Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


How to find the culprit computer where the TeslaCrypt is located?

  • This topic is locked This topic is locked
2 replies to this topic

#1 creosotepost


  • Members
  • 3 posts
  • Local time:11:01 AM

Posted 04 December 2015 - 04:56 AM

I have 2 network drives wiped by *.vvv files (and the associated ransom files). Drives are located on a Synology box, which I don't think can be infected itself (?).


There are several Windows 7 computers possible connecting to these drives (this is an educational environment) but I haven't been able to find any tell-tale signs yet - none have local files destroyed with the .vvv extension. Went through the hosts file, processes, msconfig, etc. and found nothing. Is there an easy way/file that identifies what computer has the ransomware on it that spread to the network shares?


It would seem from the things I read (ransom messages, most files non opening, etc) an infected computer would be obvious, but I have not heard a thing/complaint from any user having problems with their laptop.


Thank you for any advice, if this is more appropriate in the Removal Forum, please let me know and I'll move this over.



Edited by Chris Cosgrove, 04 December 2015 - 05:09 AM.
Moved from AII to 'General security'

BC AdBot (Login to Remove)


#2 SleepyDude


  • Malware Response Team
  • 3,130 posts
  • Gender:Male
  • Location:Portugal
  • Local time:06:01 PM

Posted 04 December 2015 - 05:28 AM

Hi Nathan :welcome: to BleepingComputer


If every user have different credentials to access the NAS check the file properties of those .vvv files on the NAS using the File Station, right click then Properties it should say how is the owner of the file.


If several users connect using the same user/pass and there are more vvv files been created right now you need to check the active connection on the NAS and the IP of the connected machines on the Resource Monitor.

• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

Proud graduate of GeekU and member of UNITE


#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,954 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:01 PM

Posted 04 December 2015 - 05:59 AM

What you need to know about TeslaCrypt, Alpha Crypt, and Network Shares.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance.Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users