TeslaCrypt ransomware changes its name to Alpha Crypt

doesnot work for me and:

Loading data file from >> C:\Users\farhad\AppData\Roaming\key.dat
Data file version 3 recognized.
ERROR - Decryption key is not present in data file.
Decryption key was destroyed by TeslaCrypt.
Unfortunately this tool can't recover decryption key. :-(

Some of our files are still encrypted with Alpha Crypt variant.

By using Bloody's tool we got the following message:

ERROR - Wrong data file format:
Bitcoin address is missing.

We have the Original key.dat file

Anyone has an idea?

TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt

Hi ! DO you think this is possible that one day someone found un way to
decrypted   files encrypted by TeslaCrypt ?

We done all thing found on internet I have a storage.bin (on for each
account on the pc) and when I am trying Tesladecoder it said that no Key
are present !! Shadow folder files has been deleted ....

I look on the file recovery_file.TXT and I found the following lines ....

1ApGNYpsjzfNgUmHeoC8VXwGTBrM8DRXZi
58FD301BFDF0CB295B325D1199748A5910BFDCBD45D29335F39967B2ED7153AA
4923BBF91840B05C8600659A0833D204541DC087332BA7AF31CB7DD3764D13EF03D2792AD73B330AEF38B4D4C7C27C17BD722530A41F8002D2043A8DFE36CECC

What can I do with that ?? I don't have the main key ....

If someone can help ??? I really appreciate ....

Thanks Rejean

 

first and foremost, a sincere and big thank you to all of you who are helping the infected and helpless masses - many many thanks! also, i originally posted this in the ".aaa" variant thread, so that's the one im infected with...

ok, so i must have gotten infected sometime late last night, right before putting the pc (xp sp3 home with only 19gigs of total hd space - 16gigs of it used) on standby and going to bed. note: i do NOT open any emails on that pc, ever, i had to have gotten bit from an infected page (i was visting politically themed blogs, one of them must have got me). anyway, i turned on the pc today and noticed some weird files (with .aaa extension) and new icons on desktop, but no official ransom page yet. i immediately disconnected ethernet cable and the 2 external hd's (ive managed to check one of them and thank goodness it doesnt appear to have been compromised, the other one im afraid to check so im putting it off for later). went to startup via ccleaner and confirmed that two (maybe three) new items were added, disabled them.

i was afraid to stay on the infected pc, so im speaking from memory, which is a bit hazy about exact details, though logs were made - plz forgive me for the vagueness of the next few details but... using something to halt processes, i halted processes, then used JRT, which did something (wish i could remember what). then scanned using AdwCleaner, and it found several files which i let it "clean". when done it asked to reboot, i said yes. once fully restarted i then got the official ransom page. went to my music folder, double clicked a song, and it played. i then shut the pc down again, and restarted it using bitdefender rescue disk on cd, and did a scan. it found "1 threat in 2 items still present" on the pc, the one listed as "gen:trojan.heur.autoIT.1", and thats where im at currently - afraid or unsure of what to do or not to do. having read about teslacrypt and its variants for the past few hours, i dont want to risk losing anything which might help decrypt whatever files have been encrypted. so here are my questions:

should i let bitdefender clean the trojan? if yes, should i delete or disinfect it? what should i do after that? will either grinler's or dolly's tool work with the .aaa file extension? if not or if it fails because the key is gone, whats my next step?

is there an automated program that can gather the pieces i need to save and put away for possible future release/leak of a key?

what do i need to do to return to "normal" computing/surfing? is there an automated program that will remove the requisite entries/files/executables for the ransomware? or is that what the scanners have already removed? note: as a final step i will run eset's free scanner...

probably a dumb question, but should i run malwarebytes' anti-rootkit? should i run combofix?

again thanks for any help, and plz forgive my noobishness, im dumbfounded and lost as to what exactly to do next. i did read the two faqs for crypto/tesla/alpha, but still am not quite sure of what specific action(s) to take next. any help or guidance anyone can offer would be greatly appreciated!

*remember im paused at the end of a bitdefender scan with two items awaiting action. please advise me on the best next immediate action to take - thank you!

aj138: By saying "putting the pc on standby" do you mean putting the PC to soft sleep or hibernation? I am asking because If you did put your PC to hibernation and didn't hibernate again, then you can have a snapshot of running TeslaCrypt in hiberfil.sys with your private key (decryption key). If this is your case then please don't hibernate again and backup your hiberfil.sys before next hibernation.

It seems that you can be infected by something else than TeslaCrypt, because I didn't see Tesla to be distributed with autoit malware/injector.

My decoder can't decode .aaa variant because the key is only in memory and it is never stored anywhere.

You can remove found infected items, becasue everything what you need for decryption of your files if Tesla's private key would be found /leaked is already stored in encrypted .aaa files. So everything what you need to backup is encrypted files.

Running Eset's free scanner is a good idea and if you don't have any antivirus solution you can install trial version of Eset Smart Security 8 (it is the same or better than running malwarebytes anti-rootkit and combobox or any anti malware tool).

So your next step can be removing infection and check what is in run keys in windows registry (if you can check it). Comment out everything suspicious (You have to be sure that Tesla is not in run key before you start your windows again.) and if you can boot from some live CD with internet then run Eset's free online scanner.

thanks so much BD, sorry for the very late reply. previously, i was able to bring a stop to the virus that was encrypting my files, but there was significant damage, all the writings, videos and pics on my pc were lost, as was about 5% of similar files on my external hd. curiously, the virus did not encrypt any of my mp3's. and yes - as it turned out, i was also infected with some other crap*, more on that in a second... 

anyway, fast forward to 7:30pm friday night, while surfing the net in search of flight simulators and screen recording software, i was again infected by ransomware that encrypted my files. what's unique about it is that this variant did NOT change any file extensions, all of the files appear normal, until you click on them. for instance, a text file will open, but contains weird symbols and jibberish instead of the words i had written and saved in that file. also, this virus, did not spare my music, all my mp3's have stopped playing. i didnt have many new pics/vids or writings since im still just getting over the previous infection, but my entire pc was again compromised - most of my files are now encrypted and useless (as are about 3% of similar files on my external hd). note: the ransomware posted a html page link and a pic entitled "help_decrypt" in all the folders it infected (the pic is the same exact ransom note as i received by the .aaa infection).

*using eset online scanner and some other scanners, i was able to get this new virus to stop encrypting files. but while running combofix, i found out im still infected by a zeroaccess rootkit, which im hoping to get help removing... anyhow, many thanks to all, and tip of the hat to you BD for your prior help - cheers mate!

Edited by aj138, 08 November 2015 - 03:03 AM.