TeslaCrypt ransomware changes its name to Alpha Crypt

I also found a file called "guvpahh.exe" in my msconfig -> startup which i didnt recognized before

 

I also found a file called "guvpahh.exe" in my msconfig -> startup which i didnt recognized before

Do you still have this file? If so, you could upload it on BleepingComputer so the Security Experts here could take a look at it.

http://www.bleepingcomputer.com/submit-malware.php?channel=3

 

unfortunately, i deleted the file, but was able to restore it with the program "restoration", but it looks like its not complete. i have uploaded the file, but maybe others should have a look in "windows -> system32" to find it there (or try searching it).

Edited by Fleeps, 14 May 2015 - 09:43 AM.

I'm pretty sure I have a copy of the original .exe that encrypted all the files.

I will check this out when I get home from work, fingers crossed...
Any admin verified yet?

hi
i use it ,but dont work and give me this report:
 
((Loading data file from >> C:\Users\farhad\AppData\Roaming\key.dat
Data file version 3 recognized.
ERROR - Decryption key is not present in data file.
Unfortunatelly this tool can't recover decryption key. :-(  ))
 
 

Hello Aura,

Do you know if the file that BloodDolly is offering, has been reserched to be valid?

I am running scared since all the damage that the virus has caused. I would not like to introduce some other unwanted trojan or virus.

Thank you to the whole team.

BloodDolly's file is safe, whether it will work for you is another question.  I am currently testing this file with my infected computer. 

Edited by spidertip, 14 May 2015 - 12:58 PM.

Hello Aura,

Thanks for the info.

And also Thanks to BloodDolly. I unfortunately was unsuccessful. It could not recover the encryption code.

Thanks again and hope there will be other variants to crack it.

All my thumbs up for - 

It worked for me. I had to load the data.key file and select the folder to decrypt.  It asks if you want delete the original file after it cryption, choose yes because mine is copy of a copy.

Here is what I did:

1) Clicked Load data file -> Choose data.key

2) Clicked Decrypt Folder and selected a folder

It took about 1/2 hour for 34gb of data.  

I was infected May 1, with .ezz extension version. 

Got all my files back now.  Can't thank enough 

 

Ok Great. Thanks for your help guys. Hoping soon!

You can try to use my tool. Here is the link: http://www.dropbox.com/s/abcziurxly2380e/TeslaDecoder.zip?dl=0
It works only when decryption key is still present in data file (key.dat, storage.bin) or windows registry entries. Supported extensions are .ecc, .ezz, .exx.

 

Is there a way to use your tool with the RECOVERY_FILE.txt file?  I do not have the key.dat or storage.bin files.  The encrypted files in question have the .exx extension. The RECOVERY_FILE.txt contains the bitcoin address and two other strings 64 and 128 characters long.

Edited by gsmalleus, 14 May 2015 - 04:24 PM.

Is there a way to use your tool with the RECOVERY_FILE.txt file?  I do not have the key.dat or storage.bin files.  The encrypted files in question have the .exx extension. The RECOVERY_FILE.txt contains the bitcoin address and two other strings 64 and 128 characters long.

 

I am sorry, but it is not possible now. But I hope one day when those guys hidding behind Tesla/Alpha Crypt will be arrested it will be possible. You can only keep this file with your encrypted files stored somewhere for now.

BloodDolly - You are a legend! I cannot thank you enough! All files retrieved using your decrypter tool - i had the alphacrypt malware.  One day, justice will catch up with those behind these evil deeds! 

Thanks again

Hi guys

Is there new news??

my life stopped.............

Thank you very very much BloodDolly. Exam revision can recommence..