TeslaCrypt 3.0/4.0 .XXX, .TTT, .MICRO, .MP3 Support Topic


1421 replies to this topic

#1 MostHated

  • Members
  • 13 posts

Posted 11 February 2016 - 04:46 PM

This topic will serve as the Support Topic for TeslaCrypt 3.0 .xxx, .ttt, .micro, .mp3 and TeslaCrypt 4.0 ransomware variants.

TeslaCrypt has closed its doors and released the master decrypt key. BloodDolly has already updated his tool so it can now decrypt all files encrypted by TeslaCrypt 3.0 and 4.x. More info here:

http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/

http://www.bleepingcomputer.com/forums/t/568525/new-teslacrypt-ransomware-sets-its-scope-on-video-gamers/?p=4002933

Mod Edit by quietman7

Hello all, just today a few PCs here got infected with Cryptolocker; it changed the extensions of files to .mp3, which after searching came back with nothing. Has anyone dealt with this one before? I tried searching for a key.dat or a .bin file, but didn't see anything either.
 
If anyone has any info, please do let me know!

#2 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,251 posts
  • Location:USA

Posted 11 February 2016 - 04:54 PM

We suspect a new version of TeslaCrypt 3.0 is using .mp3 as the extension. Is the ransom note called "HELP_TO_SAVE_FILES.txt" and mentions RSA-4096? You can provide a sample encrypted file for confirmation.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 MostHated

  • Topic Starter
  • Members
  • 13 posts

Posted 11 February 2016 - 05:16 PM

It has "_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.txt" in each folder, it is 4096 encryption, and here is a sample file. https://www.dropbox.com/s/8yo8kvli9n3o1ec/Wallace%20UPC-Label%20file.csv.zip?dl=0



#4 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,251 posts
  • Location:USA

Posted 11 February 2016 - 05:20 PM

Very odd. The file you uploaded is completely blank - it is literally a 1.79MB blank file.

 

Can you post the contents of one of those TXT files? Is "_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.txt" the literal name of the ransom notes?




#5 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 49,951 posts
  • Location:Virginia, USA

Posted 11 February 2016 - 06:07 PM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can also be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) with a link to this topic. Doing that will be helpful with analyzing and investigating by all our crypto experts.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#6 MostHated

  • Topic Starter
  • Members
  • 13 posts

Posted 11 February 2016 - 06:14 PM

Hello, thank you, I have submitted a few files to that link, and here it is as well for you Demon https://www.dropbox.com/s/b3eh3tudsrgqgg4/2008%20Leather%20Prcing%20updates.zip?dl=0 (this one is an xls)

 

I will try to get the verbiage from the text / html file as well, I am at home now, and it was a PC at the office. I will try and remote in.

 

Here is the text they included (minus the key info in the links)

 

 
 __!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!  
 
NOT YOUR LANGUAGE? USE https://translate.google.com 
 
What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
 
How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
 
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
 
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 
2. After a successful installation, run the browser and wait for initialization
3. Type in the address bar: fwgrhsao3aoml7ej.onion/
4. Follow the instructions on the site.
 
!!! IMPORTANT INFORMATION:
!!! Your personal pages:
!!! Your personal page Tor-Browser: fwgrhsao3aoml7ej.onion/
!!! Your personal identification ID: 

Edited by MostHated, 11 February 2016 - 06:23 PM.


#7 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,251 posts
  • Location:USA

Posted 11 February 2016 - 06:22 PM

Yep, matches the signature of TeslaCrypt 3.0 encrypted files. You may see something like this in some of those random text files (from what I can reconstruct with the header of the file).

<Bitcoin address>
04262361083EB20DFA5762B54E517021954EE315CFB3DFED9A8A80177D0C5D4865E9CAF1CD3C78C0B838176A826A68DCBA9C59C5225CE5B90D8FA6C9ADDD2E46F20A5DE350A2CDAEA34D17E89DA26CAFE5110160DA57599CCB42482EF3C29808B3
7D30A00A46825AD6
<kryptik ID>

BloodDolly isn't sure if this is an extension here to stay, or a buggy build. It was released today.




#8 MostHated

  • Topic Starter
  • Members
  • 13 posts

Posted 11 February 2016 - 06:33 PM

Awesome that we had to be some of the first ones. : / It reached out to the network and found some unsecured folders and encrypted everything it could get its hands on. How screwed am I? I am going to install CryptoPrevent on everything. Doing just the "basic" setting should prevent this from happening again?

 

Edit - also, sorry, here are the names of the actual notes included.

 

_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.html

_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.png

_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.txt


Edited by MostHated, 11 February 2016 - 06:48 PM.


#9 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,251 posts
  • Location:USA

Posted 11 February 2016 - 06:54 PM

Ok, I was double-checking since that's a new ransom note file name to me. The contents and the portal they give you match exactly.

 

Sorry to say, but you've definitely been hit with TeslaCrypt 3.0. There is no solution for it at this time.

 

We recommend backing up all of your encrypted data and hoping for the future.


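Added example for the triage step the two posts above describe (not code from this thread or from any BleepingComputer tool): a Python script that walks a folder tree, lists ransom notes named like the ones quoted above, flags .mp3 files whose content lacks a real MP3 header (so a genuine music file is not mistaken for an encrypted one), and counts hits per folder to show how far the infection reached across shares. The suffix pattern after "+" in the note name and the sample file names inside run_demo() are assumptions.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Note names quoted in the thread: _H_e_l_p_RECOVER_INSTRUCTIONS+qjd.{txt,html,png}; the short
# alphanumeric suffix after '+' is an assumption generalised from that single sample.
NOTE_RE = re.compile(r"^_H_e_l_p_RECOVER_INSTRUCTIONS\+[a-z0-9]{1,8}\.(txt|html|png)$", re.I)
ENC_EXT = ".mp3"  # appended to the original name, e.g. report.xls -> report.xls.mp3

def looks_like_real_mp3(head: bytes) -> bool:
    """True if the first bytes are an ID3v2 tag or an MPEG audio frame sync (0xFFE*)."""
    return head.startswith(b"ID3") or (len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0)

def original_name(name: str) -> str:
    """Recover the pre-encryption file name by stripping the appended .mp3."""
    return name[:-len(ENC_EXT)] if name.lower().endswith(ENC_EXT) else name

def triage(root: str) -> dict:
    """Walk root; collect ransom notes, likely-encrypted .mp3 files and hit counts per folder."""
    notes, encrypted, per_dir = [], [], defaultdict(int)
    for path in Path(root).rglob("*"):
        if NOTE_RE.match(path.name):
            notes.append(str(path))
        elif path.is_file() and path.name.lower().endswith(ENC_EXT):
            with path.open("rb") as fh:
                head = fh.read(4)
            if not looks_like_real_mp3(head):  # a genuine song keeps its header
                encrypted.append(str(path))
                per_dir[str(path.parent)] += 1
    return {"notes": notes, "encrypted": encrypted, "per_dir": dict(per_dir)}

def run_demo() -> dict:
    """Build a constructed sample tree (one hit folder, one clean folder) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        hit, clean = Path(tmp, "Shared", "Pricing"), Path(tmp, "Music")
        for d in (hit, clean):
            d.mkdir(parents=True)
        for ext in ("txt", "html", "png"):
            (hit / f"_H_e_l_p_RECOVER_INSTRUCTIONS+qjd.{ext}").write_bytes(b"note")
        (hit / "Leather Pricing updates.xls.mp3").write_bytes(bytes(range(64)))  # no MP3 header
        (clean / "song.mp3").write_bytes(b"ID3\x04\x00" + bytes(59))  # genuine ID3v2 tag
        result = triage(tmp)
    result["originals"] = [original_name(Path(p).name) for p in result["encrypted"]]
    return result

if __name__ == "__main__":
    r = run_demo()
    print(len(r["notes"]), "ransom notes,", len(r["encrypted"]), "encrypted:", r["originals"])
```

Point triage() at the root of a share to get the same report for a real tree; the per_dir counts show which folders the malware could write to.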


#10 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 49,951 posts
  • Location:Virginia, USA

Posted 11 February 2016 - 07:05 PM

...I am going to install CryptoPrevent on everything. Doing just the "basic" setting should prevent this from happening again...

CryptoPrevent writes 200+ group policy object rules into the registry in order to prevent executables in specific locations from running. CryptoPrevent can be used to lock down any Windows OS to prevent infection by crypto ransomware which encrypts personal files and then offers decryption for a paid ransom. CryptoPrevent artificially implants hundreds of group policy object rules into the registry in order to block executables (*.exe, *.com, *.scr and *.pif) and fake file extension executables in certain locations (i.e. %AppData%, %LocalAppData%, %userprofile%, %programdata%, Recycle Bin, Startup Folder) from running. Due to the way that CryptoPrevent works, it protects against a wide variety of malware and ransomware. There are several levels of protection but most users only need to use the default setting - "Set it and forget it" protection. The Free Edition allows you to manually check for updates regularly by using the update function inside the program. CryptoPrevent Premium offers automatic updates to the program and definitions, email alerts, and customized prevention rules for a one time low price.

CryptoPrevent has a filter module (in the installer version) which allows you to apply (enable) or disable suspicious program filtering for .cpl, .scr and .pif files which are executable files. This option is found by opening CryptoPrevent and selecting Advanced > show Advanced Options at the top. The portable version does NOT include the Filter Module...you must get the installer version to use that feature.

#11 MostHated

  • Topic Starter
  • Members
  • 13 posts

Posted 11 February 2016 - 07:16 PM

Is there anything that can be done to my Sonicwall to help keep this from coming in again?



#12 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,251 posts
  • Location:USA

Posted 11 February 2016 - 07:24 PM

Is there anything that can be done to my Sonicwall to help keep this from coming in again?

 

A firewall doesn't really do much for preventing malware in that sense. To the firewall, you were just downloading something over port 80; it can read the where from and to, but not so much the "what" it is. It is to prevent outside sources from coming in on certain ports, or for filtering traffic going out. Theoretically, you could have it block your internal network from reaching out to their C&C servers, but they rotate so frequently that it wouldn't be plausible. At that point, the malware would be already on your system, but would not be able to reach out to their server with the key, stalling the encryption process (sometimes).

 

The best prevention is awareness in what you click, open, or download, and having your system protection updated at all times. You can check some pinned guides around this site for more information on best security practices.




#13 MostHated

  • Topic Starter
  • Members
  • 13 posts

Posted 11 February 2016 - 07:48 PM

 

Is there anything that can be done to my Sonicwall to help keep this from coming in again?

 

A firewall doesn't really do much for preventing malware in that sense. To the firewall, you were just downloading something over port 80; it can read the where from and to, but not so much the "what" it is. It is to prevent outside sources from coming in on certain ports, or for filtering traffic going out. Theoretically, you could have it block your internal network from reaching out to their C&C servers, but they rotate so frequently that it wouldn't be plausible. At that point, the malware would be already on your system, but would not be able to reach out to their server with the key, stalling the encryption process (sometimes).

 

The best prevention is awareness in what you click, open, or download, and having your system protection updated at all times. You can check some pinned guides around this site for more information on best security practices.

 

I have a sonicwall TZ-215 and pay for all the service subscriptions with active virus and malware scanning via McAfee engine, but it doesn't seem to have done much. : /



#14 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 49,951 posts
  • Location:Virginia, USA

Posted 11 February 2016 - 08:07 PM

For the best defensive strategy against ransomware (crypto malware infections), see my comments in this topic.

#15 3J Kernel

  • Members
  • 62 posts

Posted 12 February 2016 - 09:27 AM

Ok, I was double-checking since that's a new ransom note file name to me. The contents and the portal they give you matches exactly.

 

Sorry to say, but you've definitely been hit with TeslaCrypt 3.0. There is no solution for it at this time.

 

We recommend backing up all of your encrypted data and hoping for the future.

If a new solution for TeslaCrypt (.ttt, .micro and .xxx) appears, would it be valid for .mp3 also? Or does it need a different solution?