TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt


2208 replies to this topic

#196 veronemilie

  • Members
  • 9 posts

Posted 03 October 2015 - 01:54 PM

Hi, a friend got the .aaa version of TeslaCrypt. I have his encrypted files backed up (as he OF COURSE didn't have any kind of backup :bang head: ). I have subscribed to this thread and hopefully someone will find a way to decrypt Tesla soon :) Thanks for all your hard work trying to fix this :)





#197 Rhodsey

  • Members
  • 1 posts

Posted 06 October 2015 - 02:33 AM

Hello there.

First post. A little background: I work on a service desk for a company, and back in March we had a user become infected with ransomware. All of his data was encrypted with a .ECC file extension, and a ransom note was added to his desktop wallpaper pointing us towards the Tor browser and a darkweb site to get the key. Obviously this was way back in March, before the virus was analysed and this tool was created, so at the time there wasn't much advice available other than to rebuild the computer and restore from backups. So, as we assumed we had a full backup of his data, we had the machine wiped and rebuilt to clear the virus and then raised a request for his data to be restored from a date prior to the encryption.

Long story short, the backup was recovered but from the incorrect date (when the data was already encrypted) and, thanks to outsourcing, the backup team only keep 60 days' worth of backups, so by the time they restored it and the customer got around to checking it (he travels a lot) any clean data had been overwritten and wasn't retained.

We have a full copy of all the encrypted data but obviously, because the machine was rebuilt, we lost the files the virus will have put on the computer (i.e. no key.dat file), meaning the programs cannot find it to decrypt.

I appreciate it is a long shot but, since this is an early version of the ransomware from March this year, is there any way of decrypting these files if the key.dat file is not available?


Edited by Rhodsey, 06 October 2015 - 02:35 AM.


#198 Tac Ke

  • Members
  • 10 posts
  • Gender:Male
  • Location:Southeast Asia

Posted 19 October 2015 - 09:14 AM

Is there a possibility that a cure solution will come out in the future? (The authorities would find the criminals' servers....)

I know the truth is that it is the user's fault to let the virus into the system and everyone should have backups etc. However, there are some situations where even the backup files got the virus by accident, or the payment takes too long to consider, thus the destruction of the private key.

Even the only tool to decrypt files says "This tool can decrypt files encrypted with Tesla/AlphaCrypt, can be done only when encryption did not finish". Sorry, but how ironic... this is nothing but like we are robbed of the whole laptop.



#199 Hellos

  • Members
  • 4 posts

Posted 23 October 2015 - 02:43 AM

Dear Grinler, 2 days ago my computer was infected with this "thing"; now my computer is encrypted with the .ccc extension, all of my office files are encrypted with that. I wonder if you can help me decrypt it, because I accidentally clicked the Internet Explorer browser and it automatically installed some script on my computer. I will send you the example files.



#200 BloodDolly

  • Security Colleague
  • 483 posts
  • Gender:Male
  • Location:Slovakia

Posted 23 October 2015 - 04:06 AM

Dear Grinler, 2 days ago my computer was infected with this "thing"; now my computer is encrypted with the .ccc extension, all of my office files are encrypted with that. I wonder if you can help me decrypt it, because I accidentally clicked the Internet Explorer browser and it automatically installed some script on my computer. I will send you the example files.

Unfortunately there is no solution for the .ccc variant of TeslaCrypt. This variant can be decrypted only with their private key, apart from your randomly generated and never stored private key.



#201 crisis2k

  • Members
  • 121 posts
  • Gender:Male

Posted 23 October 2015 - 04:13 AM

 

Dear Grinler, 2 days ago my computer was infected with this "thing"; now my computer is encrypted with the .ccc extension, all of my office files are encrypted with that. I wonder if you can help me decrypt it, because I accidentally clicked the Internet Explorer browser and it automatically installed some script on my computer. I will send you the example files.

Unfortunately there is no solution for the .ccc variant of TeslaCrypt. This variant can be decrypted only with their private key, apart from your randomly generated and never stored private key.

Hi BloodDolly, does the .ccc variant never store the private key? How could they encrypt files without a stored private key?


:welcome: My Name is Philip You Can Call Me Phil
Thank You I'll be there anytime you need help :rolleyes:


#202 BloodDolly

  • Security Colleague
  • 483 posts
  • Gender:Male
  • Location:Slovakia

Posted 23 October 2015 - 04:42 AM

 

 

Dear Grinler, 2 days ago my computer was infected with this "thing"; now my computer is encrypted with the .ccc extension, all of my office files are encrypted with that. I wonder if you can help me decrypt it, because I accidentally clicked the Internet Explorer browser and it automatically installed some script on my computer. I will send you the example files.

Unfortunately there is no solution for the .ccc variant of TeslaCrypt. This variant can be decrypted only with their private key, apart from your randomly generated and never stored private key.

Hi BloodDolly, does the .ccc variant never store the private key? How could they encrypt files without a stored private key?

The TeslaCrypt .ccc variant stores only the public key of the SHA256 of the generated private key of the bitcoin address. The private key can be seen only while it is calculated in memory as an OpenSSL BN, so it exists only in allocated memory; you would have to dump the whole process memory space to catch it, and after the SHA256, the public key and the ECDH shared secret with their hardcoded public key are calculated from this number (this information is sent to their server), it is discarded. Files are encrypted with another randomly generated private key, and this key is only available in allocated memory during the encryption process. The file header and recovery_file contain only public keys and ECDH shared secrets with the public key of the SHA256 of the bitcoin address.

So if you want to decrypt your files you need to know their private key, or the private key of your generated bitcoin address, or the SHA256 of this number, or each single private key generated for your files (this can be 1 or more numbers).


Edited by BloodDolly, 23 October 2015 - 04:44 AM.
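The key hierarchy BloodDolly lays out above, as an added example written for this thread. It is not TeslaCrypt's code and not anything from the TeslaDecoder author; it only models what the post states: a random "bitcoin address" private key that lives in memory, its SHA256 used as a second private key whose public key is what gets written to disk, an ECDH shared secret with the operators' hardcoded public key that goes to their server, and a per-file private key that exists only while the file is being encrypted. Three things are assumptions of mine, not statements from the post: the curve is secp256k1 (the post says only "bitcoin address" and "ECDH"), the per-file key is derived as SHA-256 of the x-coordinate of the ECDH point, and the header carries only the per-file public key. The operators' key pair is constructed here so the server side can be shown; a real sample would contain only its public half.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumption: the curve behind Bitcoin addresses).
P_MOD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P_MOD == 0:
        return None
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P_MOD)
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P_MOD)
    lam %= P_MOD
    x = (lam * lam - p[0] - q[0]) % P_MOD
    y = (lam * (p[0] - x) - p[1]) % P_MOD
    return (x, y)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; fine for a model)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def pubkey(priv):
    return ec_mul(priv, G)


def ecdh(priv, other_pub):
    """Shared secret as the x-coordinate of priv * other_pub."""
    return ec_mul(priv, other_pub)[0]


def sha256_int(n):
    return int.from_bytes(hashlib.sha256(n.to_bytes(32, "big")).digest(), "big")


def random_priv():
    return 1 + secrets.randbelow(N_ORDER - 1)


# Constructed stand-in for the operators' key pair; only the public half is hardcoded in malware.
ATTACKER_PRIV = random_priv()
ATTACKER_PUB = pubkey(ATTACKER_PRIV)


def infect():
    """Once per victim. Returns what is persisted/sent and, separately, the memory-only values."""
    btc_priv = random_priv()                    # "private key of bitcoin address", memory only
    sess_priv = sha256_int(btc_priv) % N_ORDER  # SHA256 of it, also memory only
    sess_pub = pubkey(sess_priv)                # the only thing about it written to disk
    to_server = ecdh(sess_priv, ATTACKER_PUB)   # shared secret sent to their server
    persisted = {"sess_pub": sess_pub, "to_server": to_server}
    memory_only = {"btc_priv": btc_priv, "sess_priv": sess_priv}
    return persisted, memory_only


def encrypt_file(sess_pub):
    """Per file: a fresh private key that exists only while this file is encrypted."""
    file_priv = random_priv()
    file_pub = pubkey(file_priv)
    file_key = sha256_int(ecdh(file_priv, sess_pub))  # assumption: KDF is SHA-256 of shared x
    header = {"file_pub": file_pub}             # header holds a public key only; file_priv is dropped
    return header, file_key


def recover_file_key(header, sess_priv):
    """Whoever holds sess_priv recomputes the same ECDH point from the header's public key."""
    return sha256_int(ecdh(sess_priv, header["file_pub"]))


def recover_file_key_from_btc(header, btc_priv):
    """The bitcoin-address private key works too, via its SHA256."""
    return recover_file_key(header, sha256_int(btc_priv) % N_ORDER)


def server_side_shared(persisted):
    """The operators' view: their private key against the victim's session public key."""
    return ecdh(ATTACKER_PRIV, persisted["sess_pub"])


def demo():
    """Which secrets open a file in this model, and which do not."""
    persisted, memory_only = infect()
    header, true_key = encrypt_file(persisted["sess_pub"])
    return {
        "with_sess_priv": recover_file_key(header, memory_only["sess_priv"]) == true_key,
        "with_btc_priv": recover_file_key_from_btc(header, memory_only["btc_priv"]) == true_key,
        "server_matches": server_side_shared(persisted) == persisted["to_server"],
        "with_wrong_key": recover_file_key(header, random_priv()) == true_key,
    }
```

Running demo() shows the point of the post: the session private key, or the bitcoin-address private key it is hashed from, reproduces every per-file key from nothing but the public key in the header, the operators can reproduce the value that was sent to their server from their own private key, and a guessed key reproduces nothing. Everything that would help is exactly what is either never written to disk or held only by the operators.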


#203 crisis2k

  • Members
  • 121 posts
  • Gender:Male

Posted 23 October 2015 - 05:05 AM

SHA256 is one of the hash algorithms that I know of, but I also know it is useless for decrypting something in these circumstances.

I always thank you for the brilliant achievements you have already made.

This is such sad news for me and for others, but I always thank you, and I won't give up.




#204 dkn193

  • Members
  • 1 posts

Posted 30 October 2015 - 05:47 AM

Link is dead, please reupload TeslaDecoder.

Thanks



#205 BloodDolly

  • Security Colleague
  • 483 posts
  • Gender:Male
  • Location:Slovakia

Posted 30 October 2015 - 10:08 AM

Link is dead, please reupload TeslaDecoder.

Thanks

According to Dropbox, it generated too much traffic and they temporarily disabled all my shares. :-/



#206 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,702 posts

Posted 30 October 2015 - 10:10 AM

Since TeslaDecoder is recognized by BleepingComputer, wouldn't it be possible to ask Grinler to host it? Or do you update it way too often for that?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#207 Isgratte

  • Members
  • 1 posts

Posted 30 October 2015 - 06:54 PM

Hello, I would like to download the tool to see if it isn't too late for my nephew's PC, but the link doesn't seem to work anymore.

Thanks

Sorry, didn't notice the latest few posts and don't know how to delete my post.


Edited by Isgratte, 30 October 2015 - 07:00 PM.


#208 BloodDolly

  • Security Colleague
  • 483 posts
  • Gender:Male
  • Location:Slovakia

Posted 01 November 2015 - 06:49 PM

Thanks to Grinler, TeslaDecoder is hosted by BleepingComputer. :-)

Link to download the latest version of TeslaDecoder:
http://download.bleepingcomputer.com/BloodDolly/TeslaDecoder.zip
 



#209 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 54,674 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 November 2015 - 07:16 PM

Grinler also updated the first page of this discussion topic with the changelog and download links. :thumbup2:
Windows Insider MVP 2017-2019
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#210 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,702 posts

Posted 01 November 2015 - 07:38 PM

Thanks to Grinler, TeslaDecoder is hosted by BleepingComputer. :-)

Link to download the latest version of TeslaDecoder:
http://download.bleepingcomputer.com/BloodDolly/TeslaDecoder.zip


This will make it much easier for the users to download the latest version of your tool and run it, good job :)





