Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Generic User Avatar

New TeslaCrypt version released that uses the .EXX extension.


  • Please log in to reply
221 replies to this topic

#211 Demonslay335

Demonslay335

    Ransomware Hunter


  •  Avatar image
  • Security Colleague
  • 4,770 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:34 AM

Posted 21 March 2016 - 07:41 PM

I have an iMac and two attached FAT32 Ext HDDs have been infected with TeslaCrypt .VVV variant. The iMac seems unaffected.

Is it possible to run TeslaDecoder on an iMac?

Thanks in anticipation of your advice.

 

Since TeslaDecoder is an EXE, I'm going to have to go with no, unless you have something like Parallels or another virtualization app running. You will need something with Windows to run TeslaDecoder and the other packaged software.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


BC AdBot (Login to Remove)

 


#212 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 62,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:34 AM

Posted 21 March 2016 - 07:42 PM

There is an ongoing discussion in this topic where you can ask questions and seek further assistance.Support for decryption requests can be posted in this topic:

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#213 fishmonger

fishmonger

  •  Avatar image
  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:34 PM

Posted 21 March 2016 - 07:55 PM

Thank you



#214 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 62,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:34 AM

Posted 21 March 2016 - 09:10 PM

You're welcome.

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#215 Coconutdog

Coconutdog

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Australia
  • Local time:01:34 AM

Posted 08 April 2016 - 04:51 AM

Could you not disable vssadmin so the ransomware cannot delete volume shadow copies?



#216 quietman7

quietman7

    Bleepin' Gumshoe


  •  Avatar image
  • Global Moderator
  • 62,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:34 AM

Posted 08 April 2016 - 05:09 AM

Yes...Why Everyone Should disable VSSAdmin.exe Now!

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif


#217 MissJessica

MissJessica

  •  Avatar image
  • Members
  • 1 posts
  • OFFLINE
  •  

Posted 03 May 2016 - 07:08 PM

Hi there!

I received this on my computer about a month ago. It was in every folder on my computer and all my photos, documents and videos became encrypted. There is no file extension to my files and the shadow files have been deleted. I have tried about 20 different programs to try and recover my files but reading through this blog I can see that it seems like there is no solution. yet. I'm pretty confident that I have removed the virus from my computer(using the free version of Malwarebytes Anti-Malware). I have kept one of these ransom notes:

 

+"=&6+0$+1/#!2-":8, "7+?"5*'84(
+"=&6+0$+1/#!2-":8, "7+?"5*'84(
+"=&6+0$+1/#!2-":8, "7+?"5*'84(
+"=&6+0$+1/#!2-":8, "7+?"5*'84(

NOT YOUR LANGUAGE? USE https://translate.google.com

What's the matter with your files?

Your data was secured using a strong encryption with RSA4096.
Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem)

What exactly that means?

+"=&6+0$+1/#!2-":8, "7+?"5*'84(
+"=&6+0$+1/#!2-":8, "7+?"5*'84(

It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore .
In other words they are useless , however , there is a possibility to restore them with our help .

What exactly happened to your files ???

*** Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private.
*** All your data and files were encrypted by the means of the public key , which you received over the web .
*** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers.

+"=&6+0$+1/#!2-":8, "7+?"5*'84(
+"=&6+0$+1/#!2-":8, "7+?"5*'84(

What should you do next ?

There are several options for you to consider :
***  You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or
***  You can start getting BitCoins right now and get access to your data quite fast .
In case you have valuable files , we advise you to act fast as there is no other option rather
than paying in order to get back your data.

In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below :
http://as3ws.fopyirr.com/BE7E29CB94391BBC
http://o4dm3.leaama.at/BE7E29CB94391BBC
http://i5ndw.titlecorta.at/BE7E29CB94391BBC

If you can't access your personal homepage or the addresses are not working, complete the following steps:
*** Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en
*** Install TOR Browser and open TOR Browser
*** Insert the following link in the address bar: xzjvzkgjxebzreap.onion/BE7E29CB94391BBC

+"=&6+0$+1/#!2-":8, "7+?"5*'84(
+"=&6+0$+1/#!2-":8, "7+?"5*'84(
+"=&6+0$+1/#!2-":8, "7+?"5*'84(

***************IMPORTANT*****************INFORMATION********************

Your personal homepages
http://as3ws.fopyirr.com/BE7E29CB94391BBC
http://o4dm3.leaama.at/BE7E29CB94391BBC
http://i5ndw.titlecorta.at/BE7E29CB94391BBC

Your personal homepage Tor-Browser xzjvzkgjxebzreap.onion/BE7E29CB94391BBC
Your personal ID BE7E29CB94391BBC

+"=&6+0$+1/#!2-":8, "7+?"5*'84(
+"=&6+0$+1/#!2-":8, "7+?"5*'84(
+"=&6+0$+1/#!2-":8, "7+?"5*'84(

 

Please please help if you can or keep me posted on updates for a solution. I would really love to get my photos and videos back.

 

Thank you!

 

Jessica

 



#218 Demonslay335

Demonslay335

    Ransomware Hunter


  •  Avatar image
  • Security Colleague
  • 4,770 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:34 AM

Posted 03 May 2016 - 08:07 PM

If the extensions were not modified, you were hit by TeslaCrypt 4.0. There is no way to decrypt the files I'm afraid. You can upload a sample file to the service in my signature to confirm, it will point you to the right information.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#219 Bert1969

Bert1969

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:34 AM

Posted 05 May 2016 - 09:35 PM

Hello Everyone,

 

I was hit by TeslaCrypt 4.0 a few weeks ago.  While the files were being encrypted, I shut it down in the middle of the process.  Having done that, is there a possibility the private key is stored somewhere on my hard drive since I shut it down before the encryption process was complete?

 

Thank you.



#220 BloodDolly

BloodDolly

  •  Avatar image
  • Security Colleague
  • 526 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:02:34 PM

Posted 06 May 2016 - 01:16 AM

Hello Everyone,

 

I was hit by TeslaCrypt 4.0 a few weeks ago.  While the files were being encrypted, I shut it down in the middle of the process.  Having done that, is there a possibility the private key is stored somewhere on my hard drive since I shut it down before the encryption process was complete?

 

Thank you.

If you wouldn't shutdown the computer, but hibernated it instead then the PrivateKeyFile would be located in the hiberfil.sys. The private keys are not stored on the disk and they are located only in the memory. PrivateKeyMaster is located in the memory only few ms and then it is zeroed out. PrivateKeyFile is located in the memory during whole encryption process, but it is destroyed when computer is shutdown/restarted, TeslaCrypt process is terminated or TeslaCrypt finished encryption of all files.

Currently there is no solution how to restore private keys of TeslaCrypt 3/4 from encrypted files. I recommend to backup all encrypted files and wait for solution.



#221 Bert1969

Bert1969

  •  Avatar image
  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:34 AM

Posted 10 May 2016 - 11:35 AM

Thank you Security Colleague,

 

I'm not sure if it makes a difference but I didn't do the normal shutdown, I held the power button down until it turned off.  If there were a hiberfil.sys created, where would it be located?



#222 BloodDolly

BloodDolly

  •  Avatar image
  • Security Colleague
  • 526 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:02:34 PM

Posted 10 May 2016 - 12:27 PM

Thank you Security Colleague,

 

I'm not sure if it makes a difference but I didn't do the normal shutdown, I held the power button down until it turned off.  If there were a hiberfil.sys created, where would it be located?

hiberfil.sys is located on C drive, but the computer has to be hibernated to create/use this file. In your case you used hard shutdown.






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users