Infected with TeslaCrypt 3.0 (I think...) (.micro extension)


This topic is locked. 1 reply to this topic.

#1 PishedOff (Members, 38 posts)

Posted 10 February 2016 - 05:56 PM

Hi all,

I have been infected with ransomware, which from a bit of searching I believe is the latest version (3.0) of TeslaCrypt; the encrypted files have been appended with the .micro extension. I can provide an encrypted file if that helps?

The ransom notes are left in every directory: there is one png file, one txt file and one html file, all titled "HELP_RECOVER_instructions+ivg". As soon as I was alerted to the infection (via an html file opening up in my browser) I killed my internet connection, investigated a little bit, and ran MS Security Essentials, which picked up a Trojan (I forget the exact name) and said that it removed it, but that I needed to download and run Windows Defender Offline or something. I have not done that, as I have not plugged the internet connection back in since it happened; it's still there, as I ran MS Security Essentials again and it said it found the same thing.

I have since just been using my computer via a Linux live USB key, just so I can still use the computer for browsing etc. in the meantime, as I hope that I am protected from it since it's not booting Windows at all. Most of the time my HDD is not mounted, but whilst using the Linux live USB I have mounted the HDD from time to time to back up certain HD videos that were not encrypted and to check what other signs I can look for to determine the exact ransomware.

I have just this moment realised that certain directories have multiple copies of the ransom notes (i.e. 2 or 3 txt/png/html files in some directories), all with the same title as above, but with the last three letters being different.

I have also noticed in my Documents folder three txt files, all titled "recover_file_randomstring", where randomstring is just random letters. What is more interesting is that each of the three files contains the exact same text, which is below:

1MgdeXajsG53ghFFosmGPrZoLYzPryjZu3
04337816102ECAEFAE785C4603870FEE63F2BE5DFF5EAEDEE4331FF6C0088A9C003F939743B60ADD0903D1F7BB2FBE49D06062D360C67F7E20D79025E0442D99992787FBB41477D7806F214467650453BFE8C902419CEEB3B139C44B1E1D586BAE
1C24A8945AA4B34A
52

I have also just noticed a load of files (~22 files) in my Users root directory, i.e. "C://Users/MyName", all titled something slightly different but all starting with "ntuser.dat...". Some have rather short titles, such as "ntuser.dat.LOG1" and "ntuser.dat.LOG2", but some have much longer names, such as "NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms". I am pretty sure these were not there before (I hardly used my Users root directory), but cannot be 100% certain.

Really sorry for the long post with lots of info; I just thought the more info the better. I hope I have posted this in the correct forum too! I would greatly appreciate ANY help at all :)



#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,482 posts, Virginia, USA)

Posted 10 February 2016 - 06:27 PM
TeslaCrypt ransomware includes several known versions with various extensions for encrypted files. Any files that are encrypted with TeslaCrypt 3.0 will have the .xxx, .ttt or .micro extension appended to the end of the filename, as described in this news article, and it leaves .html and .txt files (ransom notes) with names like recovery_file_[random].txt, recover_file_[random].txt, Howto_Restore_FILES.TXT and help_recover_instructions+[random].txt.

A repository of all current knowledge regarding TeslaCrypt, Alpha Crypt and newer variants is provided by Grinler (aka Lawrence Abrams) in this topic: TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ.

Currently, there is no way of decrypting the TeslaCrypt 3.0 .xxx, .ttt or .micro variants, since they use a different protection/key exchange algorithm and a different method of key storage, and the key for them cannot be recovered. The .xxx, .ttt and .micro variants do not have a SharedSecret*PrivateKey, so they are not supported by the current version of TeslaViewer. If infected with any of these extensions, back up all your encrypted files and wait for a solution.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. You can also post comments in the related BC News article. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts, since they may not see this thread. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
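quietman7's advice is to back up every encrypted file and wait for a decryptor. The script below is an added example for this thread, not code from either poster or from BleepingComputer. Run from the Linux live USB against a read-only mount of the Windows drive, it counts files carrying the .xxx/.ttt/.micro extensions named above, collects the ransom notes and deduplicates them by content (which is what makes the three identical recover_file_* notes one note, not three), splits the four-line recover_file note into the fields visible in the first post without assigning them a meaning the page does not give, and copies encrypted files plus notes into a backup tree that keeps their relative paths. The extension set and the note filename patterns are taken from the two posts; the sample directory tree, the mount point and the backup destination are constructed or assumed.

```python
"""Triage a mounted, infected Windows volume for TeslaCrypt 3.0 artifacts.

Added example for this thread (not code from either poster). Run it from the
Linux live USB against a read-only mount of the Windows drive.
"""
import hashlib
import os
import re
import shutil
import tempfile
from collections import Counter

# Encrypted-file extensions quietman7 lists for TeslaCrypt 3.0.
TESLACRYPT3_EXTS = {".xxx", ".ttt", ".micro"}

# Ransom-note filename patterns named in the thread (matched case-insensitively).
NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^recover(y)?_file_[a-z0-9]+\.txt$",
    r"^help_recover_instructions\+[a-z0-9]+\.(txt|html|png)$",
    r"^howto_restore_files\.txt$",
)]

# Shape of the four-line recover_file note quoted in the first post: a Bitcoin
# address, a hex blob, a 16-hex-digit value, a decimal. Only the shape is
# checked here; the page does not say what each field means.
BTC_ADDR_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Copied from the note quoted in the first post; used as constructed sample input.
SAMPLE_NOTE = (
    "1MgdeXajsG53ghFFosmGPrZoLYzPryjZu3\n"
    "04337816102ECAEFAE785C4603870FEE63F2BE5DFF5EAEDEE4331FF6C0088A9C003F939743B60ADD0903D1F7BB2FBE49D06062D360C67F7E20D79025E0442D99992787FBB41477D7806F214467650453BFE8C902419CEEB3B139C44B1E1D586BAE\n"
    "1C24A8945AA4B34A\n"
    "52\n"
)


def is_ransom_note(name):
    return any(p.match(name) for p in NOTE_PATTERNS)


def parse_recover_note(text):
    """Split a recover_file_*.txt body into its four observed fields, or None."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 4:
        return None
    addr, blob, ident, trailer = lines
    if not (BTC_ADDR_RE.match(addr) and HEX_RE.match(blob)
            and HEX_RE.match(ident) and trailer.isdigit()):
        return None
    return {"btc_address": addr, "hex_blob": blob, "hex_id": ident,
            "trailer": int(trailer)}


def triage(root):
    """Walk root read-only: count encrypted files per extension, collect and dedupe notes."""
    encrypted = Counter()
    notes = []
    digests = {}   # sha256 of note body -> paths with that exact body
    ids = set()    # third field of every parseable recover_file note
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in TESLACRYPT3_EXTS:
                encrypted[ext] += 1
            elif is_ransom_note(name):
                notes.append(path)
                with open(path, "rb") as fh:
                    body = fh.read()
                digests.setdefault(hashlib.sha256(body).hexdigest(), []).append(path)
                parsed = parse_recover_note(body.decode("utf-8", "replace"))
                if parsed:
                    ids.add(parsed["hex_id"])
    return {"encrypted_by_ext": dict(encrypted), "notes": sorted(notes),
            "distinct_notes": len(digests), "victim_ids": sorted(ids)}


def backup_encrypted(root, dest):
    """Copy every encrypted file and ransom note under root to dest, keeping paths."""
    copied = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TESLACRYPT3_EXTS or is_ransom_note(name):
                src = os.path.join(dirpath, name)
                dst = os.path.join(dest, os.path.relpath(src, root))
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)   # preserves timestamps for later analysis
                copied += 1
    return copied


def build_sample_tree(base):
    """Constructed stand-in for the mounted drive: three .micro files, one untouched file, notes."""
    docs = os.path.join(base, "Users", "MyName", "Documents")
    pics = os.path.join(base, "Users", "MyName", "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for fname in ("thesis.docx.micro", "budget.xlsx.micro"):
        with open(os.path.join(docs, fname), "wb") as fh:
            fh.write(b"\x00" * 64)
    with open(os.path.join(pics, "holiday.jpg.micro"), "wb") as fh:
        fh.write(b"\x00" * 64)
    with open(os.path.join(pics, "video.mp4"), "wb") as fh:
        fh.write(b"\x00" * 64)           # not encrypted, must not be counted or copied
    for rnd in ("abc", "def", "ghi"):    # three identical notes, as in the first post
        with open(os.path.join(docs, f"recover_file_{rnd}.txt"), "w") as fh:
            fh.write(SAMPLE_NOTE)
    for d in (docs, pics):
        for ext in ("txt", "html", "png"):
            with open(os.path.join(d, f"HELP_RECOVER_instructions+ivg.{ext}"), "w") as fh:
                fh.write("ransom instructions")   # placeholder body for the html/txt/png notes


def demo():
    """Run triage and backup on the constructed tree and return the triage result."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, backup = os.path.join(tmp, "drive"), os.path.join(tmp, "backup")
        build_sample_tree(drive)
        result = triage(drive)
        result["backed_up"] = backup_encrypted(drive, backup)
        return result


if __name__ == "__main__":
    print(demo())
```

Mount the Windows volume read-only first (for instance `mount -o ro /dev/sda2 /mnt/win`; the device name is an assumption), then call `triage("/mnt/win")` and `backup_encrypted("/mnt/win", "/media/usb/backup")`; `demo()` runs both against the constructed tree. The script only counts and copies, it never deletes or decrypts anything. One caveat for the first post's inventory: `ntuser.dat.LOG1`, `ntuser.dat.LOG2` and the `NTUSER.DAT{GUID}.TMContainer...regtrans-ms` files are the transaction logs Windows itself keeps for the user registry hive and are present on clean systems too, so the script does not treat them as indicators.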