TeslaCrypt 3.0/4.0 .XXX, .TTT, .MICRO, .MP3 Support Topic


1421 replies to this topic

#256 NightbirD

NightbirD

  • Members
  • 493 posts
  • Gender:Male
  • Location:Buenos Aires, Argentina.

Posted 23 February 2016 - 05:34 PM

@Andonevris

@PishedOff

Ok mates, I'll try to get infected by all variants of TC3.0 as soon as I can & gonna record the whole mess... I'll do the attempt several times, even tryin' more than just one variant at once, we'll see...

 

@quietman7

Thx a lot for the approach, I'll try to get infected through those ways in order to see what I can find (at least as a simple personal experience...). To be honest, & being obvious, I doubt a lot that I can find some interesting input about file restoration from TC3.0 attacks.


************************************************************************************************************************


Please, start TODAY a BACK UP DISCIPLINE, & try to spread the idea to everyone you know. This way you, & your beloved ones, will keep safe the whole data, & the crypto-criminal activity will turn senseless soon.



#257 viljemt

viljemt

  • Members
  • 14 posts

Posted 23 February 2016 - 06:45 PM

I didn't find any files with file recovery software.

#258 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,940 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 February 2016 - 06:51 PM

I didn't find any files with file recovery software.

With most ransomware you can always try file recovery software such as R-Studio or PhotoRec to recover some of your original files, but there is no guarantee that will work.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#259 octogon

octogon

  • Members
  • 43 posts
  • Gender:Male
  • Location:Italy

Posted 23 February 2016 - 06:52 PM

I have a client who was hit by V3 (mp3)

 

I have managed to recover a lot of his encrypted files by using data recovery (specifically I used Ontrack EasyRecovery) using the "lost file" search. The scan of the drive took around 5 hours and when it finished I could access the pre-encrypted data. From there it's a simple step to search by extension (.doc, .xls etc.) and restore the data.

 

The original folder structure is borked of course, but at least the data is there. I know data recovery is mentioned in this thread but no real specifics, so I thought I'd share a positive experience with it.

 

Client is happy

 

My friend's PC was infected and totally encrypted by the .micro variant. Recuva was not able to find the original files that the ransomware encrypted and then deleted. Instead I successfully recovered the files deleted by the user before infection. Did not try Ontrack EasyRecovery, and now it would probably be too late as I overwrote a big part of the HDD with backups.

 

Anyway, I take the opportunity to thank everybody on this forum for the great support and for the strategies to defend yourself from ransomware. Meanwhile I will wait for a solution (if it will ever be found - I hope it will) to recover the encrypted files of my friend.


Edited by octogon, 23 February 2016 - 06:54 PM.


#260 pocholo22

pocholo22

  • Members
  • 53 posts

Posted 23 February 2016 - 06:55 PM

If it does not disturb your mastery, can you let us mortals know more or less what percentage the struggle against this cryptowall is at?


#261 octogon

octogon

  • Members
  • 43 posts
  • Gender:Male
  • Location:Italy

Posted 23 February 2016 - 07:07 PM

@Andonevris

@PishedOff

Ok mates, I'll try to get infected by all variants of TC3.0 as soon as I can & gonna record the whole mess... I'll do the attempt several times, even tryin' more than just one variant at once, we'll see...

 

@quietman7

Thx a lot for the approach, I'll try to get infected through those ways in order to see what I can find (at least as a simple personal experience...). To be honest, & being obvious, I doubt a lot that I can find some interesting input about file restoration from TC3.0 attacks.

 

As BloodDolly said, the private key should be in memory, so I suppose that with very good assembly debugging skills it might be possible to understand how the encryption key pair is generated.



#262 NightbirD

NightbirD

  • Members
  • 493 posts
  • Gender:Male
  • Location:Buenos Aires, Argentina.

Posted 23 February 2016 - 07:23 PM

@octogon

I wish I could be so optimistic; it is the wish of many of us. However, remember, I'm just a newbie tryin' to get some traces, at least. Master BloodDolly is 1.000.000.000 light years away; if he did not release something useful about TC3.0, it's 'cause there's still no cure. I'll try just about restoring through forensic tools, not about the deeper insight about the keys... I wish I could do that, but I'm just a hard worker & a musician; all my knowledge about the IT universe is the result of being sooo stubborn and insistent .... :lmao:

 

I'm just researching for now, & I know that the Masters could have the decryption before any of my approaches to recover the entire VSCs of an attacked system.




#263 Shakir86

Shakir86

  • Members
  • 27 posts

Posted 24 February 2016 - 01:06 AM

I saw in a video that the test PC was disconnected from the network before he started the virus. In the AppData tmp folder it was creating some files, and you can see the content with any editor.

 

Windows is saying that fail.exe could not be started.


Edited by Shakir86, 24 February 2016 - 10:18 AM.


#264 vilhavekktesla

vilhavekktesla

  • Members
  • 918 posts
  • Gender:Not Telling

Posted 24 February 2016 - 02:02 PM

Paying the ransom.

 

It is easy to say, do not pay. For me this is the rule even if the payment is 1 USD.

 

So why pay... well, if you have lost everything, and I mean everything, you are willing to pay.

Actually I want payment from the criminals for all the hours spent on the Tesla issues...

But I have also learned a lot (so that is my payment).

 

But back to the issue. You decide you want to pay, and you need bitcoins... Just make sure you understand what this is.

Raising 500 USD could take up to 14 days to accomplish, and you should really really really get in contact with the criminals on the forum link you are given with the payment requirements... You will get amazed about the support you get; you even want to cry and laugh at the same time.

 

Even so, you should never never never pay to anyone but the BTC site, and you may get all the issues mentioned in many posts before this one.

 

And if I forgot, you should really really familiarise yourself with BTC (bitcoins).

If any of the bitcoin stocks / banks were responsible for the ransomware (which they probably are not), then you will give away more information about yourself than you do to your own authority or banks... So what this post is about is to really let you think twice and twice again before you do anything.

 

Best of all, you are now much more prepared for what to do, by even finding the forums, discussions or articles on BC.

 

What we say and what we do are not always the same, (like) everywhere else in life.

 

So again, best way: not to pay... do not lose anything... How... Backups and familiarising yourself with all the technical things you have...

And do not forget your not so smart-phones.

 

Regards


Edited by vilhavekktesla, 24 February 2016 - 02:04 PM.

The signature points to post one in each topic. Post one is very important to read.

Now Teslacrypt may be decrypted with Blooddolly's Tesladecoder version 1.0.1b or newer (if needed)

The master key is released so there is no need to pay to get the key.

About 200 550 different ransomwares exist so think safe backups at all time.


#265 daryanx

daryanx

  • Members
  • 3 posts
  • Gender:Male

Posted 24 February 2016 - 11:33 PM

Agreed

#266 NyNe

NyNe

  • Members
  • 2 posts
  • Gender:Male

Posted 24 February 2016 - 11:47 PM

I'm copying my comment from the blog thread to this forum for the sake of participating in both threads:
I wanted to confirm I've had a 3rd network hit with the recovery[plus][5-character].PNG|HTML|TXT variant. I also found the 3rd hit was able to locate an unmapped network share on a NAS where we had backups. Some files were affected, but luckily I've got a script in place to cut off ransomware behaviour from accessing network shares and contain it on the infected PC, so the damage was minimal.

I would recommend anyone with publicly accessible shares on their network to formulate a plan to secure those shares with credential access.
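The post above describes two artefacts a defender can watch a share for: the ransom note named "recovery" plus "+" plus five characters (as .png, .html or .txt) and files that gained a second extension (.xxx, .ttt, .micro, .mp3) on top of their real one. The script below is an added example written for this thread, not NyNe's script and not anything from the TeslaCrypt decoder projects; it classifies a file listing with those indicators and raises an alert when a ransom note appears or the count of renamed documents passes a threshold. The regex for the note name, the list of document extensions and the sample listing are assumptions constructed for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Extensions the thread reports for TeslaCrypt 3.0/4.0 victims.
TESLACRYPT_EXTS = {".xxx", ".ttt", ".micro", ".mp3"}

# Ransom-note name as described in the post above ("recovery" + "+" +
# 5 characters, as .png/.html/.txt). The exact regex is an assumption
# derived from that description.
RANSOM_NOTE_RE = re.compile(r"^recovery\+[a-z0-9]{5}\.(png|html|txt)$", re.IGNORECASE)

# Document extensions that normally sit under the appended ransomware
# extension, e.g. report.docx.mp3 (assumed list, extend as needed).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
            ".pdf", ".txt", ".jpg", ".png"}


def classify(path: str):
    """Return 'ransom_note', 'encrypted' or None for a single path."""
    p = PureWindowsPath(path)
    if RANSOM_NOTE_RE.match(p.name):
        return "ransom_note"
    suffixes = [s.lower() for s in p.suffixes]
    if not suffixes or suffixes[-1] not in TESLACRYPT_EXTS:
        return None
    # .mp3 is a legitimate audio extension, so only count it when it is
    # stacked on a document extension; the other three are never normal.
    if suffixes[-1] == ".mp3":
        stacked = len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS
        return "encrypted" if stacked else None
    return "encrypted"


def scan(paths, min_encrypted=3):
    """Summarise a listing: counts per class, affected directories and
    whether it crosses the (assumed) alert threshold."""
    counts = Counter()
    dirs = Counter()
    for path in paths:
        kind = classify(path)
        if kind:
            counts[kind] += 1
            dirs[str(PureWindowsPath(path).parent)] += 1
    alert = counts["ransom_note"] > 0 or counts["encrypted"] >= min_encrypted
    return {
        "ransom_notes": counts["ransom_note"],
        "encrypted": counts["encrypted"],
        "affected_dirs": dict(dirs),
        "alert": alert,
    }


# Constructed sample listing of a NAS backup share (not real data).
SAMPLE_LISTING = [
    r"\\nas01\backups\finance\Q4-report.xlsx.mp3",
    r"\\nas01\backups\finance\invoice-0231.pdf.mp3",
    r"\\nas01\backups\finance\recovery+ab12c.txt",
    r"\\nas01\backups\finance\recovery+ab12c.html",
    r"\\nas01\backups\media\podcast-episode-3.mp3",  # real audio, must not match
    r"\\nas01\backups\hr\contract.docx.micro",
    r"\\nas01\backups\hr\notes.txt",
]

if __name__ == "__main__":
    result = scan(SAMPLE_LISTING)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed listing the scan reports two ransom notes, three renamed documents (the legitimate podcast .mp3 is ignored) and an alert; in practice the listing would come from a periodic directory walk or a file-server audit log, and an alert would be the trigger for NyNe's kind of containment, i.e. removing the infected host's access to the share.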

#267 Moobot

Moobot

  • Members
  • 2 posts

Posted 25 February 2016 - 04:31 AM

Hi Guys

 

Receptionist at a very important client infected several folders with this yesterday, now all the files have .mp3 extensions. Has any progress been made to resolve this?



#268 tramadol2000

tramadol2000

  • Members
  • 4 posts

Posted 25 February 2016 - 04:46 AM

I post this message to subscribe to this forum too. My PC still languishes with its locked files from 16.01.20... Hold on guys.

#269 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,940 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 25 February 2016 - 06:12 AM

...Has any progress been made to resolve this?

Still no way of decrypting TeslaCrypt 3.0 .xxx, .ttt, .micro, or .mp3 variants since they use a different protection/key exchange algorithm, a different method of key storage, and the key for them cannot be recovered. The .xxx, .ttt, .micro and .mp3 variants do not have a SharedSecret*PrivateKey, so they are not supported by the current version of TeslaViewer. There is no time-frame for when or if a fix will be available.

If a solution is discovered, that information will be provided here and you will receive notification if subscribed to this topic. In addition, a news article most likely will be posted on the BleepingComputer front page.

#270 Compumonkey

Compumonkey

  • Members
  • 2 posts

Posted 25 February 2016 - 08:04 AM

Hi guys

 

I was hit with this about a week ago. Really nasty stuff. I installed Emsisoft and it killed it (great anti-malware) but unfortunately all my files were already .mp3 extensions.

 

I found great success in running a recovery program, and managed to get about 95% of everything back. The only fun thing is sifting through all the recovered data to pick out your lost information. Worked really well though.

 

Hope that helps?





