New TeslaCrypt version released that uses the .EXX extension.

Hello. A client was hit with this varient. We have the software restriction policies outlined on this page in place. I am wondering how we got hit this time and what I can do to prevent it. I'll be working on this all day, my colleague is busy restoring the files from backup. If I learn anything I'll be sure to reply. Thanks.

EDIT: I confirmed our Cryptopolicies are in place by running gpresult. I also tried to run a safe exe file from %APPDATA% and it failed to run due to group policies.

Edited by keithmichael, 13 May 2015 - 08:52 AM.

: I confirmed our Cryptopolicies are in place by running gpresult. I also tried to run a safe exe file from %APPDATA% and it failed to run due to group policies.

That's it! We had %LocalAppData%\*\* blocked but not the root folder,  %LocalAppData%

Edited by keithmichael, 13 May 2015 - 09:06 AM.

Okay, well this is going to be whack-a-mole because while I can block that folder, I tested a few others and I can still run exes.

Thank you. We are looking into them. We need to protect Citrix/Terminal Servers as well as Citrix PVS with non persistant disks and trying to find out if they will work under these conditions.

Got hit by this lastnight.  Local machine had a drive letter mapped and hit a network share.  Darn the luck.  Anyone had any luck with this?  Is there any way to take an original of a file and compare it to the encrypted one and figure out the key? 

Also, on the local machine it seems to of added the .exx and make files not work, but on my network share it still shows the normal name no extension added?  Also, they still show their main program for opening the file.  I have backups but nothing from yesterday and the restore would be very time consuming. 

I am in limbo about paying and hoping this gets unlocked. 

thanks

Adam

You can try my TeslaDecoder. It works only when decryption key is still present in data file (key.dat, storage.bin) or windows registry entries. Supported extensions are .ecc, .ezz, .exx

http://www.dropbox.com/s/abcziurxly2380e/TeslaDecoder.zip?dl=0

I hope it will help to someone. :-)

I've already removed most of the registry entries claimed by the SpyHunter tool manually (I did not want to buy this software, as I did not know if it really works for this type of virus) - but I've made a backup of a few of the registry entries.

Can you give a more detailed information about which files / registry keys you check and the algorithm the crypter uses? I've the storage.bin file and a few registry entry backups which may be relevant.

Would you mind posting the source code of your tool? This would be great!

Thanks,

Andreas.

Wow,

Looks like Tesla is hitting a lot of people. We ended up realizing we had a remote backup so we restored the data. What steps should we take to eliminate the program/virus from the server?

I've already removed most of the registry entries claimed by the SpyHunter tool manually (I did not want to buy this software, as I did not know if it really works for this type of virus) - but I've made a backup of a few of the registry entries.

 

Can you give a more detailed information about which files / registry keys you check and the algorithm the crypter uses? I've the storage.bin file and a few registry entry backups which may be relevant.

 

Would you mind posting the source code of your tool? This would be great!

 

Thanks,

Andreas.

If you have a backup of your storage.bin then load it in my decryptor (click on Load data file and set the path to this file) and you will see if the decryption key is still there.

My tool checks the known locations of data files and registry entries
%appdata%\key.dat
%localappdata%\storage,bin

[HKCU\Software\Microsoft\Windows\CurrentVersion\SET]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\storage]

Sorry, but I don't want to post source code because Tesla/Alpha crypt writers can use it against you all. My decoder is written in masm so if you disassemble it (IDA, ollydbg) you will get the source code (almost).

 

I've already removed most of the registry entries claimed by the SpyHunter tool manually (I did not want to buy this software, as I did not know if it really works for this type of virus) - but I've made a backup of a few of the registry entries.

 

Can you give a more detailed information about which files / registry keys you check and the algorithm the crypter uses? I've the storage.bin file and a few registry entry backups which may be relevant.

 

Would you mind posting the source code of your tool? This would be great!

 

Thanks,

Andreas.

 

If you have a backup of your storage.bin then load it in my decryptor (click on Load data file and set the path to this file) and you will see if the decryption key is still there.

My tool checks the known locations of data files and registry entries
%appdata%\key.dat
%localappdata%\storage,bin

[HKCU\Software\Microsoft\Windows\CurrentVersion\SET]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\storage]

Sorry, but I don't want to post source code because Tesla/Alpha crypt writers can use it against you all. My decoder is written in masm so if you disassemble it (IDA, ollydbg) you will get the source code (almost).

 

Your decryptor posts following message when I direct 'load data file' to my storage.bin backup:

 

Your decryptor posts following message when I direct 'load data file' to my storage.bin backup:

Data file version 4 recognized.

ERROR - Decryption key is not present in data file.

Unfortunatelly this tool can't recover decryption key. :-(

 

The registry keys you mentioned, I did not modify, but they do not exist.

 

If your tool fails, and you say 'see if the decryption key is still there', does this mean that the virus destroys the decryption key if you either do not pay and let the warning time run out, or if you try to remove/stop the virus?

 

My backup of storage.bin is made after the time I tried to remove the virus manually - I had the problem that Windows crashed with a blue screen and I could boot only in safe mode or in Windows Debug Mode. In this Debug Mode I the first time saw this virus' encryption warning, still claiming about 75 hours and started research about this kind of virus. This is now less than 48 hours ago, but as already mentioned I tried to stop this virus manually, by deleting some registry keys and renaming suspicious exe files.

 

Andreas.

 

Decryption key is removed from data file when all your files are encrypted, because crypter doesn't need it anymore.  It has nothing to do with the timer you can see. They are claiming that they will destroy your key from they servers after 96h but if it is a true I don't know.

But unfortunatelly my tool can't help you and you have to wait for another solution.

Hello, I´ll tell my experience so far trying to recover the exx files, so far with no luck.

I have tried so far with recuva and get data back. Both got copies recovered whithout the exx extension, prior to the day it got infected. They appeared to be fine, but when I tried to open those recovered files , they did not open or the content was a bunch of numbers and letters, so it appeared as encrypted. Shadow explorer did not find anything. No luck yet,it is a tough one, but there are great minds out there. Cisco guys have done an incredible work before, keep it up! As for the rest thanks for the contributions and ideas. Any help is welcome!! Thanks again to everyone who is helping.