TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt


2251 replies to this topic

#1066 vilhavekktesla

Posted 10 February 2016 - 03:10 PM

So here's my story.

My boss at work opened the email with the virus.

So we have a network of computers and even a Server 2012 R2 and a NAS server (probably Linux, I guess).

The virus encrypted all the files on our network (all PCs and even the 2012 R2 have Kaspersky Small Office Security on it).

I restored the files on my PC, and on our Server 2012 R2 (on his computer it was not possible to do that).

But.... The files on the NAS server are still encrypted and I don't know how to restore them.

The NAS server is a "Synology DS214" if anyone wants to know.

Hi, is it the .micro virus or another type?


The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0.1b or newer (if needed)

The master key is released so there is no need to pay to get the key.

About 200 550 different ransomwares exist so think safe backups at all time.



#1067 vilhavekktesla

Posted 10 February 2016 - 03:13 PM

Update: @Bloody and others

I want to thank all of you guys for your time and support. I successfully decrypted all data with the .ecc extension :bananas:

If this can help somebody:

The solution for my problem was to find the deleted key.dat (deleted by the virus itself or an AV tool?), because with the existing key.dat decryption did not work.

I used the EaseUS free recovery wizard (recovery limited to 1GB), which found me that deleted key and also lots of files from before encryption, which can also be a solution if you don't need all of the data.

After that I just followed the instructions for decryption and everything was a piece of cake.

That is very great, and even if the limit of 1G is too little it is not difficult to buy that product, when you know it works:)

Hopefully the program did not restore the file to the same disk, but restored it to memory so you could store it on another drive. If not the more you restore the more unlikely it is to recover the rest of your files. If that is the case, make sure you restore the most important files first :)

 

You got a big warning shot this time. Great it worked out... and do not forget healthy backups :)


Edited by vilhavekktesla, 10 February 2016 - 03:15 PM.



#1068 tech91

Posted 10 February 2016 - 03:22 PM

I have a curiosity, if there is an expert on this question how much computing power it would take to decrypt a file .micro RSA 4096?

#1069 quietman7

Global Moderator

Posted 10 February 2016 - 04:00 PM

I have a curiosity, if there is an expert on this question how much computing power it would take to decrypt a file .micro RSA 4096?

TeslaCrypt Ransomware encrypts data using AES Encryption.

Please read my explanation about encryption in this topic (Post #847).

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE (Unified Network of Instructors and Trusted Eliminators)
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click the donate button.


#1070 Shakir86

Posted 10 February 2016 - 05:02 PM

So here's my story.
My boss at work opened the email with the virus.
So we have a network of computers and even a Server 2012 R2 and a NAS server (probably Linux, I guess).
The virus encrypted all the files on our network (all PCs and even the 2012 R2 have Kaspersky Small Office Security on it).

I restored the files on my PC, and on our Server 2012 R2 (on his computer it was not possible to do that).

But.... The files on the NAS server are still encrypted and I don't know how to restore them.

The NAS server is a "Synology DS214" if anyone wants to know.

Hi, is it the .micro virus or another type?

It is the .micro one

#1071 vilhavekktesla

Posted 10 February 2016 - 05:12 PM

So here's my story.
My boss at work opened the email with the virus.
So we have a network of computers and even a Server 2012 R2 and a NAS server (probably Linux, I guess).
The virus encrypted all the files on our network (all PCs and even the 2012 R2 have Kaspersky Small Office Security on it).

I restored the files on my PC, and on our Server 2012 R2 (on his computer it was not possible to do that).

But.... The files on the NAS server are still encrypted and I don't know how to restore them.

The NAS server is a "Synology DS214" if anyone wants to know.

Hi, is it the .micro virus or another type?

It is the .micro one

 

That is unfortunate.

 

For one small chance, or two actually.

Some drives may have been erased by turning off shadow copy, but there is a chance the NAS drives and network drives survived, so you may be able to look for the data in those locations, both with ShadowExplorer or similar programs but also with recovery programs. You may get help on Bleeping Computer, but you could also contact a local data shop where the personnel have competence in data recovery.

 

You probably know it is important not to overwrite anything on the drive, and that you should concentrate on recovering the most important stuff first, then slowly work through all the files and folders. The drive directly connected to the machine with the virus would be harder to recover, but there might be a possibility, so don't give up until you have tried all solutions, but again, if you do not feel comfortable doing this, seek help from others you trust.

 

I'm not familiar with the Synology DS214, but it appears to me it is a network disk (or with bays to insert extra disks) and that network disk is similar to the W2012 server (it runs W7), so it may be regarded as a server with all server tools available, or simply as a hard drive.

 

It could be possible to recover on the W7 NAS station, but make sure the OS does not overwrite anything, or it could be possible to regard the NAS as broken... and just restore the data like on any hard drive. This is why I advise you to contact a data shop for advice.

Not necessarily that you follow them, but you may get a second opinion. I see the NAS is about 330 USD, so it appears it was an investment in both backup, convenient space to share data and extra storage for more than one user.

 

Just be careful so you do not make any mistakes, and discuss the alternatives with your boss.

 

Regards


Edited by vilhavekktesla, 10 February 2016 - 05:23 PM.



#1072 Shakir86

Posted 10 February 2016 - 05:20 PM

So I need to know how I can recover the files on the DS214 NAS server. Any clue?

#1073 vilhavekktesla

Posted 10 February 2016 - 05:35 PM

Not really, except general clues / advice. The first is to find out how it is built: how many hard drives it has, and where the data is stored.

That is why I advise you to contact a local store, to let them investigate it and give the best advice. You can always come back to BC and have the advice filtered and commented on, and you have lots of time to do it correctly, as the alternative is much worse.

 

I just checked a link on that NAS to get me an idea what it is.

 

I have a NAS myself; it is a Netgear router with a connection for a 4TB external hard drive, so I would treat the NAS as any normal hard drive.

You thought the NAS could be a Linux machine; the link I found by the search term "Synology DS214" said this:

Synology DiskStation 2-Bay (Diskless) Network Attached Storage (NAS) DS214 (Windows 7 Professional) is a personal computer product from Synology America.

I searched with ducduckgo.com instead of google.

If it is W7 then most computer shops / others should know how to handle it in the right way, in order not to recover any data in a way that makes it more difficult to restore the rest. There are a few things that must be known, and one is how much space is used. The less that is used, the better the chance of recovering, since then the OS (assuming W7 now) may have written different data to different locations on the disk. When the disk gets full, the OS will overwrite already erased/deleted space, and this makes it more difficult to recover, so again I advise you to search for help on Bleeping Computer about data recovery, but most of all consult some local people to help with the recovery. And not to forget, make a backup of the already encrypted and not encrypted files so you have them.

 

Hope this helps a bit.




#1074 Demonslay335

Security Colleague

Posted 10 February 2016 - 05:45 PM

You thought the NAS could be a Linux machine; the link I found by the search term "Synology DS214" said this:

Synology DiskStation 2-Bay (Diskless) Network Attached Storage (NAS) DS214 (Windows 7 Professional) is a personal computer product from Synology America.

I searched with ducduckgo.com instead of google.

If it is W7 then most computer shops / others should know how to handle it in the right way, in order not to recover any data in a way that makes it more difficult to restore the rest. There are a few things that must be known, and one is how much space is used. The less that is used, the better the chance of recovering, since then the OS (assuming W7 now) may have written different data to different locations on the disk. When the disk gets full, the OS will overwrite already erased/deleted space, and this makes it more difficult to recover, so again I advise you to search for help on Bleeping Computer about data recovery, but most of all consult some local people to help with the recovery. And not to forget, make a backup of the already encrypted and not encrypted files so you have them.

 

Synology DiskStations run on a proprietary fork of Linux called DSM. There was even a special ransomware that broke into certain vulnerable firmwares of them called "SynoLocker" at one time. We sell them where I work, but I'm not familiar with doing recovery on them for something like this - only worked on recovering from hardware failures really. You could try the usual techniques described in the FAQ, such as Recuva, PhotoRec, and ShadowExplorer. Other than that, backing up your data and hoping for a solution is the only option left.

 

https://en.wikipedia.org/wiki/Synology_Inc.#Synology_DiskStation_Manager_.28DSM.29


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#1075 vilhavekktesla

Posted 10 February 2016 - 05:50 PM

You thought the NAS could be a Linux machine; the link I found by the search term "Synology DS214" said this:

Synology DiskStation 2-Bay (Diskless) Network Attached Storage (NAS) DS214 (Windows 7 Professional) is a personal computer product from Synology America.

I searched with ducduckgo.com instead of google.

If it is W7 then most computer shops / others should know how to handle it in the right way, in order not to recover any data in a way that makes it more difficult to restore the rest. There are a few things that must be known, and one is how much space is used. The less that is used, the better the chance of recovering, since then the OS (assuming W7 now) may have written different data to different locations on the disk. When the disk gets full, the OS will overwrite already erased/deleted space, and this makes it more difficult to recover, so again I advise you to search for help on Bleeping Computer about data recovery, but most of all consult some local people to help with the recovery. And not to forget, make a backup of the already encrypted and not encrypted files so you have them.

 

Synology DiskStations run on a proprietary fork of Linux called DSM. There was even a special ransomware that broke into certain vulnerable firmwares of them called "SynoLocker" at one time. We sell them where I work, but I'm not familiar with doing recovery on them for something like this - only worked on recovering from hardware failures really. You could try the usual techniques described in the FAQ, such as Recuva, PhotoRec, and ShadowExplorer. Other than that, backing up your data and hoping for a solution is the only option left.

 

https://en.wikipedia.org/wiki/Synology_Inc.#Synology_DiskStation_Manager_.28DSM.29

 

If it is Linux running any ext filesystem or other journalling file system, something tells me it can be accessed like a Linux system.

Then what is needed is someone with competence in Linux, like even the manufacturer. So one option could be to contact them for advice.




#1076 jimbo1337

Posted 10 February 2016 - 05:51 PM

People are PMing me now, like the users jaisel (faker) and HLR7594 (nice guy) - and asking for the .zips and exploit links..

 

For me, in my personal opinion, the people want to get a new virus that is "hurting" some other people..

 

The user jaisel, for me, in my personal opinion, is a "faker", and the HLR7594 guy also uploaded some stuff, so I think he is maybe a nice IT guy who is trying his best..

The user jaisel is just trash-talking about a conversation about a discount because he is poor.. for me it's new that you have the *.micro tesla 3 and a chatbox will light up and you talk about a discount with the "cybercriminal" and it's just 'okay, you get a discount'

- I will not send any links or information via PM, just to the admins, mods and users with a nice profile (more than 20 posts / registration date about 4 months+)


Edited by jimbo1337, 10 February 2016 - 05:55 PM.


#1077 vilhavekktesla

Posted 10 February 2016 - 06:25 PM

You thought the NAS could be a Linux machine; the link I found by the search term "Synology DS214" said this:

Synology DiskStation 2-Bay (Diskless) Network Attached Storage (NAS) DS214 (Windows 7 Professional) is a personal computer product from Synology America.

I searched with ducduckgo.com instead of google.

If it is W7 then most computer shops / others should know how to handle it in the right way, in order not to recover any data in a way that makes it more difficult to restore the rest. There are a few things that must be known, and one is how much space is used. The less that is used, the better the chance of recovering, since then the OS (assuming W7 now) may have written different data to different locations on the disk. When the disk gets full, the OS will overwrite already erased/deleted space, and this makes it more difficult to recover, so again I advise you to search for help on Bleeping Computer about data recovery, but most of all consult some local people to help with the recovery. And not to forget, make a backup of the already encrypted and not encrypted files so you have them.

 

Synology DiskStations run on a proprietary fork of Linux called DSM. There was even a special ransomware that broke into certain vulnerable firmwares of them called "SynoLocker" at one time. We sell them where I work, but I'm not familiar with doing recovery on them for something like this - only worked on recovering from hardware failures really. You could try the usual techniques described in the FAQ, such as Recuva, PhotoRec, and ShadowExplorer. Other than that, backing up your data and hoping for a solution is the only option left.

 

https://en.wikipedia.org/wiki/Synology_Inc.#Synology_DiskStation_Manager_.28DSM.29

 

If it is Linux running any ext filesystem or other journalling file system, something tells me it can be accessed like a Linux system.

Then what is needed is someone with competence in Linux, like even the manufacturer. So one option could be to contact them for advice.

 

I read some more on Wikipedia:

DSM Extensibility

Synology's software architecture allows for third-party add-on application integration. Hundreds of third-party applications are available in addition to Synology's own catalog. Command line access via SSH or Telnet is available. Access to development tools and APIs are also available on Synology's website. Third-party applications can be written in an interpreted programming language such as PHP or compiled to binary format. Public APIs allow custom applications to integrate into Synology's web-based user interface. Installers using the SPK format can install third-party applications directly on the DSM operating system.

 

If it is possible to connect to the system through SSH there might be possibilities to find out more about the NAS; the previous advice still stands. There are even some Linux forums on BC to discuss tools / methods.




#1078 SleepyDude

Malware Response Team

Posted 10 February 2016 - 06:36 PM

Hi,

 

So I need to know how I can recover the files on the DS214 NAS server. Any clue?

 

Do you know the version of the DSM the NAS is running? If you login using the web interface it should be easy to find the version.

 

There is a forum related to the Synology product, with topics like this one: How to undelete files? I expect that extundelete from the last post only works on older DSM.

Did the files on the NAS get encrypted because they are accessible using a mapped network drive?

Edit: On recent versions of the DSM the login page shows the version.


Edited by SleepyDude, 10 February 2016 - 06:40 PM.

• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem from one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

Proud graduate of GeekU and member of UNITE
___
Rui


#1079 PishedOff

Posted 10 February 2016 - 06:46 PM

Hi peeps,

 

I am pretty sure I have been infected with TeslaCrypt 3.0 (the .micro one). As soon as I realised I had been infected, I killed the internet connection and have since just been using my computer via a Linux live USB, just so I can safely browse the internet etc.

As I understand it, there is currently nothing one can do about decrypting .micro files for now. I only have about 1-200 pictures that I would really like to save; the rest I don't care about, and I am thinking about getting rid of Windows permanently and moving to Linux full time. So, to save on disinfecting my computer, if I just backed up those 200 encrypted pictures and then reformatted my computer, if (or when?) help is at hand to decrypt .micro files, would you know if that can be done from a Linux machine, or would it have to be done on Windows, or on the same computer they came from?

And also, is there any way the actual virus can attach itself to any of my encrypted photos etc., i.e. I don't want to accidentally infect a different computer by storing my [encrypted] photos on there whilst waiting for help.

Does it look likely that the .micro files will ever be able to be decrypted? Or is it known that it's totally uncrackable?

 

Many Thanks,


Edited by PishedOff, 10 February 2016 - 06:48 PM.


#1080 quietman7

Global Moderator

Posted 10 February 2016 - 07:17 PM

...Does it look likely that the .micro files will ever be able to be decrypted? Or is it known that its totally uncrackable?

As of now, there is no way of decrypting TeslaCrypt 3.0 .xxx, .ttt, or .micro variants since they use a different protection/key exchange algorithm, a different method of key storage and the key for them cannot be recovered. Please read BloodDolly's reply in Post #933. If infected with any of these extensions, backup all your encrypted files and wait for solution.

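The "back up all your encrypted files and wait for a solution" step that the moderators keep recommending, as an added defender-side helper (not from this thread and not one of the BleepingComputer tools linked above): it inventories a share read-only, copies every file carrying one of the TeslaCrypt extensions named in the thread to a separate destination, verifies each copy by SHA-256 and writes a manifest so the set can be re-checked before any decryption attempt. The extension sets are taken from the thread; the sample tree built in demo() is constructed, not real victim data.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Union

# TeslaCrypt extensions named in this thread: .ecc/.exx/.ezz can be decrypted
# with TeslaDecoder; the 3.0 variants .xxx/.ttt/.micro have no decryptor yet.
DECRYPTABLE = {".ecc", ".exx", ".ezz"}
WAIT_FOR_SOLUTION = {".xxx", ".ttt", ".micro"}


def classify(path: Union[str, Path]) -> Optional[str]:
    """'decryptable', 'wait', or None when the name carries no known extension."""
    ext = Path(path).suffix.lower()
    if ext in DECRYPTABLE:
        return "decryptable"
    if ext in WAIT_FOR_SOLUTION:
        return "wait"
    return None


def sha256_of(path: Path) -> str:
    """Hash in 1 MiB chunks so large files on a NAS share need not fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root: Path) -> List[Dict[str, str]]:
    """List every encrypted file under root. The share is only ever read."""
    records = []
    for path in sorted(root.rglob("*")):
        status = classify(path) if path.is_file() else None
        if status is None:
            continue
        records.append({
            "relative": path.relative_to(root).as_posix(),
            "original_name": path.with_suffix("").name,  # name before renaming
            "status": status,
            "size": str(path.stat().st_size),
            "sha256": sha256_of(path),
        })
    return records


def preserve(root: Path, dest: Path) -> Dict[str, int]:
    """Copy encrypted files to dest (a different drive), verify each copy by
    hash and write a manifest, so the set can be re-checked before decrypting."""
    counts = {"decryptable": 0, "wait": 0, "copy_errors": 0}
    records = inventory(root)
    dest.mkdir(parents=True, exist_ok=True)
    for rec in records:
        target = dest / rec["relative"]
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(root / rec["relative"], target)  # copy2 keeps timestamps
        if sha256_of(target) != rec["sha256"]:
            counts["copy_errors"] += 1
            continue
        counts[rec["status"]] += 1
    (dest / "manifest.json").write_text(json.dumps(records, indent=2))
    return counts


def demo() -> Dict[str, int]:
    """Run preserve() over a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        share, backup = Path(tmp, "share"), Path(tmp, "backup")
        (share / "docs").mkdir(parents=True)
        (share / "docs" / "report.docx.micro").write_bytes(b"\x00" * 64)
        (share / "docs" / "photo.jpg.ecc").write_bytes(b"\x01" * 64)
        (share / "docs" / "notes.txt").write_bytes(b"untouched plain text")
        counts = preserve(share, backup)
        counts["manifest_entries"] = len(json.loads((backup / "manifest.json").read_text()))
        return counts
```

Point `preserve()` at the mounted share and at a destination on a different physical drive, since writing the backup onto the affected disk would overwrite the deleted originals that Recuva, PhotoRec or extundelete might still recover.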
