TISC ransomware aims to encrypt all of your files for a ransom
TISC ransomware is a variant of the STOP/DJVU file-encrypting computer virus family. It uses the Salsa20 algorithm to make the victim’s files inaccessible. Once encrypted, each file gets an additional .tisc extension appended to make it distinguishable. For example, a file originally called 1.jpg appears as 1.jpg.tisc after the cyber attack. The virus also drops ransom-demanding notes called _readme.txt in every folder, including the desktop. This text file contains a message from the cybercriminals behind the malware, who suggest that the only way to get the TISC decryption tool and key is to pay a ransom for them. The attackers also present the pricing of the tools: $490 if the victim contacts the attackers within 72 hours, or $980 later. The payment must be made in cryptocurrency such as Bitcoin to conceal the attackers’ identity. This variant provides a new contact email unseen in previous STOP/DJVU versions, supporthelp@airmail.cc, alongside an already known one, manager@mailtemp.ch.
TISC ransomware virus is used solely to extort computer users by taking their files hostage and demanding a ransom. The malware is programmed to encrypt only the first 150 KB of each file, which keeps the attack fast while still making the files inaccessible to their owner. The encryption algorithm is known to be military-grade and is typically used to secure information between two endpoints so that only the one who has the decryption key can decrypt and view it. The cybercriminals who operate this ransomware suggest purchasing this key along with decryption software for a specified price. In other words, they turn the victim’s files into hostages and try to extort the victim financially.

However, if your files were encrypted, there are some methods you can try to restore or repair at least part of them. The number one method is to use a data backup if you had one created prior to the attack (the ransomware must be removed from the system before attempting to do this). Additionally, you can use the guide given below this article, which explains how to decrypt or repair files locked by STOP/DJVU versions. Speaking of file repair, Media_Repair by DiskTuna can help you repair specific file formats in which only a small portion of data at the beginning of the file is missing. You can read more on how to do it here.
The ransom note left by TISC ransomware is named _readme.txt and is identical in each folder where it was placed by the virus. It suggests that the victim can return all of the files, although “the only method of recovering files is to purchase decrypt tool and unique key.” Speaking of guarantees, the note suggests sending one encrypted file to the attackers via the provided email addresses. They promise to provide a decrypted version of the file in their reply. However, the note specifies that this file should not contain any valuable information (cybercriminals are afraid that recovering valuable information will discourage the victim from paying the ransom altogether).
The note also explains that the full decryption price is $980, although if the victim writes to the attackers within the first 72 hours, they will provide a 50% discount and the price will be $490. When contacted via email, the attackers will respond with information on how to purchase cryptocurrency worth the amount and the wallet address which should be used to make the transaction. The victim cannot pay directly via bank because this could lead to the attackers’ arrest, so they prefer an untraceable payment method instead.
Cybersecurity experts from Geek’s Advice team do not recommend paying a ransom to cybercriminals. The same is stated by the official FBI recommendations. Here are some reasons why you should not pay up:
- Paying a ransom does not guarantee successful data recovery. The criminals can disappear and stop responding to your emails the minute you make the transaction to their wallet address;
- The amount of money ransomware operators collect allows them to target more victims and lures other people to sign up for Ransomware-as-a-Service even without much technical knowledge. According to reports, people behind such malware attacks collect millions of US Dollars each year. If people stopped paying ransoms, the ransomware system would run out of the “fuel” that keeps it running;
- STOP/DJVU virus variants such as TISC often drop additional malware on the compromised host – AZORULT Trojan. It is capable of collecting sensitive information that can lead to further blackmail and more damage.
Ransomware activities on your computer explained
TISC ransomware virus mostly reaches the victim’s computer in the form of a malicious torrent download, often a software crack. Once launched, it opens several build.exe executables (build2.exe, build3.exe) for initial preparations. It then checks for a working Internet connection and, if successful, connects to its Command&Control server and gets a unique online encryption key for the victim, which it saves to a bowsakkdestx.txt file on the computer. The virus also assigns a personal ID to the victim and saves it to the aforementioned file and to a PersonalID.txt file as well. In case the virus cannot reach its C&C server, it uses a hardcoded offline encryption key instead. The sign that the offline encryption key was used is the characters t1 at the end of the personal ID assigned to the victim.

Once the encryption key is determined, the virus starts the data encryption phase. It is programmed to target a list of file extensions with some exceptions to keep the operating system intact. During this phase, the ransomware makes files inaccessible, marks them with additional extensions and leaves ransom notes in each visited directory. At the same time, the virus showcases a fake Windows update prompt (winupdate.exe), which is designed to trick the victim into thinking that a sudden system slowdown is caused by ongoing OS updates.
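The indicators described above (the .tisc extension, the _readme.txt notes, the t1 ending of an offline personal ID and the 150 KB encrypted prefix) can be combined into a quick triage of an affected folder. This is an added example, not code from Geek’s Advice or from any decryptor; the one-ID-per-line layout of PersonalID.txt, the 1 KB = 1024 bytes conversion and all sample IDs and files are assumptions constructed for the demonstration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".tisc"        # extension appended by this variant (from the page)
RANSOM_NOTE = "_readme.txt"    # ransom note name (from the page)
OFFLINE_SUFFIX = "t1"          # ID ending that marks the offline key (from the page)
ENCRYPTED_PREFIX = 150 * 1024  # "first 150 KB"; 1 KB = 1024 bytes is an assumption


def classify_personal_ids(text):
    """Label every ID in PersonalID.txt content as 'offline' or 'online'.

    Assumption: one ID per non-empty line.
    """
    labels = {}
    for line in text.splitlines():
        pid = line.strip()
        if pid:
            labels[pid] = "offline" if pid.endswith(OFFLINE_SUFFIX) else "online"
    return labels


def inventory(root):
    """Walk root; list encrypted files with original name and untouched byte count."""
    files, notes = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                size = os.path.getsize(path)
                files.append({
                    "path": path,
                    "original_name": name[: -len(ENCRYPTED_EXT)],
                    # Bytes past the encrypted prefix were never encrypted,
                    # which is what partial-repair tools work from.
                    "untouched_bytes": max(0, size - ENCRYPTED_PREFIX),
                })
    files.sort(key=lambda f: f["path"])
    return {"files": files, "notes": sorted(notes)}


def triage(root, personal_id_text):
    """Combine the ID check and the inventory into one recovery outlook."""
    labels = classify_personal_ids(personal_id_text)
    inv = inventory(root)
    if not labels:
        outlook = "unknown: no personal ID found"
    elif all(kind == "offline" for kind in labels.values()):
        outlook = "offline key: decryptor may work now or after a key update"
    else:
        outlook = "online key: restore from backup or attempt partial repair"
    repairable = [f["original_name"] for f in inv["files"] if f["untouched_bytes"] > 0]
    return {"ids": labels, "outlook": outlook, "encrypted": len(inv["files"]),
            "notes": len(inv["notes"]), "partially_intact": repairable}


def build_sample_tree(root):
    """Constructed sample data: two 'encrypted' files and two ransom notes."""
    os.makedirs(os.path.join(root, "Pictures"))
    with open(os.path.join(root, "Pictures", "1.jpg.tisc"), "wb") as fh:
        fh.write(b"\x00" * 1024)                       # smaller than the prefix
    with open(os.path.join(root, "video.mp4.tisc"), "wb") as fh:
        fh.write(b"\x00" * (ENCRYPTED_PREFIX + 4096))  # 4096 bytes left untouched
    for folder in (root, os.path.join(root, "Pictures")):
        with open(os.path.join(folder, RANSOM_NOTE), "w") as fh:
            fh.write("constructed placeholder note\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # Constructed ID; a real one is read from PersonalID.txt.
        print(triage(tmp, "EXAMPLECONSTRUCTEDIDt1\n"))
```

Run it against a copy of the affected data rather than the live disk, so that nothing is modified before a backup of the encrypted files exists.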
Malicious programs of such kind typically ensure that Volume Shadow Copies are removed from the system by running a Command Line task:
vssadmin.exe Delete Shadows /All /Quiet
This prevents the victim from restoring part of the data using System Restore points. Additionally, the described ransomware collects some information (such as computer name, user name, operating system version, keyboard language, hardware specifics, processes and software installed) in an information.txt file. The ransomware connects to “https[:]//api.2ip.ua/geo.json”, which returns the IP, country code, city, longitude, latitude, zip code and time zone of the compromised system. The ransomware compares the country code with codes from its exception list and, if a match is found, terminates its processes.
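For defenders, the shadow-copy deletion command is one of the most reliable behaviours to alert on. The sketch below is an added example, not part of the original article: it scans process-creation records for vssadmin deleting shadows and raises the severity when the same host also ran one of the process names mentioned on this page. The JSON record layout, host names and paths are constructed for the demonstration.

```python
import json
import ntpath
import re

# Process names this page associates with the infection chain.
PAGE_NAMED_BINARIES = {"build2.exe", "build3.exe", "winupdate.exe"}

# Constructed process-creation records (JSON lines). The Image/CommandLine keys
# and every host name and path are assumptions made for this example.
SAMPLE_EVENTS = r'''
{"host": "PC-01", "Image": "C:\\Sample\\build2.exe", "CommandLine": "build2.exe"}
{"host": "PC-01", "Image": "C:\\Sample\\winupdate.exe", "CommandLine": "winupdate.exe"}
{"host": "PC-01", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "\"C:\\Windows\\System32\\vssadmin.exe\" Delete Shadows /All /Quiet"}
{"host": "PC-02", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
{"host": "PC-03", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c vssadmin.exe   delete shadows /all /quiet"}
'''


def is_shadow_delete(command_line):
    """True when the command line runs vssadmin with 'delete' and 'shadows'.

    Quotes, letter case and repeated spaces are normalised first, and vssadmin
    may appear after a wrapper such as cmd.exe /c.
    """
    tokens = re.sub(r"[\"']", "", command_line).lower().split()
    for index, token in enumerate(tokens):
        if ntpath.basename(token) in ("vssadmin", "vssadmin.exe"):
            rest = tokens[index + 1:]
            if "delete" in rest and "shadows" in rest:
                return True
    return False


def detect(event_lines):
    """Return {host: severity} for hosts showing the behaviour described above."""
    hosts = {}
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        state = hosts.setdefault(event["host"], {"shadow": False, "named": set()})
        if is_shadow_delete(event.get("CommandLine", "")):
            state["shadow"] = True
        image = ntpath.basename(event.get("Image", "")).lower()
        if image in PAGE_NAMED_BINARIES:
            state["named"].add(image)

    findings = {}
    for host, state in hosts.items():
        if state["shadow"] and state["named"]:
            findings[host] = "high"    # deletion plus a page-named binary
        elif state["shadow"]:
            findings[host] = "medium"  # deletion alone can be an admin script
        elif state["named"]:
            findings[host] = "low"     # generic file names, weak on their own
    return findings


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```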
Some STOP/DJVU versions also modify Windows HOSTS file by adding a list of domains to block for the victim. The virus maps them to localhost IP to cause a DNS problem. Therefore, if the victim tries to reach one of the blocked domains either directly or access them via search engine results, DNS_PROBE_FINISHED_NXDOMAIN error will come up. It was noticed that the virus blocks various cybersecurity and computer help related pages, including microsoft.com and others. We believe that the virus’ developers do not want the victim to find help online or find recommendations on how to respond or report the attack.
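One way to check for this tampering is to audit the HOSTS file for public domain names pointed at a loopback or unspecified address. This is an added example, not the article’s or any vendor’s tool; the sample file content is constructed, and the short list of legitimate local names is an assumption you should adapt to your environment.

```python
import ipaddress

# Names that legitimately resolve to loopback (assumed allowlist for the example).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample, not taken from an infected machine.
SAMPLE_HOSTS = """\
# Constructed HOSTS content for the example
127.0.0.1       localhost
::1             localhost
127.0.0.1       microsoft.com www.microsoft.com   # kind of entry the page describes
0.0.0.0         av-vendor.example
192.168.1.20    nas.home.example
not-an-ip       broken.example
"""


def parse_line(line):
    """Return (ip, [hostnames]) or None for blank, comment-only or malformed lines."""
    body = line.split("#", 1)[0].split()
    if len(body) < 2:
        return None
    try:
        ip = ipaddress.ip_address(body[0])
    except ValueError:
        return None
    return ip, [name.lower().rstrip(".") for name in body[1:]]


def audit_hosts(text):
    """List (line number, ip, hostname) for non-local names mapped to this machine."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, names = parsed
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if name not in LOCAL_NAMES:
                findings.append((number, str(ip), name))
    return findings


def remediate(text):
    """Return HOSTS content with the flagged names removed, other lines untouched."""
    flagged = {}
    for number, _ip, name in audit_hosts(text):
        flagged.setdefault(number, set()).add(name)
    kept = []
    for number, line in enumerate(text.splitlines(), start=1):
        if number not in flagged:
            kept.append(line)
            continue
        ip, names = parse_line(line)
        remaining = [name for name in names if name not in flagged[number]]
        if remaining:  # keep legitimate names that shared the line
            kept.append(f"{ip}\t{' '.join(remaining)}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for number, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {number}: {name} -> {ip}")
    print(remediate(SAMPLE_HOSTS))
```

Review the findings before writing the cleaned content back, since some ad-blocking setups intentionally map domains to 0.0.0.0.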
The final and very dangerous thing this ransomware does is dropping an information stealer called AZORULT on the infected system. This threat isn’t mentioned in the ransom note, although it is capable of collecting data and allows the attacker to perform various activities on the target system via remote access feature:
- Download various computer malware and run it;
- Take various login credentials, such as those of Telegram, Steam and other programs and send them to criminals;
- View or delete files on the victim’s computer;
- Steal cryptocurrency wallets and their contents;
- Steal browser-saved passwords, browser cookies, browsing history and more.
The best thing to do after being infected with such computer virus is to take action to get rid of it as soon as possible. For this task, we strongly recommend using a professional security software which can not only remove the threat, but also protect you from similar attacks in the future. That said, we recommend using INTEGO Antivirus which is a VB100 certified software. Additionally, you may want to download RESTORO to repair virus damage on Windows OS files.
Ransomware Summary
Name | TISC Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | STOP/DJVU |
Encryption type | RSA Salsa20 |
Previous versions | DARJ DAZX, TYWD, TYCX, TYOS, TYPO, JYWD (find full list here) |
Version | 336th |
Extension | .tisc |
Cybercriminal emails | manager@mailtemp.ch, supporthelp@airmail.cc |
Dropper | SmokeLoader (see VirusTotal details) |
Damage | The ransomware uses Salsa20 encryption to lock files on the target system running Windows operating system. The encrypted files are marked with additional .tisc extension. The ransomware leaves _readme.txt notes in every file directory containing affected files. The virus also eliminates Volume Shadow Copies and adds a list of domain names to Windows HOSTS file. Some versions of this ransomware family tend to infect the computer with AZORULT Trojan. |
Ransom note | _readme.txt |
Ransom demand | $490-$980 in Bitcoin |
Distribution | Victims often download this ransomware along illegal torrent downloads, cracked software, key generators or tools like KMSPico. |
Detection names | Trojan:Win32/Glupteba (Microsoft), VHO:Trojan-Spy.Win32.Stealer.gen (Kaspersky), Gen:Variant.Fragtor.27383 (BitDefender), ML.Attribute.HighConfidence (Symantec), Win32:PWSX-gen [Trj] (Avast) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO. |

How ransomware-type viruses are distributed
In order to prevent ransomware infections in the future, it is essential to understand how such viruses are distributed by cybercriminals. The most common attack methods are based on exploit kits, malicious email attachments and links, malicious torrent downloads and web attacks.
The primary method used to spread STOP/DJVU versions such as TISC ransomware virus is malicious torrent downloads. Almost every victim of this ransomware strain who contacted us reported downloading it along with a software crack for various popular software versions, such as:
- Adobe Photoshop;
- Corel Draw;
- Tenorshare 4ukey;
- League of Legends;
- Cubase;
- Adobe Illustrator;
- Windows activation tools such as KMSPico.
Cybercriminals prey on computer users who try to get paid software versions for free using peer-to-peer file sharing clients. These programs do not check for malware, and such computer users are often willing to ignore their cybersecurity software warnings on such downloads as well. In most cases, users believe that any crack downloaded from the Internet gets marked as dangerous regardless of its contents, although most of the time it actually is dangerous. Even if you do not notice suspicious signs after installing the software, you might already be infected, for instance, with cryptocurrency mining software, a Trojan or ransomware with an idle mode that is set to launch after a specific period of time.
If you wish to get a premium software version, please visit its official developer’s website and get a legitimate copy from there. We should support software creators rather than greedy criminals. Besides, a genuine software copy always costs less than the insane ransom amounts demanded by crooks.
Malicious email attachments and links are often used by criminals who send out similar messages to thousands of potential victims. They obtain email addresses from various data leak databases in the dark web. It is common for them to pretend to be someone from a reputable company or even victim’s colleague. The majority of such emails urge the victim to open the attached document and reply as soon as possible. The attachment is usually named as a regular document, for instance, invoice, payment details, order summary, waybill, parcel tracking details and similar. Cybercriminals can even spoof the sender’s email address to make it appear as something else for the victim.
It can be hard to identify a malicious email message nowadays as scammers get more and more creative; that said, we strongly recommend you avoid opening attachments or included links if you did not expect to receive an email from the sender. Do not let your curiosity trick you into opening something that can severely harm your computer. Besides, if you sense that something is wrong with the email, for example, you notice a suspicious style of writing, grammar errors, unprofessional logos, a weird greeting line or the message urges you to interact with attached contents, better avoid clicking on links or attachments.
The final infection vector we’d like to discuss is fake STOP/DJVU decryption tools, so be very careful. If you’re looking for a decryption tool, first check whether one exists. Such tools are usually widely talked about in legitimate and well-known Internet sources such as cybersecurity news sites, antivirus vendors’ sites and similar. Do not risk downloading such files from rogue websites. Cybersecurity experts report that ZORAB ransomware operators are using fake STOP/DJVU decryption tools to spread their own virus. This could end in double-encryption of your files.
Remove TISC Ransomware Virus and Decrypt Your Files
If you have become a victim of a ransomware attack, you should not hesitate and eliminate the malware from your computer system as soon as you can. Our team recommends using a robust antivirus with real-time protection for this matter – INTEGO Antivirus. You should follow the steps provided in the guide below to run it in Safe Mode with Networking to eliminate the malware safely. Additionally, you may want to download RESTORO which can repair virus damage caused on Windows OS files.
Once TISC ransomware virus removal is done, read these tips on how to respond to the cyber attack:
- Inform your local authorities about an Internet crime case. You can find some references below this guide.
- Use data backup to restore the majority of your files.
- Follow the given steps to decrypt or repair files affected by STOP/DJVU versions.
- We also recommend changing your passwords, especially for websites that you save login credentials for in your browser.
TISC Ransomware Virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove TISC Ransomware Virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot the PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove TISC Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus. Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%\system32\restore\rstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Decrypt TISC files
Fix and open large TISC files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the first 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files altogether. That said, we recommend testing this method on several big (>1GB) files first.
- Create a copy of encrypted file to a separate folder using Copy > Paste commands.
- Now, right-click the created copy and choose Rename. Select the TISC extension and delete it. Press Enter to save changes.
- In the prompt asking whether you want to make the changes as file might become unusable, click OK.
- Try opening the file.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. TISC Ransomware Virus is considered the new STOP/DJVU variant, just like DARJ DAZX, TYWD, TYCX, TYOS, TYPO, JYWD (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt TISC files, follow the given tutorial.
- Download the decryption tool from Emsisoft.
- Click the little arrow next to your download and choose Show in Folder.
- Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
- In UAC window, click Yes.
- Click Yes to agree to software terms in both windows.
- The tool will automatically include C:\ disk as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected data storage drives or network drives. Click Add folder if you wish to add additional locations.
- In the Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work.
- Click Decrypt to start restoring TISC files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.
Meanings of decryptor's messages
The TISC decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your TISC extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of TISC Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
- In the United States, go to the On Guard Online website.
- In Australia, go to the SCAMwatch website.
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
- In Ireland, go to the An Garda Síochána website.
- In New Zealand, go to the Consumer Affairs Scams website.
- In the United Kingdom, go to the Action Fraud website.
- In Canada, go to the Canadian Anti-Fraud Centre.
- In India, go to Indian National Cybercrime Reporting Portal.
- In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
Frequently Asked Questions
You can only open TISC files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidance provided by the official TISC decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake TISC decryption tools circulating around the web. Cyber criminals upload them to various shady websites and might also promote them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If an official STOP/DJVU decryption tool becomes available, it will be widely discussed in public media.

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
When will Online Key .tisc DECRYPTION RELEASE?
I am waiting for months