Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TeslaCrypt (.VVV, .CCC, etc Files) Decryption Support Requests


  • Please log in to reply
4144 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 42,462 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:11 AM

Posted 05 January 2016 - 02:52 PM

This topic is to request help with decrypting files encrypted by TeslaCrypt. Encrypted files will be ones that have had their extensions changed to ecc, ezz, exx, xyz, zzz, aaa, abc, ccc, or vvv. In order to decrypt your files you can either attempt to do it yourself using the instructions given below or request help from a volunteer to do it for you. Please see the information below and choose the method you wish to use.


Useful information!
Unfortunately, this method will not work with TeslaCrypt encrypted files that have the .xxx, .ttt and .micro extensions.



How to crack your encrypted files yourself

For those who wish to try decrypting their own files, you can download TeslaDecoder and follow the instructions that are included in the download yourself. If you have a decent computer, then this is definitely the suggested method.

Instructions in Italian can be found here.


How to ask for help decrypting files encrypted by TeslaCrypt:

In order to request someone decrypt your files for you, you will need to register and validate a free account before you can reply to this topic.

Once you are registered, create a new reply to this topic requesting help. When creating the reply you should make sure you do the following steps.

Step 1: Start a Reply to this Topic

Click on the Reply to this Topic button and type in a request for help. Do not post the reply yet until you have followed all of the steps below.


Step 2: Check the Follow Topic Option

Be sure to put a checkmark in the Follow Topic checkbox as indicated by the image below so that you receive notifications when someone replies to this topic.
 

follow-topic.jpg



Optional Step 3: Share and include a link to an encrypted file.

If you include a link in your reply to an encrypted file it will make it easier for a volunteer to help you and thus you will receive help quicker. It is suggested that you only publicly share a link to a file that contains no personal information. A good candidate for a generic non-personal image are the files located in C:\Users\Public\Pictures\Sample Pictures folder.

If you have encrypted files there, or other non-personal files, you can share a link to a encrypted file by uploading it to SendSpace. When the file has been uploaded, you will be shown a screen stating that the upload was succesful as shown below.



sendspace-uploaded.jpg


The filename link is indicated by the red arrow in the image above.

Now right click on the filename link and select Copy Shortcut as shown in the image below.
 

sendspace-copy-shortcut.jpg


The shortcut you just copied should then be pasted into your reply requesting help.

Step 4: Post your topic and wait for a reply

When you have finished all of these steps, please click on the Add Reply button to post your request for help. Please remember that everyone who helps here is a volunteer, so please be patient while someone gets back to you. As always you can attempt to crack the file yourself by following the instructions in the TeslaDecoder file.

BC AdBot (Login to Remove)

 


#2 Demonslay335

Demonslay335

  • Security Colleague
  • 1,774 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:11 AM

Posted 05 January 2016 - 02:56 PM

Other variants can be also requested, including .aaa and .abc. I think .xyz and .zzz as well.
 
*From BloodDolly's documentation, we can currently accept requests for the following extensions.

All versions from 0.3.4b to current 2.2.0.
Extensions of encrypted files: ecc (0.3.4b+), ezz, exx, xyz, zzz, aaa, abc, ccc, vvv

.

 
Note: There is no way of decrypting TeslaCrypt 3.0 .xxx, .ttt, .micro, or .mp3 variants at this time since they use a different protection/key exchange algorithm, a different method of key storage and the key for them cannot be recovered. Support for TeslaCrypt 3.0 is in this topic where you can ask questions and seek further assistance.

 

TeslaCrypt 3.0 - 4.2 CAN be decrypted using BloodDolly's TeslaDecoder. Please view the support topic for more information.


Edited by Demonslay335, 05 June 2016 - 05:58 PM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]


#3 Zublov

Zublov

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:11 AM

Posted 05 January 2016 - 05:22 PM

338

Thank you VirusD.

But it does not work:
ImportError: No module named CryptoCipher


The files you send me are different from those that I send , corresponding to another user.

Is that why the error ?

Thank you so much for your help.

I forwarding files :
https://goo.gl/Kdx6RP

Thanks.
 



#4 VirusD

VirusD

  • Members
  • 84 posts
  • OFFLINE
  •  
  • Local time:02:11 AM

Posted 05 January 2016 - 05:25 PM

 

 

338

Thank you VirusD.

But it does not work:
ImportError: No module named CryptoCipher


The files you send me are different from those that I send , corresponding to another user.

Is that why the error ?

Thank you so much for your help.

I forwarding files :
https://goo.gl/Kdx6RP

Thanks.
 

 

The module, pyCrypto (64bit 32bit), has not been installed.


Edited by VirusD, 05 January 2016 - 05:26 PM.


#5 Googulator

Googulator

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:11 AM

Posted 05 January 2016 - 05:51 PM

Early versions ecc/exx/ezz should be doable too, as long as you have either key.dat (with or without private key) or recovery_key.txt

#6 buicked

buicked

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Buenos Aires, Argentina
  • Local time:03:11 AM

Posted 05 January 2016 - 05:54 PM

Hey Buddies, I need some help. First decryting went well, but archives were encrypted with more than one key

When i factor the second key with Yafu it gives me all thes factors 

 

P1 = 2
P1 = 2
P1 = 2
P1 = 2
P1 = 2
P1 = 2
P1 = 3
P1 = 3
P1 = 3
P1 = 3
P1 = 3
P1 = 3
P1 = 3
P1 = 3
P1 = 7
P2 = 13
P2 = 23
P2 = 43
P2 = 67
P2 = 73
P3 = 103
P3 = 347
P4 = 1877
P4 = 4759
P6 = 393997
P7 = 1540963
P12 = 706146735167
P15 = 584120456772631
P41 = 78673428939359542311802212035780140832119
P20 = 13525578570068500349
P13 = 4898465264327
P16 = 8659689308753911
 
When i run the unfactor.py script returns these errors
 
C:\Program Files (x86)\Python>python unfactor.py ImprimirCuentoinfantil1.pdf.vv
 2 2 2 2 2 2 3 3 3 3 3 3 3 3 7 13 23 43 67 73 103 347 1877 4759 393997 1540963
06146735167 584120456772631 78673428939359542311802212035780140832119 135255785
0068500349 4898465264327 8659689308753911
Traceback (most recent call last):
  File "unfactor.py", line 33, in <module>
    print(main(sys.argv[1], sys.argv[2:]))
  File "unfactor.py", line 20, in main
    for i in xrange(1<<len(primes)):
OverflowError: Python int too large to convert to C long
 
I assume that there is so many factors, but i don´t know how much should i use to run the script. Can someone help me?
 
Thanks in advance 


#7 gogi46

gogi46

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 05 January 2016 - 05:59 PM

Hello guys, Im a victim of Tesla  with the extension .vvv Is there any way to decrypt some/few important files? Can you help?

 

 

thank you very much in advance



#8 BloodDolly

BloodDolly

  • Security Colleague
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:08:11 AM

Posted 05 January 2016 - 06:00 PM

buicked: Download my TeslaDecoder and use TeslaRefactor, but you need corresponding public key so put an encrypted file to TeslaViewer.

Btw I would recommend to search for PrivateKeyBC and not PrivateKeyFile if this was that case.


Edited by BloodDolly, 05 January 2016 - 06:02 PM.


#9 Googulator

Googulator

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:11 AM

Posted 05 January 2016 - 06:03 PM

Ouch! Known Python 2.7 bug, xrange doesn't like big ranges. I thought we will never hit that limit in 64-bit Python, but unfortunately it seems it has the exact same 32-bit limit here. I'll upload a fix soon. In the meantime, try with Python 3.5 (plus appropriate version of pycrypto), which should have a fix for this.

#10 buicked

buicked

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Buenos Aires, Argentina
  • Local time:03:11 AM

Posted 05 January 2016 - 06:09 PM

buicked: Download my TeslaDecoder and use TeslaRefactor, but you need corresponding public key so put an encrypted file to TeslaViewer.

Btw I would recommend to search for PrivateKeyBC and not PrivateKeyFile if this was that case.

}Thanks BloodDolly 

. I´ve tried your suggestion but no success. Private Key Not found(Tried with BC an Public Key)



#11 BloodDolly

BloodDolly

  • Security Colleague
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:08:11 AM

Posted 05 January 2016 - 06:12 PM

 

buicked: Download my TeslaDecoder and use TeslaRefactor, but you need corresponding public key so put an encrypted file to TeslaViewer.

Btw I would recommend to search for PrivateKeyBC and not PrivateKeyFile if this was that case.

}Thanks BloodDolly 

. I´ve tried your suggestion but no success. Private Key Not found(Tried with BC an Public Key)

 

Check if calculated procuct match with original SharedSecret*PrivateKey or try to disable optimization.



#12 personmans

personmans

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:11 PM

Posted 05 January 2016 - 06:16 PM

Hello,

I have a version 2.2.0 .vvv file infected machine and would appreciate any help with getting the private key.

 

 

Thank You,

Personmans



#13 buicked

buicked

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Buenos Aires, Argentina
  • Local time:03:11 AM

Posted 05 January 2016 - 06:20 PM

@Googulator

Thanks for the advice, i will try it and let you know if it works

 

Thanks for all docs and scripts!!! @VirusD thank you for so much help for all of us too



#14 gogi46

gogi46

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 05 January 2016 - 06:25 PM

buicked: Download my TeslaDecoder and use TeslaRefactor, but you need corresponding public key so put an encrypted file to TeslaViewer.

Btw I would recommend to search for PrivateKeyBC and not PrivateKeyFile if this was that case.

BloodDolly Can you help us please 
 
i get this message:

 

 

*** You can load data file manually by clicking on Load data file button. ***
*** You can decode Tesla's request by clicking on Decode request button ***
*** You can set decryption key by clicking on Set key button ***

Edited by gogi46, 05 January 2016 - 06:28 PM.


#15 BloodDolly

BloodDolly

  • Security Colleague
  • 434 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Slovakia
  • Local time:08:11 AM

Posted 05 January 2016 - 06:38 PM

 

buicked: Download my TeslaDecoder and use TeslaRefactor, but you need corresponding public key so put an encrypted file to TeslaViewer.

Btw I would recommend to search for PrivateKeyBC and not PrivateKeyFile if this was that case.

BloodDolly Can you help us please 
 
i get this message:

 

 

*** You can load data file manually by clicking on Load data file button. ***
*** You can decode Tesla's request by clicking on Decode request button ***
*** You can set decryption key by clicking on Set key button ***

 

Check PM






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users