TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt


2201 replies to this topic

#676 betacire

  • Members
  • 3 posts

Posted 17 January 2016 - 07:54 AM

Hi all, I have the two cases below (.vvv files). Can anyone help me to get the private key?

 

Case1:

https://www.sendspace.com/file/ce0a5w

 

Case2:

https://www.sendspace.com/file/yqfonu

 

Thanks in advance.

 

Here is the key for decrypting Case2:

77695620DEBC799355654664B0F81847715352A43B0D1B66C4F51A91E27D675D


Edited by betacire, 17 January 2016 - 07:55 AM.




#677 al1963

  • Members
  • 886 posts

Posted 17 January 2016 - 08:29 AM

If an error is left while calculating factors in yafu, "error generating or reading NFS polynomials", can I continue the calculation, or will this calculation not lead to the correct factors?



#678 mcerdem

  • Members
  • 223 posts

Posted 17 January 2016 - 08:30 AM

Hi betacire, thank you very much for the private key for my case2, it worked. Waiting for case1 too, thanks again.



#679 pineapple13

  • Members
  • 2 posts

Posted 17 January 2016 - 10:01 AM

Good morning! I'm currently working through factorization in hopes of solving my .ECC (version 3). Thanks to everyone who is making this possible. I was wondering though, I have a few bitcoin mining rigs at my disposal. Is there any way YAFU can use these for factorization? I'd be more than happy to help with the community efforts once mine is finished. If my rigs can speed up the process that would be awesome!

#680 Demonslay335

    Ransomware Hunter

  • Security Colleague
  • 3,479 posts

Posted 17 January 2016 - 12:54 PM

> Hi betacire, thank you very much for the private key for my case2, it worked. Waiting for case1 too, thanks again.

 

Case 1 has a C132 after ECMs, that's going to be a long one. I've started it up on one of my systems in the event someone else hasn't.

 

> Good morning! I'm currently working through factorization in hopes of solving my .ECC (version 3). Thanks to everyone who is making this possible. I was wondering though, I have a few bitcoin mining rigs at my disposal. Is there any way YAFU can use these for factorization? I'd be more than happy to help with the community efforts once mine is finished. If my rigs can speed up the process that would be awesome!

 

They might be of use, but clustering factoring is a bit more complicated I think. I'm not sure how to coordinate it, other than knowing you can cluster the sieving process. For now, we're just using individual PCs. If they have a fast processor, you could do one case per system. Yafu has binaries for Windows, but you can compile it for Linux if you need, instructions are on the Mersenne forums.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#681 pineapple13

  • Members
  • 2 posts

Posted 17 January 2016 - 02:02 PM

Yeah, I'm running YAFU now on my laptop. 4 threads. During the sieving step I was getting around 0.017 sec/rel. It finished this morning, but only gave me two factors, both rather large - less than 24hrs of running. TeslaRefactor didn't find a key. My PC restarted overnight because I forgot to turn off automatic updates. I restarted with -r but I'm thinking (hoping) something went wrong during the restart. I'm rerunning it again with a fresh copy of YAFU.

Edited by pineapple13, 17 January 2016 - 02:12 PM.


#682 Arakin7

  • Members
  • 4 posts

Posted 17 January 2016 - 03:35 PM

Hi mates,

 

A few days ago I got infected with the so-called Teslacrypt 3.0. Many, many important personal files (mostly doc, xls, jpg) are now showing the .XXX extension... :(

With the help of Norton Power Eraser I could find and clean the "meryHmas" key in the registry. It seems that it is not spreading any more, and now I am desperately looking for help to recover my data.

I know that there is not any solution to date, but hope is the last thing to lose. I have uploaded some of my encrypted files to see if they help:

https://mega.nz/#!LgI2VZZR!6AcoQMpX56ko6X3VtaGSURKSaL2TpZ6WwizTXpDcnoo

 

Thanks a lot for the great work and effort in this forum!!



#683 vilhavekktesla

  • Members
  • 918 posts

Posted 17 January 2016 - 06:42 PM

Hi, also read the thread referred to below, as that is the most recent Tesla thread. Also, the tools have been updated: Tesladecoder is at version 0.0.72 now, and maybe version 0.0.80 can fix your issue.

Anyway, here is the link to the other forum thread, and do read post one, as some prerequisites might be discussed there.

BloodDolly is working hard on the issue, so you could also PM him.

 

http://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/page-1

 

Best regards


The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0.1b or newer (if needed)

The master key is released so there is no need to pay to get the key.

About 200 550 different ransomwares exist so think safe backups at all time.


#684 vilhavekktesla

  • Members
  • 918 posts

Posted 17 January 2016 - 06:51 PM

All the normal things, backup and restore and maybe a search for deleted programs, are valid here.

Make a backup of your entire drive(s) and keep it for later use.

Also do not remove all traces unless you carefully note what happens. (An image backup is the best backup I can think of now.)

Or entirely replace the hard drive and reinstall Windows. Later on you can connect the drive and retrieve the data.

Probably the virus is gone, but not all traces are, so be careful.

If the antivirus had detected the virus you would not have had the trouble, so there are many other things to do to prevent or limit infection.

For now, the Tesla 3 might not be that much different from the previous few viruses in late 2015, but it seems the creators behind it are not happy with BC, so they make a new or several new versions to keep up the pressure.

I do not know the details as of now, but the way to get the key is more difficult at the moment. Keep fingers crossed and hope you don't have to sponsor them. After you have imaged the drive you might search for deleted files, maybe you find the one you need, and shadow copy is always a place to look. Hope you manage.




#685 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,281 posts

Posted 17 January 2016 - 07:00 PM

There is currently no way of decrypting the new .xxx, .ttt, or .micro variants of TeslaCrypt 3.0 since they use a different protection/key exchange algorithm and the key for them cannot be recovered. If infected with any of these, back up all your encrypted files and wait for a solution.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#686 vilhavekktesla

  • Members
  • 918 posts

Posted 17 January 2016 - 07:05 PM

 

> > Hi betacire, thank you very much for the private key for my case2, it worked. Waiting for case1 too, thanks again.

> Case 1 has a C132 after ECMs, that's going to be a long one. I've started it up on one of my systems in the event someone else hasn't.

> > Good morning! I'm currently working through factorization in hopes of solving my .ECC (version 3). Thanks to everyone who is making this possible. I was wondering though, I have a few bitcoin mining rigs at my disposal. Is there any way YAFU can use these for factorization? I'd be more than happy to help with the community efforts once mine is finished. If my rigs can speed up the process that would be awesome!

> They might be of use, but clustering factoring is a bit more complicated I think. I'm not sure how to coordinate it, other than knowing you can cluster the sieving process. For now, we're just using individual PCs. If they have a fast processor, you could do one case per system. Yafu has binaries for Windows, but you can compile it for Linux if you need, instructions are on the Mersenne forums.

 

Clustering...

 

Do you have any knowledge of servers, Linux, virtual machines, etc.? Do you also have available machines like VirusD or something? I do not have that other for short experiments, but if you have some equipment I can be willing to spend time testing, and I have a few non-decent machines that can participate, i.e. with ssh or something else.

I have not entirely dropped the thought as of now, but first understanding this took me around a month, and then factoring in a cluster, well, if you are up to it I can participate. I do have a webserver on a host, but I do not think I can just use it for project factoring, but I can use it to test simple stuff. I cannot install sw on it though, as it is on a hosting company.

I also do not want to, and probably you too do not want to, host a factoring service like this on a regular basis. Mostly because of up-time, and more because I don't think I can handle all the requests or the security implications, so I'm more interested in investigating what is possible and maybe connecting the system to factordb in an API, then presenting the result here on BC and finding out if there are good and reliable solutions.

I read about Amazon hosting




#687 BloodDolly

  • Security Colleague
  • 473 posts

Posted 17 January 2016 - 07:06 PM

> There is currently no way of decrypting the new .xxx, .ttt, or .micro variants of TeslaCrypt 3.0 since they use a different protection/key exchange algorithm and the key for them cannot be recovered. If infected with any of these, back up all your encrypted files and wait for a solution.

And send me a PM with a link to a few encrypted files. I will collect them and you will not be forgotten when the solution is found.



#688 vilhavekktesla

  • Members
  • 918 posts

Posted 17 January 2016 - 07:07 PM

Sorry for double posting... The save part took a minute or two so I kept the post open and posted it again.

I remove most of this one

 

> > Hi betacire, thank you very much for the private key for my case2, it worked. Waiting for case1 too, thanks again.

> Case 1 has a C132 after ECMs, that's going to be a long one. I've started it up on one of my systems in the event someone else hasn't.

> > Good morning! I'm currently working through factorization in hopes of solving my .ECC (version 3). Thanks to everyone who is

...

> They might be of use, but clustering factoring is a bit more complicated I think. I'm not sure how to coordinate it, other than knowing you ...

...

Clustering...

 

Do you have any knowledge of servers, Linux, virtual machines, etc.? Do you also have available machines like VirusD or something? I do not have that other for short experiments, but if you have some equipment I can be willing to spend

...

I read about Amazon hosting


Edited by vilhavekktesla, 17 January 2016 - 07:13 PM.



#689 vilhavekktesla

  • Members
  • 918 posts

Posted 17 January 2016 - 07:33 PM

Great to still see you, BloodDolly. I'll direct anyone with new extensions of Tesla to you whenever I find them.

Have you or others baptised all the versions, or are all for now referred to as version 3?

Your 0.072 of Tesladecoder starts to be to my liking; I really liked the new features, especially the filter option.

What I missed earlier, but that is part of the documentation, was what label is what.

And there is not an easy relation between factoring, viewing and decoding.

Maybe I was too much into the Python solution at the time being,

and for me too much into the details of what this is all about. Thanks for the answers in the PMs.

I read a little more about AES and realise I mixed info with RSA encryption.

What could be done with the program now is that when the work.txt report is written, multiple reports could be written with a save option

and both decimal numbers and hex numbers are added to the same file with one save. Also a counter to show the number of digits and some way to show if there are spaces in the numbers. It is pretty simple to miss on copy paste in this number... I.e. 45671 752 vs 45671752

Write work.txt like this: save as work_factors_vvv_file_this_and_that.txt and a timestamp maybe.

Then be able to load the work text into TeslaRefactor to include the key and finally load the work.txt into TeslaViewer so the key could be read from the file.

Just my thoughts for improvements, which I hope are not too much work (except the part on work.txt).

I'm not sure if I like my idea as it makes it more difficult for every user to understand what is happening, but maybe solving the ransom issue has higher priority. I know for sure I like the first version the most since I had to dig and understand it, but a normal user wants their data back and does not want to fiddle with heavy stuff.

Anyway, whatever you decide, you have done fantastic things for many people, thanks for that.


Edited by vilhavekktesla, 17 January 2016 - 07:37 PM.



#690 Arakin7

  • Members
  • 4 posts

Posted 18 January 2016 - 01:46 AM

Thank you all for the help



