Any files that are encrypted with the newer variant of TeslaCrypt
will have the .exx
extension appended to the end of the filename. The .aaa/.abc/.ccc variant drops files (ransom notes) with names like Recovery_File_*****.html, Recovery_File_*****.txt, restore_files_*****.html, restore_files_*****.txt, HOWTO_RESTORE_FILES_*****.txt, HOWTO_RESTORE_FILES_*****.html, HOWTO_RESTORE_FILES_*****.bmp (where ***** are random characters) and pretends to be CryptoWall 3.0
A repository of all current knowledge regarding TeslaCrypt
, Alpha Crypt
and newer variants is provided by Grinler
(aka Lawrence Abrams
), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ
Information about and support for decrypting files affected by Alpha Crypt & TeslaCrypt ransomware can be found in this topic:TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt
Unfortunately there is no way to decrypt the newer TeslaCrypt variants
(.xyz, .zzz, .aaa, .abc, .ccc) without Tesla's private key. These variants no longer store any data files on the local disk and information stored in the registry as binary data only contains public keys and each shared secret.
There is an ongoing discussion in this topic:
Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.
The BC Staff