Hi, new here but a friend has asked me for help with their laptop that has been infected with TeslaCrypt 3.
When they realised that they were infected they shut the computer down but by this time most of their files had been encrypted and replaced by ones of the same names but with the .micro extension. They haven't yet been prompted with a window asking for payment to unlock, but the payment instructions appear in every directory that has encrypted files. A recovery_filexxx.txt is present in their profile directory but there is no key.dat anywhere on the hard disk.
Annoyingly, at the time this happened they had their external backup drive connected, so that too is stuffed.
I have booted the computer off a live CD to check the state of the hard disk and I am attempting to recover any deleted files before I remove the infection and boot into Windows to go after any shadow copies.
I understand that this is a very new variant but has any progress been made on decrypting the files, and if not is there anything I can pull from the disk before I clean the infection and boot back into Windows that would be of use in breaking the encryption?