Remove TeslaCrypt ransomware and recover your files

In this article I will describe the steps that are needed to decrypt files that are infected with TeslaScript.

  1. Use a virusscanner (for example Hitman Pro) to remove TeslaCrypt from your computer.
  2. Go to ID Ransomware and upload an infected file:
    Upload file to find your decryption tool.

    Upload file to find your decryption tool.

  3. Upload the infected file:
    Upload infected file.

    Upload infected file.

  4. Download TeslaDecoder.zip:
    Download TeslaDecoder.zip

    Download TeslaDecoder.zip

  5. And save the file:
    Save the ZIP file

    Save the ZIP file

  6. Start TeslaDecoder.exe and click on [Set Key]:
    Start the executable from the extracted folder.

    Start the executable from the extracted folder.

  7. In this case the extension is the same as the original one:
    Extension the same as original.

    Extension the same as original.

  8. And click on [Set key]:
    Set key.

    Set key.

  9. Click on [Decrypt folder] to decrypt the folder with the infected files:
    Decrypt folder with the infected files.

    Decrypt folder with the infected files.

  10. Overwrite existing files:
    Overwrite existing files.

    Overwrite existing files.

  11. The decrypt has completed:
    Decrypt has completed.

    Decrypt has completed.

  12. Close the application:
    Close the application.

    Close the application.

  13. And open the decrypted file and see the magic:
    And you can open the Word file again.

    And you can open the Word file again.

Some basic guidelines:

  • Save your files on OneDrive or OneDrive for Business. Disable the synchronization client.
    If you get infected, the files that are stored on OneDrive or OneDrive for Business are not effected.
  • Make a backup of all your data to an external device.
  • Enable previous versions.
    1. On Windows 7
    2. On Windows 10 with File History
  • Never trust emails that have an attachment. Read the mail in preview mode, and delete the mail with SHIFT DELETE if your in doubt.

More information can be found at: