New TeslaCrypt Ransomware sets its scope on video gamers


263 replies to this topic

#226 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 65,548 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 May 2015 - 05:06 AM

It seems that TeslaCrypt has deleted the key.


It worked, storage.bin was decrypted and checked, but unfortunately your decryption key was already destroyed by TeslaCrypt. TeslaCrypt destroys the decryption key once all of your files have been encrypted. When this happens I can't recover your decryption key from the data file without the TeslaCrypt writer's private key.
When the decryption key can't be recovered I recommend backing up all your encrypted files, the data file (key.dat or storage.bin) and recovery_key.txt or recovery_file.txt, and waiting for another solution.

http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/?p=3710250





#227 mehrdad63

  • Members
  • 9 posts

Posted 19 May 2015 - 05:31 AM

Does not work for me, and:

 

Loading data file from >> C:\Users\farhad\AppData\Roaming\key.dat
Data file version 3 recognized.
ERROR - Decryption key is not present in data file.
Decryption key was destroyed by TeslaCrypt.
Unfortunately this tool can't recover decryption key. :-(

:(  :(  :(  :(  :(  :(  :(  :(  :(  :(


Edited by mehrdad63, 19 May 2015 - 05:32 AM.


#228 buto

  • Members
  • 4 posts

Posted 19 May 2015 - 10:11 AM

The TeslaDecoder provided by BloodDolly is infected with a virus (or, to be specific, with malware). So be careful using stuff from people who have only 32 posts in total :-).

 

 'C:\Users\xxx\Desktop\TeslaDecoder\TeslaDecoder.exe' : 'HEUR/APC (Cloud)' [HEUR/APC]

Edited by buto, 19 May 2015 - 10:14 AM.


#229 BloodDolly

  • Security Colleague
  • 526 posts
  • Gender:Male
  • Location:Slovakia

Posted 19 May 2015 - 10:15 AM

 

The TeslaDecoder provided by BloodDolly is infected with a virus (or, to be specific, with malware). So be careful using stuff from people who have only 32 posts in total :-).

 

 'C:\Users\xxx\Desktop\TeslaDecoder\TeslaDecoder.exe' : 'HEUR/APC (Cloud)' [HEUR/APC]

 

Go trolling somewhere else or give me proof.


Edited by BloodDolly, 19 May 2015 - 10:15 AM.


#230 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,709 posts
  • Gender:Male

Posted 19 May 2015 - 10:18 AM

The TeslaDecoder provided by BloodDolly is infected with a virus (or, to be specific, with malware). So be careful using stuff from people who have only 32 posts in total :-).
 
 'C:\Users\xxx\Desktop\TeslaDecoder\TeslaDecoder.exe' : 'HEUR/APC (Cloud)' [HEUR/APC]


buto, can you tell us which Antivirus/Antimalware gave you this detection on BloodDolly's executable? It's most likely a false positive.



#231 buto

  • Members
  • 4 posts

Posted 19 May 2015 - 10:20 AM

 

The TeslaDecoder provided by BloodDolly is infected with a virus (or, to be specific, with malware). So be careful using stuff from people who have only 32 posts in total :-).
 
 'C:\Users\xxx\Desktop\TeslaDecoder\TeslaDecoder.exe' : 'HEUR/APC (Cloud)' [HEUR/APC]


buto, can you tell us which Antivirus/Antimalware gave you this detection on BloodDolly's executable? It's most likely a false positive.

 

http://www.avira.com/de/support-threats-description/tid/7815/tlang/en



#232 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 45,381 posts
  • Gender:Male
  • Location:USA

Posted 19 May 2015 - 10:21 AM

The TeslaDecoder provided by BloodDolly is infected with a virus (or, to be specific, with malware). So be careful using stuff from people who have only 32 posts in total :-).
 
 'C:\Users\xxx\Desktop\TeslaDecoder\TeslaDecoder.exe' : 'HEUR/APC (Cloud)' [HEUR/APC]


I tested this program before allowing it to remain posted. Do you think I would have created a news article and allowed it to be used if it was a computer infection?

The program is safe to use.

#233 bappy

  • Members
  • 1 posts

Posted 19 May 2015 - 10:21 AM

Hats off to BloodDolly. After some careful research, I was able to d/l and use the TeslaDecoder, located and pointed it to the decryption key, and was able to decrypt several thousand files that were previously encrypted and unusable.

 

I am so impressed, and I suppose a little lucky!!

 

Thanks again.

 

If you need details, please let me know.



#234 buto

  • Members
  • 4 posts

Posted 19 May 2015 - 10:26 AM

 

The TeslaDecoder provided by BloodDolly is infected with a virus (or, to be specific, with malware). So be careful using stuff from people who have only 32 posts in total :-).
 
 'C:\Users\xxx\Desktop\TeslaDecoder\TeslaDecoder.exe' : 'HEUR/APC (Cloud)' [HEUR/APC]


I tested this program before allowing it to remain posted. Do you think I would have created a news article and allowed it to be used if it was a computer infection?

The program is safe to use.

 

So why does his software have malware characteristics and the TeslaDecrypter not? They should do the same job. And he's able to change the content of the zip as he wants. Maybe you've checked the first version, without any malware.

Because the first version has no malware characteristics... I checked it.


Edited by buto, 19 May 2015 - 10:30 AM.


#235 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 45,381 posts
  • Gender:Male
  • Location:USA

Posted 19 May 2015 - 10:35 AM

So why does his software have malware characteristics and the TeslaDecrypter not? They should do the same job. And he's able to change the content of the zip as he wants. Maybe you've checked the first version, without any malware.


I tested the latest version yesterday. No issues.

Heuristics can be finicky and commonly cause false positives. It could be something as simple as a decryption routine that mimics the one from the TeslaCrypt client that is causing this.
 

Because the first version has no malware characteristics... I checked it.


And what are these malware characteristics? Other than the scan results, which are not always trustworthy.

#236 BloodDolly

  • Security Colleague
  • 526 posts
  • Gender:Male
  • Location:Slovakia

Posted 19 May 2015 - 10:37 AM

 

 

The TeslaDecoder provided by BloodDolly is infected with a virus (or, to be specific, with malware). So be careful using stuff from people who have only 32 posts in total :-).
 
 'C:\Users\xxx\Desktop\TeslaDecoder\TeslaDecoder.exe' : 'HEUR/APC (Cloud)' [HEUR/APC]


I tested this program before allowing it to remain posted. Do you think I would have created a news article and allowed it to be used if it was a computer infection?

The program is safe to use.

 

So why does his software have malware characteristics and the TeslaDecrypter not? They should do the same job. And he's able to change the content of the zip as he wants. Maybe you've checked the first version, without any malware.

Because the first version has no malware characteristics... I checked it.

 

Reverse it and you will see that nothing malicious is there. I am not going to comment on an FP from an antivirus that detected itself in the past.



#237 Grinler

    Lawrence Abrams

  • Topic Starter
  • Admin
  • 45,381 posts
  • Gender:Male
  • Location:USA

Posted 19 May 2015 - 10:39 AM

FPs are gone if they were there.

Clean bill of health from VT:

https://www.virustotal.com/en/file/ffcad7de711c83a1c299fed2df06afa4aab76e86c2122b15ca9f361d1d8ee7cc/analysis/1432049794/
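
A check worth running before executing any decryptor downloaded from a thread like this, written here as an added example (it is not a tool from the original posts or part of BloodDolly's TeslaDecoder): it pulls the SHA-256 out of a VirusTotal file-report URL of the form quoted above and compares it with the hash of the file actually on disk, so a zip whose content changed after the moderator's scan is caught. The URL layout and the hashes used in the comments come from this page; the script name vtcheck.py and the command-line interface are assumptions.

```python
import hashlib
import re
import sys
from urllib.parse import urlparse

# VirusTotal file-report URLs as quoted in this thread look like
#   https://www.virustotal.com/en/file/<sha256>/analysis/<timestamp>/
# The 64-hex-digit path segment is the SHA-256 of the object that was scanned.
_VT_FILE_PATH = re.compile(r"^/(?:[a-z]{2}/)?file/([0-9a-fA-F]{64})(?:/|$)")


def sha256_from_vt_url(url: str) -> str:
    """Return the lowercase SHA-256 embedded in a VirusTotal file-report URL."""
    m = _VT_FILE_PATH.match(urlparse(url).path)
    if not m:
        raise ValueError("not a VirusTotal file-report URL: %r" % url)
    return m.group(1).lower()


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory object (used for small inputs and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large download never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def matches_vt_report(local_sha256: str, vt_url: str) -> bool:
    """True only when the local object is byte-for-byte the one the report describes."""
    return local_sha256.lower() == sha256_from_vt_url(vt_url)


def main(argv):
    # Assumed usage: vtcheck.py <downloaded-file> <virustotal-file-url>
    if len(argv) != 3:
        print("usage: vtcheck.py <downloaded-file> <virustotal-file-url>")
        return 2
    local = sha256_of_file(argv[1])
    if matches_vt_report(local, argv[2]):
        print("OK: local file is the object in the VT report")
        return 0
    print("MISMATCH: local %s vs report %s" % (local, sha256_from_vt_url(argv[2])))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A mismatch does not by itself mean the file is malicious, only that the report being cited is about a different object and proves nothing about the one you hold.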

#238 staar

  • Members
  • 3 posts

Posted 21 May 2015 - 09:46 AM

https://www.virustotal.com/en/file/7079a5f9465d3e91f6c203663804764ee32e8df41f6d39f0f66f40a775123226/analysis/1432219331/

 

Detection ratio: 1 / 57

Tencent Trojan.Win32.Qudamah.Gen.0 20150521

 

Might be a false positive?!

Because it does decrypt the couple of files I've tested so far!!!

 

What do you think?



#239 BloodDolly

  • Security Colleague
  • 526 posts
  • Gender:Male
  • Location:Slovakia

Posted 21 May 2015 - 10:26 AM

https://www.virustotal.com/en/file/7079a5f9465d3e91f6c203663804764ee32e8df41f6d39f0f66f40a775123226/analysis/1432219331/

 

Detection ratio: 1 / 57

Tencent Trojan.Win32.Qudamah.Gen.0 20150521

 

Might be a false positive?!

Because it does decrypt the couple of files I've tested so far!!!

 

What do you think?

FP



#240 DCASS

  • Validating
  • 2 posts

Posted 22 May 2015 - 12:28 PM

I have EXX files on my server, though the server doesn't appear to be infected and the PC that was infected had no server drives mapped.

 

I copied the key that TeslaDecoder was showing when I cleaned the infected PC.

Is there a way to use that to clean the files on the server?

Does TeslaDecoder delete the registry key after cleaning the system?





