

TeslaCrypt ransomware changes its name to Alpha Crypt


96 replies to this topic

#76 buto (Members, 4 posts)

Posted 15 May 2015 - 10:55 AM

Hello everybody,

Today a friend of mine called me to help him. After I'd googled a bit, I found tesladecrypt provided by Cisco. Unfortunately it didn't work for me. Here is my situation:
a) Files have the endings "*.ezz.exx"
b) Renaming and trying to decrypt with tesla didn't work.
c) I have the key.dat, from which the master keys can be extracted.
d) Later on I'll check whether there is a storage.bin.

If I can provide any files or information that leads to a solution, then please contact me. I just copied all necessary files to another system. The infected one still has the malware on it.

I assume that my friend got encrypted with AlphaCrypt (because of .ezz), but I wonder why it's ".ezz.exx"?

Hope you guys will find a way to decrypt those files.

Thank you!


Edited by buto, 15 May 2015 - 10:55 AM.




#77 Aura (Bleepin' Special Ops, Malware Response Team, 19,709 posts)

Posted 15 May 2015 - 10:59 AM

It seems like the files were encrypted twice, once with TeslaCrypt, and the other with Alpha Crypt. If that's the case, decrypting them will be even harder, maybe impossible.



#78 mehrdad63 (Members, 9 posts)

Posted 15 May 2015 - 12:07 PM

Hi mehrdad63 :)

Except for BloodDolly's decrypter and Cisco's Talos Group decrypter for TeslaCrypt (and not AlphaCrypt), there's no news so far. As soon as there is an update, Grinler will post about it.

Thanks Aura :rolleyes:

All my files end in .EZZ. Is this TeslaCrypt or AlphaCrypt?

Thank you



#79 Aura (Bleepin' Special Ops, Malware Response Team, 19,709 posts)

Posted 15 May 2015 - 12:11 PM

Alpha Crypt is the one which changes the file extension to .ezz.



#80 dinoman (Members, 2 posts)

Posted 15 May 2015 - 12:11 PM

The files on my PC ended in .EZZ. The Cisco TeslaCrypt remover had no effect on them, but BloodDolly's file cleaned them up.



#81 Aura (Bleepin' Special Ops, Malware Response Team, 19,709 posts)

Posted 15 May 2015 - 12:19 PM

It's not possible to use the TeslaDecrypter by CISCO's Talos Group to decrypt files encrypted with Alpha Crypt. It's clearly indicated in the TeslaCrypt and Alpha Crypt FAQ.
 

The good news is that if you are infected with TeslaCrypt (.ECC file extensions only) then it may be possible to decrypt your files for free. On April 27, 2015 the Cisco Talos Group posted an analysis of the TeslaCrypt ransomware along with a tool that may allow you to decrypt your files for free. The tool relies on certain information being stored in the %AppData%\key.dat file. If the tool is able to extract your key from the key.dat file, it will prompt you to decrypt your data. Unfortunately, the decryption key is sometimes stripped from this file making decryption not possible. The developer hopes to be able to use other methods in the future to retrieve the decryption key. Unfortunately, this method does not work for files encrypted with a .EXX extension.


Edited by Aura., 15 May 2015 - 12:19 PM.



#82 mehrdad63 (Members, 9 posts)

Posted 15 May 2015 - 12:24 PM

The files on my PC ended in .EZZ. The Cisco TeslaCrypt remover had no effect on them, but BloodDolly's file cleaned them up.

Hi dinoman

The files on my PC ended in .EZZ too.

BloodDolly's file gives me this message:

Loading data file from >> C:\Users\farhad\AppData\Roaming\key.dat
Data file version 3 recognized.
ERROR - Decryption key is not present in data file.
Unfortunatelly this tool can't recover decryption key. :-(

I hope it gets solved. :mellow:



#83 mk1988 (Members, 1 post)

Posted 16 May 2015 - 09:35 AM

Hi to all, I'm new...

I'm confused. :mellow:

I have two hard drives infected with AlphaCrypt and all files are encrypted and renamed to *.ezz.

I tried the new tool but the message is:

Loading data file from >>key.dat
Data file version 4 recognized.
ERROR - Decryption key is not present in data file.
Unfortunatelly this tool can't recover decryption key. :-(

If I open the TESLADECRYPTER, on the contrary, the master key is recognized correctly in the key.dat.

Why?? :unsure:



#84 BloodDolly (Security Colleague, 526 posts, Slovakia)

Posted 16 May 2015 - 09:48 AM

Hi to all, I'm new...

I'm confused. :mellow:

I have two hard drives infected with AlphaCrypt and all files are encrypted and renamed to *.ezz.

I tried the new tool but the message is:

Loading data file from >>key.dat
Data file version 4 recognized.
ERROR - Decryption key is not present in data file.
Unfortunatelly this tool can't recover decryption key. :-(

If I open the TESLADECRYPTER, on the contrary, the master key is recognized correctly in the key.dat.

Why?? :unsure:

Tesladecrypt from Talos doesn't verify whether the 32B number it finds at one of two offsets (0x177 and 0x1DB) is the key or random data. That is the reason why it shows you that Tesladecrypt found the master key, but it found only random data. My tool always verifies the key it found against the bitcoin address.
In your case the key was overwritten with random data because the encryption of all your files finished. Unfortunately there is no way to help you, and you just have to wait for another solution.
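The distinction BloodDolly draws here, between reading 32 bytes at a fixed offset and checking that those bytes are actually a key, is worth seeing in code. The block below is an added example written for this thread; it is not TeslaDecoder's or the Talos tool's code and it does not parse a real key.dat. Its assumptions are labelled: the candidate slots are at offsets 0x177 and 0x1DB as stated above, the file layout, sample key and filler bytes are all constructed, and the check is made against the 64-byte uncompressed secp256k1 public key rather than the Bitcoin address itself (deriving an address from a private key starts with exactly this public-key computation and then hashes and Base58-encodes it; those last steps are left out). Whether the 64-byte line of the recovery file posted later in this thread is that public key is also an assumption of this example.

```python
"""Verified vs. unverified extraction of a 32-byte master-key candidate.

Added example for this thread; not code from TeslaDecoder or the Talos tool.
Assumptions (labelled): a 32-byte candidate sits at offset 0x177 or 0x1DB of
the data file (the offsets named in the thread); the value to check against is
the 64-byte uncompressed secp256k1 public key of that private key (a Bitcoin-
address check starts with the same derivation; hashing and Base58 are omitted).
The file layout, the sample key and the filler bytes are all constructed.
"""
import hashlib

# secp256k1 domain parameters (public constants).
P = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_FFFFFC2F
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
GX = 0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798
GY = 0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8

CANDIDATE_OFFSETS = (0x177, 0x1DB)  # offsets named in the thread (assumed 32-byte slots)
KEY_LEN = 32

# Constructed stand-in for "random data" written over a key slot once encryption finished.
FILLER = hashlib.sha256(b"constructed filler, not real key material").digest()


def on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + 7 over the secp256k1 field."""
    return (y * y - (x * x * x + 7)) % P == 0


def _ec_add(p1, p2):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P  # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point=(GX, GY)):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = _ec_add(result, point)
        point = _ec_add(point, point)
        k >>= 1
    return result


def public_key_bytes(priv):
    """Uncompressed public key (X || Y, 64 bytes) for a 32-byte private scalar."""
    x, y = ec_mul(int.from_bytes(priv, "big"))
    return x.to_bytes(32, "big") + y.to_bytes(32, "big")


def unverified_extract(data):
    """What the thread describes for the Talos tool: first non-empty 32-byte slot, no check."""
    for off in CANDIDATE_OFFSETS:
        cand = data[off:off + KEY_LEN]
        if len(cand) == KEY_LEN and any(cand):
            return cand
    return None


def verified_extract(data, expected_pub):
    """Accept a slot only if it is a valid scalar whose public key matches the expected one."""
    for off in CANDIDATE_OFFSETS:
        cand = data[off:off + KEY_LEN]
        if len(cand) != KEY_LEN:
            continue
        k = int.from_bytes(cand, "big")
        if not 0 < k < N:
            continue  # not a usable private scalar at all
        if public_key_bytes(cand) == expected_pub:
            return cand
    return None


def build_data_file(slot_contents, offset=0x177):
    """Constructed key.dat-like blob: 0x200 zero bytes with one 32-byte slot filled."""
    buf = bytearray(0x200)
    buf[offset:offset + KEY_LEN] = slot_contents
    return bytes(buf)


if __name__ == "__main__":
    priv = bytes(range(1, 33))        # constructed private key, not a real one
    pub = public_key_bytes(priv)      # what a recovery record is assumed to carry
    intact = build_data_file(priv)    # encryption still running: key present
    wiped = build_data_file(FILLER)   # encryption finished: slot overwritten
    for name, blob in (("intact", intact), ("wiped", wiped)):
        u = unverified_extract(blob)
        v = verified_extract(blob, pub)
        print(f"{name}: unverified says {'key found' if u else 'nothing'}; "
              f"verified says {'key found' if v else 'key not present'}")
```

On the wiped file the unverified reader still hands back 32 plausible-looking bytes, which is the "master key found" result mk1988 saw from TeslaDecrypt, while the verified reader reports that no key is present, matching TeslaDecoder's message. A decryptor should validate recovered key material this way before reporting success or writing over encrypted files, since random bytes and a real key are indistinguishable by inspection alone.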



#85 Lroy (Members, 1 post)

Posted 17 May 2015 - 12:21 PM

BloodDolly, you have saved a year's worth of work! Many thanks. My backup drive was connected and backing up when I got hit, so only some of that was unencrypted.

Your program often says it is not responding, but it is still working in the background, so if anyone else is using it, just let it work and come back later. So far I have managed to recover everything with no issues.

Best regards from the UK!



#86 guop (Members, 2 posts)

Posted 18 May 2015 - 05:37 AM

Hi to all,

On Friday I was able to decrypt all my network files (.exx) with the tool posted by BloodDolly (thank you!!!).

Today, Monday, I have new encrypted .exx files on my network, but the storage.bin has a new format and the utility posted by BloodDolly can't decrypt the files.

The format of the storage.bin has changed; it doesn't have the bitcoin address at the beginning of the storage.bin...

Can someone help me?

Thank you!!



#87 BloodDolly (Security Colleague, 526 posts, Slovakia)

Posted 18 May 2015 - 05:51 AM

Hi to all,

On Friday I was able to decrypt all my network files (.exx) with the tool posted by BloodDolly (thank you!!!).

Today, Monday, I have new encrypted .exx files on my network, but the storage.bin has a new format and the utility posted by BloodDolly can't decrypt the files.

The format of the storage.bin has changed; it doesn't have the bitcoin address at the beginning of the storage.bin...

Can someone help me?

Thank you!!

What version of my TeslaDecoder did you try? I am updating my tool every time I am able to see a new version of TeslaCrypt. The current version is 0.0.51. The link is the same.
http://www.dropbox.com/s/abcziurxly2380e/TeslaDecoder.zip?dl=0



#88 guop (Members, 2 posts)

Posted 18 May 2015 - 06:29 AM

 

Hi to all,

On Friday I was able to decrypt all my network files (.exx) with the tool posted by BloodDolly (thank you!!!).

Today, Monday, I have new encrypted .exx files on my network, but the storage.bin has a new format and the utility posted by BloodDolly can't decrypt the files.

The format of the storage.bin has changed; it doesn't have the bitcoin address at the beginning of the storage.bin...

Can someone help me?

Thank you!!

What version of my TeslaDecoder did you try? I am updating my tool every time I am able to see a new version of TeslaCrypt. The current version is 0.0.51. The link is the same.
http://www.dropbox.com/s/abcziurxly2380e/TeslaDecoder.zip?dl=0

I used TeslaDecoder 0.0.51 and I also tried version 0.0.45:

Trying to load data file from disk...
ERROR - Data file not found.

*** You can load data file manually by clicking on Load data file button. ***

Loading data file from >> W:\op_virus\storage.bin
Data file version 4 recognized.
ERROR - Decryption key is not present in data file.
Unfortunately this tool can't recover decryption key. :-(

storage.bin format:

kçìd—øçÂCoµàó¦N ¿‚BV_§D"Øj›Ä»K[£    ¤ÝÓIÁ1n²àý¿ž½E²ú”Ê1n²àý¿ž½E²ú”Ê1n²àý¿ž½E²ú”Ê    ÈjˆŒÜA¥`¾þh4…ß2    ÖŒ1XZ¨C=vVŽ‚ôôÈËô$ój—TÿÉëæ¼,€xÐPý—[/r-3on¥¿!‘à{ÔœžÏ6ºC^ùÌÉXÍD±vB™UÂtƒD‹þ&€…€¨ªWOdi7ýÝJ±Sç“Á+ÎÒ(7"1ÒÚo·GîÇÿ«—ôÞWúHëx÷„¤qAúFjL„ö÷RøÔÕ ÏOy÷€‹¤1n²àý¿ž½E²ú”Ê1n²àý¿ž½E²ú”Ê1n²àý¿ž½E²ú”Êô
F”´ö„U"Ÿ~'O¡•˜Å¹R.{½&õ±wÄ·­BðE]û1ïœ#óÕ3@3oßÿäð"Ûä,¤`ž@ÇÖ´u ¸’
¸R|šŠx=Ñ£‘ßö¨¿Ýì~®X¤W]Ú‚ŒRVîØ›qæS–«¤ÊªÐç’_½Éún¡9ؤj?:’HÇTg‘Ÿß~uÁî/òIqÑÃ%É·æ´ÒÊ`§®y·ô¬õȹµÑ5£&Çe¬ü¨A`ÍF
ÒlîÚgäváN+,*ô°*)‹å%¸~/›÷œ¹Uôt'ý
ùM¡M6ÑDDEíakcþ›‘DR¢ªÎ³âè•VŸ!]5|¥1VZ”~òn¹´çSÔ¤»kÓàØû¯q7ÆJ|Ÿ¨ò:Àš‡ÿ‘ÉÃØhBià4AXdÏó¦ï
´zQ
>{ØÚ «-:s´=M«w„̪¸–Gsg®ª™ï9Ä<[X»ÄÃ!÷ÇKJ[Á–W¤Lf|÷ôVÝ#ÄôI̲Ã9Á{æÝløûê|É<ÊLJÄ1Iƒ‘Ë—©ýùù¾W*ê…œ÷%ŽbŠUû{¬º³8˜
 

Recovery file:

1C9h6hMhfmqZzeWkptnUPSVGXfkxBhuxW2
B3357C0A8D903947250E21351EE9BCAC1F42BF43705053516D5643EFA7A89319
4660EB7F58E3380EC215235D8603C00824602285C24D1042699D8210CB638DCE74D440D56A195161951259A6FD994058B0BFDC39A20A4C3EAB40DD0548ADD700
 

Thanks, BloodDolly.



#89 gogolch (Members, 2 posts)

Posted 18 May 2015 - 08:43 AM

Since 14/05 I've been infected by this sh.. malware. I searched many hours on the internet before I found this thread. All my files have the .exx extension and are encrypted, but I have not found any key.dat or storage.bin files on my computer. I searched in the deleted files with Recuva and GetDataBack but I don't find any key file. Is there a way that I can decrypt my data?



#90 quietman7 (Bleepin' Gumshoe, Global Moderator, 65,743 posts, Virginia, USA)

Posted 18 May 2015 - 10:08 PM

TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt





