Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


+-HELP-RECOVER-+wtqde-+ Ransomware

  • Please log in to reply
2 replies to this topic

#1 Tsubakura


  • Members
  • 9 posts
  • Gender:Male
  • Location:Arnhem
  • Local time:02:52 AM

Posted 22 March 2016 - 10:41 AM



One of our customers has been infected with a ransomware which we suspect is a new type.

The odd thing is that this variant doesn't change the file extension, but causes something which prevents it from being opened.

Luckily, our customer noticed the problem in time and terminated the encryption process midway by logging off, saving some of the data.



As someone here already mentioned, this is indeed the Teslacrypt 4.0

The difference though, is that the extensions aren't changed.


Since the extensions aren't changed, we have to resort to other methods of finding which files are encrypted and which aren't like checking the modified date.


We somehow managed to obtain 2 files of the virus, which we submitted to malwr.com

The scary thing about this one, is that this one doesn't get detected by our malware scanners, it even got through our Sophos firewalls.

This means that at the time this was written, virus scanners are unreliable in detecting this one and you have to do all the cleaning manually.


I'm going to fire up Caine later and check them out, time to make myself useful.


Best regards,



Edited by Tsubakura, 22 March 2016 - 04:54 PM.

BC AdBot (Login to Remove)


#2 sector7g


  • Members
  • 1 posts
  • Local time:12:52 AM

Posted 22 March 2016 - 10:52 AM

Got the same this morning, turns out to be teslacrypt 4.


in via email & done several servers, restored from backup.



#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,918 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:52 PM

Posted 22 March 2016 - 04:10 PM

Yes TeslaCrypt 4.0 no longer uses an obvious extension for encrypted filenames...although when first released it used the .mp3 extension. TeslaCrypt 4.0 will leave files (ransom notes) with names like RECOVER+[random].TXT, RECOVER[5-random].TXT, recover_file.txt and _rEcOvEr_[5-random].txt. +-HELP-RECOVER-+[5-random]-+ is probably the lates note.

Tsubakura, if your analysis indicates it is TeslaCrypt 4.0, please post that information in the following topic.Rather than have everyone start individual topics, it is best (and more manageable for staff) to use one topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread.

If that is the case, let me know so I can close this topic to avoid confusion.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users