
New TeslaCrypt Ransomware sets its scope on video gamers


263 replies to this topic

#61 jpwowee

jpwowee

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:56 AM

Posted 10 April 2015 - 03:19 PM

The encrypted files themselves aren't a threat, no. They do not hold the malicious encrypting executable in them and won't trigger an encryption if you execute them.


Ok, thanks for confirming!

#62 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:56 PM

Posted 10 April 2015 - 03:23 PM

No problem :) If you want, you can read the FAQs for the other cryptowares such as CryptoLocker, CryptoWall, CryptoDefence, etc. While there are differences between them, the concept stays pretty much the same.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#63 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,492 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:56 PM

Posted 10 April 2015 - 03:52 PM

The first page of this topic explains the major differences between TeslaCrypt and other ransomware variants.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#64 modctek

modctek

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:56 PM

Posted 13 April 2015 - 02:57 PM

We had a client get this on her computer 3 days ago. We have dealt with CryptoLocker and CryptoWall. We have been fairly successful using backups from shadow copies and Backup Exec. This last client got TeslaCrypt on an administrator's computer, and she logged into her computer with her domain admin rights. This gave the virus full access to all shares and all shadow copies. Backup Exec has been failing since December. The client has now lost all of their documents from this year. Two questions: 1. Has anyone been able to successfully decrypt these .ecc files? 2. Has anyone successfully paid the ransom?

We paid the ransom. Got the decrypter, but it did not work. I wouldn't recommend it at this point, as I've yet to read about anyone with this particular variant getting their files back after paying the ransom.



#65 TomCrick

TomCrick

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:56 PM

Posted 17 April 2015 - 09:06 AM

Having been infected with TeslaCrypt, I am extremely hopeful that Fabian (who discovered this ransomware variant in the first place) can do his magic and break this one as he has so successfully done for CryptoLocker. I and many others would be eternally grateful if he could help us recover our encrypted files.

Yours hopefully,

Tom


#66 ache

ache

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 18 April 2015 - 03:25 PM

I also have a 232 bytes big RECOVERY_KEY.txt file with hex characters across 3 lines. I will happily share it along with some encrypted file(s) if it could help decrypt them or find a private key for everyone.



#67 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:56 PM

Posted 18 April 2015 - 03:30 PM

This isn't how it works, ache. Usually, a private key is unique, which means that it can only be used once and isn't re-used after. If there was a "master private key", it would be one big flaw in TeslaCrypt, and I doubt the author would do something like that. Here is a bit of reading if what I explained wasn't too clear; cryptography isn't my speciality, I just know the basics :P

https://en.wikipedia.org/wiki/Public-key_cryptography



#68 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,492 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:56 PM

Posted 18 April 2015 - 04:08 PM

I also have a 232 bytes big RECOVERY_KEY.txt file with hex characters across 3 lines. I will happily share it along with some encrypted file(s) if it could help decrypt them or find a private key for everyone.

At this time there is no fix tool and no way to decrypt the files.

#69 ache

ache

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:56 AM

Posted 18 April 2015 - 04:49 PM

Anyway, has any RECOVERY_KEY.txt file been analysed, or are you ignoring such findings? Perhaps at least it would allow decrypting the files of users who have such a file?


Edited by ache, 18 April 2015 - 04:49 PM.


#70 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,492 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:56 PM

Posted 18 April 2015 - 04:57 PM

RECOVERY_KEY.txt is a known file left by TeslaCrypt. HELP_TO_DECRYPT_YOUR_FILES.txt, HELP_TO_DECRYPT_YOUR_FILES.bmp are other known files.
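The two practical points made in this thread so far are that the encrypted .ecc files do not themselves contain the malicious executable (post #61) and that the infection leaves known note files behind, RECOVERY_KEY.txt, HELP_TO_DECRYPT_YOUR_FILES.txt and HELP_TO_DECRYPT_YOUR_FILES.bmp (post #70), plus HELP_RESTORE_FILES.txt mentioned later in the thread. The following triage script is an added example, not code from this thread or from any TeslaCrypt tool: it walks a directory tree, lists those note files, measures the entropy of each .ecc file to confirm it really is ciphertext, and checks whether any .ecc file actually starts with an MZ (PE) header and so is an executable rather than encrypted data. The sample tree it builds is constructed for the demonstration; the 64 KiB sample size and the 7.5 bits/byte entropy threshold are assumptions, not figures from the thread.

```python
"""Triage helper for a TeslaCrypt-style incident (added example).

Not code from the BleepingComputer thread or from any TeslaCrypt tooling.
Note filenames come from the thread; the entropy threshold, sample size and
the sample directory tree are assumptions constructed for the demo.
"""
import math
import os
import tempfile
from collections import Counter

# Ransom-note filenames named in the thread.
RANSOM_NOTES = {
    "RECOVERY_KEY.txt",
    "HELP_TO_DECRYPT_YOUR_FILES.txt",
    "HELP_TO_DECRYPT_YOUR_FILES.bmp",
    "HELP_RESTORE_FILES.txt",
}
ENCRYPTED_EXT = ".ecc"
SAMPLE_BYTES = 64 * 1024   # assumption: enough bytes to judge entropy
HIGH_ENTROPY = 7.5         # assumption: bits/byte; real ciphertext is ~8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(root: str) -> dict:
    """Walk `root` and summarise TeslaCrypt indicators.

    Returns a dict with:
      notes       -> sorted ransom-note paths
      encrypted   -> {path: entropy} for every *.ecc file
      low_entropy -> .ecc paths whose sample is NOT high-entropy (suspicious:
                     renamed but not encrypted, or partially written)
      pe_headers  -> .ecc paths that start with b"MZ" (an executable, not data)
      dirs_hit    -> number of directories holding at least one .ecc file
    """
    notes, encrypted, low_entropy, pe_headers = [], {}, [], []
    dirs_hit = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                notes.append(path)
                continue
            if name.lower().endswith(ENCRYPTED_EXT):
                dirs_hit.add(dirpath)
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
                ent = shannon_entropy(sample)
                encrypted[path] = ent
                if ent < HIGH_ENTROPY:
                    low_entropy.append(path)
                if sample[:2] == b"MZ":
                    pe_headers.append(path)
    return {
        "notes": sorted(notes),
        "encrypted": encrypted,
        "low_entropy": sorted(low_entropy),
        "pe_headers": sorted(pe_headers),
        "dirs_hit": len(dirs_hit),
    }


def build_sample_tree() -> str:
    """Create a constructed victim directory (no real malware output)."""
    root = tempfile.mkdtemp(prefix="teslacrypt_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Stand-in ciphertext: os.urandom plays the role of the encrypted document.
    with open(os.path.join(docs, "thesis.docx.ecc"), "wb") as fh:
        fh.write(os.urandom(4096))
    # A file merely renamed to .ecc; plain text, so low entropy.
    with open(os.path.join(docs, "notes.txt.ecc"), "wb") as fh:
        fh.write(b"not actually encrypted " * 200)
    # A PE image hiding under the .ecc extension; triage must flag it.
    with open(os.path.join(root, "dropper.ecc"), "wb") as fh:
        fh.write(b"MZ" + os.urandom(2000))
    for note in ("HELP_RESTORE_FILES.txt", "RECOVERY_KEY.txt"):
        with open(os.path.join(docs, note), "w") as fh:
            fh.write("constructed placeholder note\n")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(f"ransom notes        : {len(report['notes'])}")
    print(f".ecc files          : {len(report['encrypted'])}")
    print(f"directories hit     : {report['dirs_hit']}")
    print(f"low-entropy .ecc    : {report['low_entropy']}")
    print(f".ecc with PE header : {report['pe_headers']}")
```

Run it against a copy of the affected volume (or a mounted image, never the live machine with the dropper still running) and keep the output with the case notes: the note paths and per-directory counts show the blast radius, the low-entropy list tells you which .ecc files may not actually have been encrypted, and any hit in the PE-header list is a sample worth submitting rather than a document to recover.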

#71 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:56 PM

Posted 18 April 2015 - 05:08 PM

BleepingComputer is making the news once again :)

https://threatpost.com/ransomware-teslacrypt-still-targeting-gamers/112304



#72 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:56 PM

Posted 19 April 2015 - 04:32 PM

If you are affected by TeslaCrypt, please do not pay the ransom. I am hoping for a solution in the near future. Unfortunately, I am not at liberty to say anything else at this moment. I repeat ... do not pay the ransom.

#73 Callaway1027

Callaway1027

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 20 April 2015 - 11:12 AM

Hey grin, my mother recently got this on her computer, and after searching through CryptoLocker threads I finally found this. It is the exact thing she has, and all of her files are, well, clearly encrypted. I have removed the virus/ransomware manually and proceeded to let Malwarebytes do its thing. Other than the annoying "HELP_RESTORE_FILES.txt" being in every folder (which I'm going to remove with a dupeout program), the rest of the virus is completely gone. Problem is, you guessed it... nothing I try will decrypt her files. Currently I updated her antivirus, added the Malwarebytes pro version, and added ASC 8.1 pro on there to help keep her protected. Please, if you find anything out on how to get hold of a decryption key, it would be greatly appreciated.



#74 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:56 PM

Posted 20 April 2015 - 11:54 AM

Hi Callaway1027 :)

I'm just going to recommend that you uninstall Advanced SystemCare, since it's not a viable solution to protect a system.

IObit Software Warning!
I noticed that you have programs from IObit installed on your system. IObit have been accused in the past of using shady techniques in order to promote and enhance their products, one of which was to steal Malwarebytes' definition database to include it in their "Antimalware", IObit Malware Fighter. On top of that, their main product, Advanced SystemCare, goes into the "PC Booster" category of programs, which are useless programs since there is no proof or fact that these actually boost the performance of a system, and they are borderline "scamware". In fact, these programs have a tendency to cause a variety of issues under Windows that can be solved by uninstalling the software; ironic, isn't it? Most of their features can be replaced by using other programs, often utilities that require no installation or that are already "built-in" inside Windows. Therefore, I strongly suggest you uninstall every IObit program you have installed on your system before we continue. You are free to reinstall them after I'm done assisting you if you wish to ignore my warning above.

Relevant articles:

PC Booster/Tune-Up Program Warning!
"PC Booster/Tune Up" programs are among the worst programs you can install on a system. When it comes to messing up your system (Windows), these are as bad as malware. They are completely worthless and useless to use. The worst is that they'll often take action on your system without you knowing or authorizing it, which could lead to your system being altered in a way you don't want it to be, or even worse, a "broken" system. Every feature they provide, you can either do natively under Windows, do via another standalone executable (which is way easier and safer to use), or they aren't providing something you need. Here are a few examples:
  • Cleaning temporary files: TFC (standalone executable), CCleaner (installed), Cleanmgr.exe (in-built);
  • Managing start-up entries: Autoruns (standalone executable), CCleaner (installed), Task Manager and Registry (in-built);
  • Driver Updater: Not needed; all you need is to go to your manufacturer's website so you'll be sure to get the right, official, working drivers for your computer or hardware;
  • Registry Cleaner/Defragger: Completely useless and also dangerous;
  • Disk Defragging: Disk Defrag (in-built), O&O Disk Defrag (installed), Defraggler (installed);
  • Powerful uninstaller: Not needed; only needed when you have to make sure a program is completely uninstalled. Revo Uninstaller has a portable version you can use;
  • "Enhanced" Task Manager: Procexp (standalone executable), Process Hacker (portable or installed);
  • "Active security": Any Antivirus and Antimalware can beat that, easily. These programs aren't made to replace Antivirus or Antimalware products and shouldn't be seen as such;
  • Repair Hard Drive issues: Simple chkdsk /r command under Windows (in-built);
Having such a program installed on your system will just bloat it down, and you have more chance of having issues by using them than without. These products are advertised as a program that can solve all your issues, remove every malware, speed up your computer performance over 100%, etc. The truth is that there's not a single program that can do that. First of all, these programs aren't made to remove viruses and malware; leave this in the hands of Antivirus and Antimalware, period. Secondly, there are so many kinds of issues under Windows that there's not a single program that can address them all. If you think that BSOD (Blue Screen of Death) issues can be solved by opening a program and clicking on a "Fix" button, then I'm sorry to tell you, but you're wrong. Also, you cannot boost the performance of hardware over its hardware capabilities. Of course you can overclock some components, like your CPU, RAM and GPU, but these aren't done via these programs, but via your BIOS interface. I could recommend you a program for every feature these programs advertise, and also tell you exactly in detail why most of them are completely useless, such as Registry cleaners (dangerous to use) and driver updaters (dangerous to use, and also completely useless; they'll not improve your system performance). In the end, buying such programs is the exact same as being scammed (because this is what it is, a pure scam), and using one of these programs will leave you with a system less performant than prior to using it.

Relevant articles if you want to read more about PC Boosters/Optimizers and why they are useless:

If you want to protect your mother's computer, I strongly suggest you install a good Antivirus program (it's a must), and if you want to prevent this situation from happening again, you can always install a program against Cryptoware, like:



#75 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,492 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:56 PM

Posted 20 April 2015 - 01:42 PM

... Please if you find anything out on how to get ahold of a decryption key it would be greatly appreciated.

If you have subscribed to this topic...then you will receive email notifications of all new replies, including updates by Grinler.



