Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Need HELP on .AAA File decrypt

  • This topic is locked This topic is locked
1 reply to this topic

#1 spyrox78


  • Members
  • 1 posts
  • Local time:07:01 AM

Posted 29 October 2015 - 08:50 AM



I might have been hit by ransomware. I did a search on google that took me to your site using the information on Crypto Virus. I tried to remove it, all my files become .aaa and some of my applications can't run. I'm using windows 8.1.



Got this ransom note : restore_files_oaood.html, restore_ files_oaood.txt. How do i retrieve or decrypt my photos since i do not have a restore point :wacko:  and previous version of my files. Feel so helpless and desperately need help, thank you so so much for taking time to help.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,092 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:01 PM

Posted 29 October 2015 - 06:29 PM

:welcome: to Bleeping Computer.

You are dealing with a newer variant of TeslaCrypt/Alpha Crypt.

Any files that are encrypted with the newer variant of TeslaCrypt will have the .exx, .xyz, .zzz, .aaa, .abc or .ccc extension appended to the end of the filename. The .aaa/.abc/.ccc variant drops files (ransom notes) with names like Recovery_File_*****.html, Recovery_File_*****.txt, restore_files_*****.html, restore_files_*****.txt, HOWTO_RESTORE_FILES_*****.txt, HOWTO_RESTORE_FILES_*****.html, HOWTO_RESTORE_FILES_*****.bmp (where ***** are random characters) and pretends to be CryptoWall 3.0.

A repository of all current knowledge regarding TeslaCrypt, Alpha Crypt and newer variants is provided by Grinler (aka Lawrence Abrams), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

Information about and support for decrypting files affected by Alpha Crypt & TeslaCrypt ransomware can be found in this topic:
TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt

TeslaCrypt includes several known versions and extension variants to include: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc. Earlier variants stored the private key as data files on the local disk which enabled victims to decrypt their files with the locally stored private key using Cisco's Talos Group decryptor tool for TeslaCrypt or BloodDolly's TeslaDecoder. However, if that key was destroyed or removed there is no way to decrypt/recover the data.

Unfortunately there is no way to decrypt the newer TeslaCrypt variants (.xyz, .zzz, .aaa, .abc, .ccc) without Tesla's private key. These variants no longer store any data files on the local disk and information stored in the registry as binary data only contains public keys and each shared secret.

Unfortunately there is no way how to decrypt .xyz, .zzz, and .aaa variants without Tesla's 256 bit private key or logged request to server encrypted by AES sent before encryption started. I recommend to backup all your encrypted files. Anything else is not necessary, becasue if Tesla's private key will be leaked/published all information for decryption is located in encrypted file header.

BloodDolly, Post #123

Unfortunately there is no solution for .ccc variant of TeslaCrypt. This variant can be decrypted only by their private key except your randomly generated and never stored private key.

BloodDolly, Post #200

...ccc and abc variants are very similiar and can't be decrypted without Tesla's private key, your generated private key or private keys used for file encryption.

BloodDolly, Post #136

Brute forcing the decryption key is not a realistic option (not possible) with current technology because there are an infinite number of possiblities to try. The only other alternative is to save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a possible solution so save the encrypted data and wait until that time.

There is an ongoing discussion in this topic:Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users