Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New TeslaCrypt version released that uses the .EXX extension.


  • Please log in to reply
222 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,368 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 11 May 2015 - 02:19 PM

A new variant of TeslaCrypt has been released last week that has a few minor changes, but for the most part is the same as Alpha Crypt. The main differences are that this new version has a different graphical user interface, which is shown below, some file name and location changes, and uses the .EXX extension when encrypting your files.

 

application.jpg
New TeslaCrypt version



TeslaCrypt versions do not include the name of the ransomware in the application itself. It is only till you go to the decryption site that you will see the namw of the particular version. With this new version the ransomware no longer has an identifying name associated with it. My guess for not naming this new version is to make it harder for people to search for help topics, like on our forums for example, to receive help. You can see the header of the decryption service site where the name usually appears below.

 

decryption-service-header.jpg
Decryption Service site header with lack of distinguishing name.



Just like Alpha Crypt, it will search out files with the following extensions, encrypt them, but now uses the .EXX extension.
 
.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
When it is done it will change your wallpaper to the Desktop%\HELP_RESTORE_FILES.bmp ransom note and also display a text note found here %Desktop%\HELP_RESTORE_FILES.txt.

Finally, there are some file name and file location changes with this new version. In the past encryption information was stored in the %AppData%\key.dat file. In this version the information is stored in %LocalAppData%\storage.bin.

At this point there is no way to decrypt your files and TeslaDecrypt will not work with this infection. As more information is discovered, we will be sure to post it here. As always the best way to get the most up-to-date information on the TeslaCrypt family can be found in this guide:
 

TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ



Known new TeslaCrypt Files:
%LocalAppData%\<random>.exe
%LocalAppData%\log.html
%LocalAppData%\storage.bin
%Desktop%\Save_Files.lnk
%Desktop%\HELP_RESTORE_FILES.bmp
%Desktop%\HELP_RESTORE_FILES.txt
%Documents%\RECOVERY_FILE.TXT
Known new TeslaCrypt Ransomware Registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AVrSvc	%LocalAppData%\<random>.exe
HKCU\Control Panel\Desktop\Wallpaper	"%Desktop%\HELP_RESTORE_FILES.bmp"


BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops Tech Warrior


  • Malware Study Hall Senior
  • 14,784 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:10:29 AM

Posted 11 May 2015 - 02:22 PM

I thought that this user on Malwarebytes was hit by Alpha Crypt, but it looks like it got hit by the newest version.

https://forums.malwarebytes.org/index.php?/topic/168251-malwarebytes-beats-hitmanpro-alert-on-its-own-game/

He provided a malwr.com report link to the executable he ran, but it got deleted by the Moderators there for safety purpose. I still have it and the ransom message is the same, even the window name is the same as well.

Help BleepingComputer Defend Freedom of Speech
Member of the Bleeping Computer A.I.I. early response team!
Technical Support, Tier 2 | Sysnative Windows Update Junior Analyst | Malware Hunter | R&D at Certly
My timezone UTC-05:00 (East. Coast), so if I'm assisting you in a thread, and I've not been online for a while, please check the time to see if I'm awake or asleep!


#3 buddy215

buddy215

  • BC Advisor
  • 9,511 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:29 AM

Posted 11 May 2015 - 03:20 PM

Is this fix/ decryption report no more useful? Threat Spotlight: TeslaCrypt – Decrypt It Yourself

 

Cisco Blog > Threat Research

Threat Spotlight: TeslaCrypt – Decrypt It Yourself
TalosBrand_blog_size_thumbnail.png
Talos Group | April 27, 2015 at 8:39 am PST
 
(189 Comments)

This post was authored by: Andrea Allievi, Earl Carter & Emmanuel Tacheau

Update 4/28: Windows files recompiled with backward compatibility in Visual Studio 2008

Update 5/8: We’ve made the source code available via Github here

After the takedown of Cryptolocker, we have seen the rise of Cryptowall. Cryptowall 2 introduced “features” such as advanced anti-debugging techniques, only to have many of those features removed in Cryptowall 3. Ransomware is becoming an extremely lucrative business, leading to many variants and campaigns targeting even localized regions in their own specific languages. Although it is possible that these multiple variants are sponsored by the same threat actor, the most likely conclusion is that multiple threat actors are jumping in to claim a portion of an ever increasing ransomware market. One of the latest variants is called TeslaCrypt and appears to be a derivative of the original Cryptolocker ransomware. Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead. Talos was able to develop a tool which decrypts the files encrypted by the TeslaCrypt ransomware.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”
Lawrence M. Krauss


#4 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,368 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 11 May 2015 - 03:28 PM

TeslaDecrypt is only for the original .ecc version.

#5 rramalho

rramalho

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:29 PM

Posted 12 May 2015 - 11:16 AM

Lawrence , any update ?



#6 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 42,368 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:29 AM

Posted 12 May 2015 - 11:51 AM

Nothing yet. I received word back from one of the Cisco devs. They are looking at it. That's all I have right now.

#7 Odail Oliveira

Odail Oliveira

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:29 AM

Posted 12 May 2015 - 11:52 AM

hello, I would get information about this screen shot I made on my pc, my ta partitioned system on and off,
 I have had several problem on my pc and I can not solve,
 already sent format several times and always returns the same settings for me encomodar.


#8 Aura

Aura

    Bleepin' Special Ops Tech Warrior


  • Malware Study Hall Senior
  • 14,784 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:10:29 AM

Posted 12 May 2015 - 11:55 AM

Hi Odail Oliveira :)

If you need assistance with an issue, I suggest you to post it in the appropriate section on BleepingComputer and someone will come assist you :)

Help BleepingComputer Defend Freedom of Speech
Member of the Bleeping Computer A.I.I. early response team!
Technical Support, Tier 2 | Sysnative Windows Update Junior Analyst | Malware Hunter | R&D at Certly
My timezone UTC-05:00 (East. Coast), so if I'm assisting you in a thread, and I've not been online for a while, please check the time to see if I'm awake or asleep!


#9 rramalho

rramalho

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:29 PM

Posted 12 May 2015 - 12:06 PM

Thanks ! 



#10 phatsuit

phatsuit

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 12 May 2015 - 08:26 PM

I just got this. Is there anything I can do to restore my files besides paying them. If I pay them, will it be fixed?



#11 Aura

Aura

    Bleepin' Special Ops Tech Warrior


  • Malware Study Hall Senior
  • 14,784 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:10:29 AM

Posted 12 May 2015 - 08:31 PM

Hi phatsuit :)

Right now, there's no way to decrypt the files encrypted by this new variant for free. Also, TeslaCrypt variants runs a command that delete all the Shadow Volume Copy files stored on the system, which prevents you from recovering your files using the "Previous Versions" method. You can always check if you can, in case the command didn't run or didn't run properly. Shadow Explorer is a free program that you can use to navigate throught your shadow copies and can be easier to use in opposition to Windows' native explorer. Also, you can try to use free data recovery software to recover your files, but there's no guarantee that it'll work. Some of these free data recovery software are:Take in consideration that none of these software guarantee that they'll be able to recover everything, if not anything at all. Plus, since they are free software, they have a data recovery limit as well (ranging between 1 and 10GB).

And I don't think anyone paid the ransom for it yet, so I couldn't tell.

Help BleepingComputer Defend Freedom of Speech
Member of the Bleeping Computer A.I.I. early response team!
Technical Support, Tier 2 | Sysnative Windows Update Junior Analyst | Malware Hunter | R&D at Certly
My timezone UTC-05:00 (East. Coast), so if I'm assisting you in a thread, and I've not been online for a while, please check the time to see if I'm awake or asleep!


#12 phatsuit

phatsuit

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 12 May 2015 - 08:40 PM

Thanks, Id be willing to pay for them to be decrypted. Anything that does that?



#13 Aura

Aura

    Bleepin' Special Ops Tech Warrior


  • Malware Study Hall Senior
  • 14,784 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:10:29 AM

Posted 12 May 2015 - 08:46 PM

Since this variant is brand new, I doubt that anyone have a paid decryption for it, except the crooks themself. Also, it's never adviced to pay the ransom when you get hit by a Cryptoware, since in a way, it just "supports" the people behind it. However, if you have data that cannot be replaced, financially talking or for the future of a company, than there might be no other choice. Personally, I don't support paying the ransom but it's just my opinion.

Help BleepingComputer Defend Freedom of Speech
Member of the Bleeping Computer A.I.I. early response team!
Technical Support, Tier 2 | Sysnative Windows Update Junior Analyst | Malware Hunter | R&D at Certly
My timezone UTC-05:00 (East. Coast), so if I'm assisting you in a thread, and I've not been online for a while, please check the time to see if I'm awake or asleep!


#14 rramalho

rramalho

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:29 PM

Posted 13 May 2015 - 06:03 AM

Aura,

 

Already tried that approach ...no luck !

 

From what i know , you can't recover the deleted Shadow copy files , they are stored different from ordinary files and so even the recovery programs won't work with them...


Edited by rramalho, 13 May 2015 - 06:11 AM.


#15 Aura

Aura

    Bleepin' Special Ops Tech Warrior


  • Malware Study Hall Senior
  • 14,784 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:10:29 AM

Posted 13 May 2015 - 06:54 AM

Some people succeeded in recovering these copies using the programs I listed, however since every system is different, what works for one person might not work for the other sadly.

Help BleepingComputer Defend Freedom of Speech
Member of the Bleeping Computer A.I.I. early response team!
Technical Support, Tier 2 | Sysnative Windows Update Junior Analyst | Malware Hunter | R&D at Certly
My timezone UTC-05:00 (East. Coast), so if I'm assisting you in a thread, and I've not been online for a while, please check the time to see if I'm awake or asleep!





2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users