I’ve read the suggested threads: http://www.bleepingcomputer.com/virus-removal/teslacrypt-alphacrypt-ransomware-information
http://www.ghacks.net/2016/04/13/id-ransomware/ (couldn’t upload both the ransom note and a sample infected file, as I had deleted the ransom note)
I have a Win 7 system. The ransomware encrypted my files with the extension “.D6979”. I haven’t found any instances of this particular file extension encryption anywhere on the web. I assume it’s a new variant.
I attempted to remove the ransomware, but it kept returning. I believe the first instance was either TeslaCrypt or TesCrypt. MSE identified it when it came back as TesCrypt C. The last appearance was identified by MSE as TesCrypt E. I haven’t seen any reappearances in the last 4 or 5 days. I was running MSE and Malwarebytes free version before the infection and still am. Considering adding or replacing one or both of MSE and Malwarebytes free with Emsisoft Anti-Malware or Kaspersky Total or HitmanPro or Malwarebytes Anti-Ransomware. Also considering adding Software Restriction Policies and the CryptoPrevent Tool, maybe even manually created Software Restriction Policies (although I’d have to woodshed a little on these – would prefer a packaged solution). I’ve learned a lot over the years, but I’m still no techie – my expertise is in areas other than computers; I’m first and foremost a user, not a tech specialist like so many of you good folks.
Because of the reappearances, I am considering reformatting the drives in the desktop (solid state software drive and hard drive files drive) and re-installing Windows, Office, etc. on the solid state drive. Hate to do it, but may have to. Will this eliminate the possibility of the ransomware reappearing? I would think so, as all files are overwritten in a re-format.
The ransomware encrypted .doc files, .docx files, .xls files, .xlsv files, .ppt files, .pptx files, .htm files, .pdf files, possibly some others. Interestingly, it encrypted some but not all files. It did encrypt some files uploaded to OneDrive from another computer but accessed through my infected computer via OneDrive installed on my infected computer.
Fortunately, the other computer hadn’t been booted for a month, so it didn’t sync the encrypted files back down onto the other computer, so the files on that computer were still present in their original state. So I unplugged the other computer from the internet, saved the files onto a thumb drive, and now have all those files. What I’ve lost to encryption is all of the files in the OneDrive folder that were modified or added in the past month since the other computer was last booted, plus all of the files on my infected computer that were not in the OneDrive folder. So it’s not as bad as it could be, but still bad.
As to decryption, the various TeslaDecoder utilities would not seem to work, as they are specific to specific file extensions, and none of them seem to work with the “.D6979” file extension encryption.
Although I saved the encrypted files to a parking folder, I have been religiously cleaning out my computer with several different utilities, and I wouldn’t be surprised if I deleted the copy of the files that the ransomware makes and then encrypts (if that in fact is what happens), so if that is true, then I may no longer be able to decrypt even if a decryption utility is developed for the “.D6979” file extension encryption.
As to the other methods of restoring my original files:
- Backups – the OneDrive copy was my backup solution. A good solution until you are attacked with ransomware and it encrypts your OneDrive backup. So this method won’t work for me.
- File recovery software – as mentioned, R-Studio or Photorec may not work as I may have deleted the encrypted copy (or will these decrypt the encrypted copy I moved to a parking folder?). But I continue to use the infected computer for work and play, so I may have made it more difficult for these software utilities to work, if it’s even possible that they can decrypt the “.D6979” file extension encryption. I still need to try this.
- Shadow volume copies – this won’t work as the ransomware deleted the shadow volume copies.
- Restore Dropbox folders – does this also work for OneDrive? I’ll have to investigate this.
- Native Windows Previous Versions – this won’t work as the ransomware deleted the previous versions.
- Shadow Explorer – this won’t work as the ransomware deleted the shadow copies.
Thanks for any guidance you can provide.