Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Teslacrypt - .ccc - I was victim - decryption after payment works

  • This topic is locked This topic is locked
1 reply to this topic

#1 dbimi


  • Members
  • 2 posts
  • Local time:03:54 AM

Posted 08 December 2015 - 05:36 AM

Two weeks ago the nightmare comes to me. Suddenly all important files has file extension ".ccc" and I could not open it. I apprehended my Computer was infected by a virus and immediatly I shut down computer by putting off power adapter. A search by google from other computer leads me in this forum. Quickly I understood that I became a Victim of Ransomware named "Teslacrypt" using asymmetric encryption RSA-2048. Realy strong encryption and no way to crack. An email zu kaspersky ("professional support") was answered with useless standard answer. "Try this tool and that... bla bla". Latest Tool was from april this year. However ... useless. 
The search of an file named "key.dat" to crack the encryption is âlso useless because the encryption ist asymmetric and the key.dat is the public key which one you could not use to EN-crypt! It cames with the virus to yout computer and the private key for DE-cryption never enters yout computer at this time! 
The virus leads me to a personal page where I found a instruction what I have to do to get back my date decrypted. I should pay 500$ in bitcoins. 
From out different reasons at the end of a long process of consideration I decided to pay the ransom of 500 $ in bitcoins. The payment in bitcoins was dificult and cost much time to understand and realise it but I got it. At this time I don't know the asholes would be keeping their promise to decrypt my files after payment but I stake everything on one card and paid. 
Just a few hours later the blackmailer reacts and send me a link to download a "decryption tool" and the privat key for my data: a string of 65 characters an numbers! 
The decryption tool ist very primitiv, you could not choos special folders to prior decrypt but the complete hard disk will be decrypted. But the tool and the key works! The files came back! 
If you decrypt your files with that tool the data volume doubles! The mass of Data after decryption ist twice than bevor! Thats why the decryption tool dont delete the encrypted file after decryption. Both versions - encrypted and decrypted - are both an hard disk after decryption. So note that you perhaps need a bigger hard disk and copy all of your encrypted data on it bevor starts the decryption process! 
After all it ist a bleepy waste of time and nerves. 
I hope the blackmailer gets in prisom anytime! 
Don't forget: data backup is the most important! 

Edited by hamluis, 08 December 2015 - 11:33 AM.
Moved from AII to Gen Security - Hamluis.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:54 PM

Posted 08 December 2015 - 04:13 PM

Welcome to Bleeping Computer.
Any files that are encrypted with the newer variant of TeslaCrypt will have the .exx, .xyz, .zzz, .aaa, .abc, .ccc or .vvv extension appended to the end of the filename. The .aaa/.abc/.ccc/.vvv variants leave .html, .txt, files (ransom notes) with names like RECOVERY_FILE_*****.txt, restore_files_*****.txt, recover_file_*****.txt, Howto_RESTORE_FILES_*****.txt, howto_recover_file_*****.txt, _how_recover_*****.txt, how_recover+***.txt (where * are random characters).A repository of all current knowledge regarding TeslaCrypt, Alpha Crypt and newer variants is provided by Grinler (aka Lawrence Abrams), in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

Information about and support for decrypting files affected by Alpha Crypt & TeslaCrypt ransomware can be found in this topic:Since v5 there is no way to decrypt the newer TeslaCrypt variants (.xyz, .zzz, .aaa, .abc, .ccc, .vvv) without Tesla's private key or a purchased decryption key. It is no longer possible to get the encryption key from Tesla's request without Tesla's private key...since there is no private key anymore, it can't be used to decrypt files. See here for possible decryption information with each version.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance.Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users