized: the amount of the fine you need to pay to atone for your "wrongdoing". But don't worry, this untoward third party will make it nice and easy for you to pay, either with an (untraceable) pre-paid card or with Bitcoin, the digital currency.

Should I pay the fine?

No. Do not encourage these online scammers; no reputable law enforcement agency uses these tactics. If you have a recent backup, wipe your hard disk and restore your files from it. If you don't, try the Shadow Explorer program or search your computer for previous versions of your files. If you are lucky, you may find copies of files that were not encrypted and renamed to .ecc. But before restoring your files, please remove the ransomware and related malware files from your computer. Otherwise, you will simply waste your time. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur,

Step 1: Removing TeslaCrypt and related malware:

Before restoring your files from shadow copies, make sure TeslaCrypt is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by TeslaCrypt virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Try the TeslaCrypt Decryption Tool by Cisco. Download TeslaDecrypt tool and run it.

Method 4: Try the TeslaDecoder Decryption Tool. Download TeslaDecoder tool and run it.

Method 5: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool works on Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or an entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.

CandyeLuvsJesus said...

This is awesome. I am thankful for this information. One computer repair person told me the only way to resolve this encryption problem was to buy a $300 software or wipe all the information from my computer. I did not want to do either.

Anonymous said...

Thanks for your help, I used Shadow Explorer to restore my files, but I want to know if there is a way to delete all the encrypted files, because now I have both the restored file and the .ecc file, and I cannot delete the .ecc files one by one. I will come back later to check your comment for a solution if you have it.

Admin said...

I'm glad you got your files back! It shouldn't be difficult to remove the encrypted .ecc files. Maybe some programs are still using the .ecc files, so I would suggest you restart your computer, then run a full scan with anti-malware software and try to delete the files again. Cheers!
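Because TeslaCrypt simply appends .ecc to the original name (work.docx becomes work.docx.ecc, as described in the post), a leftover encrypted copy can be matched to its restored original by stripping that suffix. The script below is an added example, not part of the original post or any tool it mentions: it walks a folder, deletes an .ecc file only when a non-empty restored original sits beside it, keeps every .ecc file that has no such original (you may still need it for a decryptor), and runs in dry-run mode by default. The sample folder layout in the demo is constructed.

```python
import tempfile
from pathlib import Path

ECC_SUFFIX = ".ecc"


def classify_ecc_files(root):
    """Sort every *.ecc file under `root` into (safe_to_delete, orphaned).

    An .ecc file is safe to delete only when the path it was renamed from
    (name minus the .ecc suffix) exists again and is non-empty, i.e. the
    file has actually been restored. Everything else is kept.
    """
    safe, orphaned = [], []
    for path in Path(root).rglob("*" + ECC_SUFFIX):
        if not path.is_file() or len(path.name) <= len(ECC_SUFFIX):
            orphaned.append(path)
            continue
        original = path.with_name(path.name[: -len(ECC_SUFFIX)])
        if original.is_file() and original.stat().st_size > 0:
            safe.append(path)
        else:
            orphaned.append(path)
    return safe, orphaned


def remove_restored_ecc_copies(root, dry_run=True):
    """Delete the safe .ecc copies; with dry_run=True only report them.

    Returns (deleted_or_would_delete, kept) as lists of Path objects.
    """
    safe, orphaned = classify_ecc_files(root)
    for path in safe:
        if not dry_run:
            path.unlink()
    return safe, orphaned


if __name__ == "__main__":
    # Constructed demo tree: one restored file, one still-unrestored file.
    demo = Path(tempfile.mkdtemp())
    (demo / "work.docx").write_bytes(b"restored document")
    (demo / "work.docx.ecc").write_bytes(b"\x00encrypted blob")
    (demo / "notes.txt.ecc").write_bytes(b"\x00encrypted blob")
    would_delete, kept = remove_restored_ecc_copies(demo, dry_run=True)
    print("would delete:", [p.name for p in would_delete])  # ['work.docx.ecc']
    print("kept (no restored original):", [p.name for p in kept])  # ['notes.txt.ecc']
```

Run it with dry_run=True first and review the list; only then rerun with dry_run=False.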

Anonymous said...

Unfortunately I don't have backup points before the date of the attack and encryption of my files. Also, Shadow Explorer doesn't show any dates before the attack. Are there any other suggestions to restore the encrypted files?

Admin said...

You can use Recuva. It's free data recovery software. Of course, it won't decrypt your files, but it can find copies of at least some of your files that were stored on your hard disk before they were encrypted. It may or may not work, but it's definitely worth trying.

Nico van den Berg said...

If I try to use the TeslaDecoder software it asks for a key.dat file.

Admin said...

@Nico van den Berg, it probably can't find it. Search your computer for a key.dat file and load it using TeslaDecoder.