
TeslaCrypt 3.0/4.0 .XXX, .TTT, .MICRO, .MP3 Support Topic


1421 replies to this topic

#1411 paradeshi

paradeshi

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 10 September 2016 - 08:18 AM

That's interesting, yes the E drive is an old hard drive from an old computer that also got affected and it was indeed Windows XP! The files do exist there and the report basically says at the end "Decryption finished. (0 files decrypted, 10 files skipped, 0 warnings)". I'll see if I can get some files to you. Thank you so much for helping!




#1412 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,300 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:36 PM

Posted 10 September 2016 - 08:44 AM

 

Trying to help someone else that got their files encrypted. File extension is MP3, and I've already tried TeslaDecoder. Attached are some encrypted files and the ransom notes.

 

https://www.sendspace.com/file/kwtfrr

 

Edit: Unencrypted/encrypted files attached. Tried the Nemucod decrypter tool with no luck.

 

https://www.sendspace.com/file/qr4gip

@karl008,

 

file from the second archive normally stands in Tesladecoder.

 

TeslaDecoder - 1.0.1
Custom priviledges: 1
Admininsrator's rights: 1
Debug mode: 0
Key version: TeslaCrypt 3.0.0 - 3.0.1, 4.0 (.xxx, .ttt, .micro, .mp3)

Decryption started.
-------------------

DECRYPTED: E:\deshifr\encode_files\AES (256)+ECHD+SHA1\Teslacrypt\tsl3\mp3\11\Encrypted & Unencrypted\Acknowledgements.rtf

Decryption finished. (1 files decrypted, 0 files skipped, 0 warnings)

 

Files of the first archive (mp3) do not contain encrypted TeslaCrypt structure or another layer of another encoder.

 

 

Correct. You have a dual-infection of TeslaCrypt and CrypMic. It seems you were hit by TeslaCrypt first, then CrypMic (identifiable by the ransom note and unique hex pattern at the beginning of each file, ID Ransomware picks up on both).

 

Archive 2 can be decrypted with TeslaDecoder, but archive 1 cannot, because there is a layer of encryption by CrypMic first. There is no way to decrypt CrypMic, so those files are a loss.

 

More information:

 

Nemucod decrypter only works on Nemucod, which uses XOR encryption.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#1413 paradeshi

paradeshi

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 12 September 2016 - 11:33 AM

 

Hello there,

 

I'm not sure if this is the right place to post this question but pardon me if this is not. I have used TeslaDecoder to decrypt some files recently and it turns out that it did not decrypt everything. Any ideas on what is causing it not to decode? The error message I get is "Unable to set normal file attributes (Error: 5h): E:\Documents and Settings\....mp3". I was able to get the files in C drive to decrypt but not the ones in E. Can someone please help?

 

Thanks!

Error 5 means "Access is denied", so TeslaDecoder was unable to set normal file attributes for the file you mentioned. This will throw only a warning in the log, but TeslaDecoder will try to decrypt and work with the file anyway. Are there any errors in the log? Does the file (E:\Documents and Settings\....mp3) really exist? Because it is a pretty weird name and location. Documents and Settings was used by Windows XP and it exists only as a junction point in newer versions of Windows. This directory should have the REPARSE_POINT attribute set, and TeslaDecoder avoids files and directories with this attribute.
If you do not run TeslaDecoder as administrator, it tries to elevate its privileges to BACKUP. So at least one of these values should be 1:

Custom priviledges: 1
Admininsrator's rights: 1

If you still have a problem decrypting all files, just PM me with the log.

 

@BloodDolly, you were right. I had to run it as administrator to decrypt. C drive didn't need me to elevate the permissions however. Glad it works! Thank you so much for your help!



#1414 klisman

klisman

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 17 February 2017 - 12:45 PM

Hello friend, I am writing again to ask whether there is something already to recover data damaged by TeslaCrypt v3 ttt xxx mp3.



#1415 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,300 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:36 PM

Posted 17 February 2017 - 01:36 PM

Hello friend, I am writing again to ask whether there is something already to recover data damaged by TeslaCrypt v3 ttt xxx mp3.

 

If the files were encrypted, yes, you can decrypt them using TeslaDecoder. Just follow the instructions in the first post. If the files were actually damaged by something else though, there may not be much we can do. If you have issues, you can share a few encrypted files here for us to look at.




#1416 klisman

klisman

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 18 February 2017 - 07:06 AM

 

Hello friend, I am writing again to ask whether there is something already to recover data damaged by TeslaCrypt v3 ttt xxx mp3.

 

If the files were encrypted, yes, you can decrypt them using TeslaDecoder. Just follow the instructions in the first post. If the files were actually damaged by something else though, there may not be much we can do. If you have issues, you can share a few encrypted files here for us to look at.

 

Yes, the data has been encrypted. I downloaded TeslaDecoder, but when I open it, it gives me "an error occurred when loading the Cabinet" and I don't know why. I am trying to put a file here so that you can see it, and it does not let me. Thanks, friend.



#1417 klisman

klisman

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 18 February 2017 - 07:12 AM

DSCF1674.JPG.mp3



#1418 al1963

al1963

  • Members
  • 848 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 18 February 2017 - 07:13 AM

@klisman,

 

add multiple files at sendspace.com and give us a link to these files, to test the feasibility of their decryption.



#1419 imaigne

imaigne

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:36 PM

Posted 15 November 2017 - 08:22 PM

My dad's computer was infected and his external drive was encrypted. I've uploaded some of the files to: https://www.sendspace.com/filegroup/3vQ9jeRqtW1QiT%2BC%2Fi8ANazTfktpAquEisgMce806Ms

 

Is there any way I can decrypt these files?

 

Thanks



#1420 al1963

al1963

  • Members
  • 848 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 15 November 2017 - 08:37 PM

My dad's computer was infected and his external drive was encrypted. I've uploaded some of the files to: https://www.sendspace.com/filegroup/3vQ9jeRqtW1QiT%2BC%2Fi8ANazTfktpAquEisgMce806Ms

 

Is there any way I can decrypt these files?

 

Thanks

@imaigne,

 

files are decrypted, but perhaps there is another layer of encryption by another encryptor that does not allow you to open documents correctly.

 

upd: The first 16 bytes of all the decrypted files are the same.

8CEC92B00FB5EE6B36C162EC95D99816

 

TeslaDecoder - 1.0.1b
Custom priviledges: 1
Admininstrator's rights: 1
Debug mode: 0
Key version: TeslaCrypt 3.0.0 - 3.0.1, 4.0 (.xxx, .ttt, .micro, .mp3)

Decryption started.
-------------------

DECRYPTED: C:\DATA\decrypt\TeslaCrypt\tls3\mp3\CFDMW Report 12.03.03.doc
DECRYPTED: C:\DATA\decrypt\TeslaCrypt\tls3\mp3\cindy stern education.doc
DECRYPTED: C:\DATA\decrypt\TeslaCrypt\tls3\mp3\Dejong.doc
DECRYPTED: C:\DATA\decrypt\TeslaCrypt\tls3\mp3\flyerCampbellRiver.pdf
DECRYPTED: C:\DATA\decrypt\TeslaCrypt\tls3\mp3\StephenOwen1.doc

Decryption finished. (5 files decrypted, 0 files skipped, 0 warnings)

 


Edited by al1963, 15 November 2017 - 08:48 PM.


#1421 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,300 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:36 PM

Posted 15 November 2017 - 08:52 PM

Probably hit by CryptoWall just before TeslaCrypt. His computer was super insecure to be hit by two ransomwares. Afraid there is no way to decrypt the CryptoWall layer, so the files are pretty much gone if you had no backups.




#1422 al1963

al1963

  • Members
  • 848 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 15 November 2017 - 09:08 PM

@imaigne,

 

most likely your files were encrypted first by Cryptowall 3.0, and then by Teslacrypt 3 / mp3.

TeslaCrypt we can decrypt, but Cryptowall 3 can not be decrypted.
Such cases have already been here on the forum.

Here's an example:

After the decryption of the ecc layer, files with the original extension are obtained, but these files can not be opened. Judging by the headers of the files, there was another encryption that did not change the file extension. Demonslay335 suggested that this is Cryptowall 3.0, judging by the fact that in the decrypted files the first 16 bytes of all files are the same. Unfortunately, he was right, and the user found the ransom note HELP_DECRYPT.TXT, typical of Cryptowall 3.0 encryption.
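The header check described in the posts above (files that come out of TeslaDecoder but all begin with the same 16 bytes instead of their normal file header), as an added example that is not part of the thread and not TeslaDecoder code. The function names, the verdict strings and the sample files are assumptions made for illustration; the magic-byte table holds the standard signatures for the file types mentioned in the thread.

```python
import os
import tempfile
from collections import Counter

# Standard file signatures for the types seen in this thread.
KNOWN_MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
    ".pdf": b"%PDF-",
    ".rtf": b"{\\rtf",
    ".jpg": b"\xff\xd8\xff",
}

def first_block(path, size=16):
    """Read the first `size` bytes of a file."""
    with open(path, "rb") as fh:
        return fh.read(size)

def triage(paths, size=16):
    """Return (verdict, shared_prefix_hex, files) for already-decrypted files."""
    bad = {}
    for p in paths:
        head = first_block(p, size)
        magic = KNOWN_MAGIC.get(os.path.splitext(p)[1].lower())
        if magic is not None and not head.startswith(magic):
            bad[p] = head  # extension says one thing, header says another
    if not bad:
        return "headers-ok", None, []
    prefix, hits = Counter(bad.values()).most_common(1)[0]
    if hits >= 2:
        # Unrelated file types sharing one leading block: a second layer is likely.
        same = sorted(p for p, h in bad.items() if h == prefix)
        return "second-layer-suspected", prefix.hex().upper(), same
    return "damaged-or-unknown", None, sorted(bad)

def demo():
    """Constructed sample: two files share the prefix quoted in post #1420."""
    shared = bytes.fromhex("8CEC92B00FB5EE6B36C162EC95D99816")
    samples = {"a.doc": shared + b"x" * 32, "b.pdf": shared + b"y" * 32,
               "c.rtf": b"{\\rtf1\\ansi ok}"}  # constructed, intact RTF header
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in samples.items():
            paths.append(os.path.join(d, name))
            with open(paths[-1], "wb") as fh:
                fh.write(data)
        verdict, prefix, files = triage(paths)
        return verdict, prefix, [os.path.basename(f) for f in files]

if __name__ == "__main__":
    print(demo())
```

A "second-layer-suspected" verdict only says the headers are wrong in the same way; which ransomware produced the layer still has to be confirmed from the ransom note, as in the case quoted above.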

 





