Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt


  • Please log in to reply
1814 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,526 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:27 PM

Posted 18 May 2015 - 02:10 PM

A free decryption tool was released by BloodDolly called TeslaDecoder. This utility has the ability to decrypt files encrypted by TeslaCrypt.

TeslaDecoder can now decrypt all variants of TeslaCrypt 3.x and 4.x. This includes encrypted file extensions: .micro, .xxx, .ttt, .mp3, and encrypted files that were not renamed.
 

tesladecoder.png
TeslaDecoder Decryption Tool

TeslaDecoder can be downloaded from this url:
 

http://download.bleepingcomputer.com/BloodDolly/TeslaDecoder.zip

A changelog for the tool can be found here:
 

http://download.bleepingcomputer.com/BloodDolly/changelog.txt


For older versions of TeslaCrypt, when run, TeslaDecoder will search for certain Windows registry keys, the storage.bin file, or key.dat file, and if detected, will attempt to extract your decryption key. Once a decryption key is extracted it will allow you to decrypt all the files in a particular folder or all files on a computer. Unfortunately, on some victim's computers the decryption key has been stripped from the data files. In this situation, TeslaDecoder will be unable to help you recover your files.

For newer versions of TeslaCrypt, which most people are currently affected by, you will need to read the instructions contained in the download to learn how to decrypt your files.

We have already updated our TeslaCrypt guide with information about TeslaDecoder. For the latest information about TeslaCrypt, you can always visit the guide below that is continuously updated as new information is released:
 

TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ


Update 5/19/15 - Included link to download
Update 1/8/16 - Added information about the instructions included in the download.
Update 5/18/16 - TeslaDecoder can now decrypt all variants of TeslaCrypt 3.x and 4.x

Edited by Grinler, 18 May 2016 - 03:43 PM.
Forgot to post link to download


BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops Tech Warrior


  • Malware Response Team
  • 15,538 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:07:27 PM

Posted 18 May 2015 - 03:50 PM

I was wondering when BloodDolly's Decrypter would get it's own thread. It'll be easier now for him to offer support for it :) Time to edit my canneds to include it. Can the victims of TeslaCrypt (.ecc variant) still rely on the CISCO's Talos Group decrypter if BloodDolly's one fails?

Edited by Aura., 18 May 2015 - 03:52 PM.

Help BleepingComputer Defend Freedom of Speech
unite_blue.png
Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 neo-harqq

neo-harqq

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:27 AM

Posted 18 May 2015 - 09:55 PM

i tried to use this decoder but didn't work on key file storage.bin
warning message :

  • - data file version 4 recognized
  • - descryption key is not present in data file
  • - decryption key was destroyed by teslacrypt
  • - unfortunately this tool can't recover descryption key :-( 

 
nb: i move storage.bin to drive C:\file virus and i load manually use this decoder
 
so how?? any update or something i miss??



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 44,976 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:27 PM

Posted 18 May 2015 - 10:11 PM

I have placed links about this tool in all related topics.
Microsoft MVP - Consumer Security 2007-2015 MVP.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If we have helped you and you wish to make a DONATION, please Help BleepingComputer!

#5 BloodDolly

BloodDolly

  • Security Colleague
  • 448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:01:27 AM

Posted 19 May 2015 - 04:55 AM

i tried to use this decoder but didn't work on key file storage.bin
warning message :

  • - data file version 4 recognized
  • - descryption key is not present in data file
  • - decryption key was destroyed by teslacrypt
  • - unfortunately this tool can't recover descryption key :-( 

 
nb: i move storage.bin to drive C:\file virus and i load manually use this decoder
 
so how?? any update or something i miss??

It worked, storage.bin was decrypted and checked, but unfortunately your decryption key was already destroyed by TeslaCrypt. TeslaCrypt destroys decryption key when all of your files were encrypted. When this happens I can't recover your decryption key from data file without TeslaCrypt's writters private key.
When decryption key can't be recovered I recommend to backup up all your encrypted files, data file (key.dat or storage.bin) and recovery_key.txt or recovery_file.txt and wait for another solution.



#6 BloodDolly

BloodDolly

  • Security Colleague
  • 448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:01:27 AM

Posted 19 May 2015 - 05:02 AM

Can the victims of TeslaCrypt (.ecc variant) still rely on the CISCO's Talos Group decrypter if BloodDolly's one fails?

They can try it. :-)
But I don't think it will help, because Talos decrypter only takes 32B number from offsets 0x77 and 1xDB without checking.



#7 IOOP

IOOP

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 19 May 2015 - 07:20 AM

like i said on another topics I am one of the many people that had "the pleasure to meet". I had remove the executable which infected the files from my computer, I use in order to recover back the encrypted files the following tolls (shadow explorer, recuva) with no luck, the recuva tolls recover back only bacup files from windows partition useless. can I try  

TeslaDecoder released to decrypt .EXX or is to late?

 

Or any other tolls that can help me recover the encrypted files.

 

One mention, the extention file of the encripted docs is exx.

 

Thanks



#8 Aura

Aura

    Bleepin' Special Ops Tech Warrior


  • Malware Response Team
  • 15,538 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:07:27 PM

Posted 19 May 2015 - 07:22 AM

That's good, thank you BloodDolly :) Also, should we redirect people using your Decrypter tool to this thread for support? Because I think you noticed that some users post in the 2-3 threads about TeslaCrypt/Alpha Crypt about your tool if they have question. They basically copy/paste their reply in all the threads. I don't know if it would be easier for you to get them all redirected here.

Help BleepingComputer Defend Freedom of Speech
unite_blue.png
Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 44,976 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:27 PM

Posted 19 May 2015 - 07:32 AM

BloodDolly is subscribed to all the related topics and is handling support questions. Further, I already provided links to this topic.
Microsoft MVP - Consumer Security 2007-2015 MVP.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If we have helped you and you wish to make a DONATION, please Help BleepingComputer!

#10 Aura

Aura

    Bleepin' Special Ops Tech Warrior


  • Malware Response Team
  • 15,538 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:07:27 PM

Posted 19 May 2015 - 07:40 AM

I know that, but what if someone creates a new thread about the decrypter, like this one:

http://www.bleepingcomputer.com/forums/t/576652/how-repare-files-infected-to-tesla/

Should it be redirected in the TeslaCrypt thread, or this one since the user is having issues with the Decrypter?

Edit: Well I guess that you just answered my question in that thread :P

Edited by Aura., 19 May 2015 - 07:51 AM.

Help BleepingComputer Defend Freedom of Speech
unite_blue.png
Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 44,976 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:27 PM

Posted 19 May 2015 - 07:54 AM

Then just report it so staff can reply and close the topic.
Microsoft MVP - Consumer Security 2007-2015 MVP.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If we have helped you and you wish to make a DONATION, please Help BleepingComputer!

#12 BloodDolly

BloodDolly

  • Security Colleague
  • 448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:01:27 AM

Posted 19 May 2015 - 09:56 AM

That's good, thank you BloodDolly :) Also, should we redirect people using your Decrypter tool to this thread for support? Because I think you noticed that some users post in the 2-3 threads about TeslaCrypt/Alpha Crypt about your tool if they have question. They basically copy/paste their reply in all the threads. I don't know if it would be easier for you to get them all redirected here.

Yes, you can redirect them here. It would be good to have it only in one thread. Thanks.



#13 BloodDolly

BloodDolly

  • Security Colleague
  • 448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:01:27 AM

Posted 19 May 2015 - 10:00 AM

@IOOP:
Try my tool and you will see if you still have decryption key present in data file (key.dat or storage.bin).
But first read readme.txt file. :-)



#14 gotrojans

gotrojans

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:27 PM

Posted 19 May 2015 - 11:47 AM

BloodDolly,

 

If the decryption key has been removed from key.dat, have you had any luck using the Recovery_File.txt file?

 

Thanks

 

Ron



#15 BloodDolly

BloodDolly

  • Security Colleague
  • 448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:01:27 AM

Posted 19 May 2015 - 04:54 PM

BloodDolly,

 

If the decryption key has been removed from key.dat, have you had any luck using the Recovery_File.txt file?

 

Thanks

 

Ron

Unfortunately it is not about luck to get decryption key back when it is destroyed. It is possible in reasonable time in version 1 and 2, but since version 3 they start using ECDH for key exchange. As I wrote in antoher threads (http://www.bleepingcomputer.com/forums/t/575875/new-teslacrypt-version-released-that-uses-the-exx-extension/?view=findpost&p=3708417)
(http://www.bleepingcomputer.com/forums/t/575875/new-teslacrypt-version-released-that-uses-the-exx-extension/?view=findpost&p=3708349) there is nothing to do right now when decryption key was destroyed. The key part is in Tesla/AlphaCrypt creators and without their private key it is matematically impossible to get it/brute force in reasonable time.


Edited by BloodDolly, 19 May 2015 - 04:55 PM.





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users