
help with .xxx extension


5 replies to this topic

#1 rdgpz

rdgpz

  • Members
  • 3 posts

Posted 10 August 2016 - 07:58 PM

Hi, I'm new and my problem is that I have several archives with the .xxx extension and TeslaDecoder just skips them. Can someone help me? Please.



#2 al1963

al1963

  • Members
  • 894 posts
  • Local time:04:55 AM

Posted 10 August 2016 - 10:53 PM

@rdgpz,

 

general that decision teslacrypt.xxx there,

http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/

 

but you can add some encrypted files on sendspace.com and add the link to your message to verify the decryption.



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,098 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:55 PM

Posted 11 August 2016 - 04:30 AM

Decryption instructions for all victims of TeslaCrypt 3.0/4.x (.xxx, .ttt, .micro, .mp3) are provided by BloodDolly here.

Kaspersky Lab's RakhniDecryptor tool will also work for those infected with TeslaCrypt 3.0/4.x.

If you still need assistance, support for TeslaCrypt 3.0/4.0 is provided in this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 rdgpz

rdgpz
  • Topic Starter

  • Members
  • 3 posts

Posted 11 August 2016 - 10:51 AM

 

Hi Demonslay, I am going to leave two archives with the xxx extension here. Can you see if they can be repaired? With TeslaDecoder I haven't been able to decode them.
Best regards from Chile, and you guys do excellent work.
https://www.sendspace.com/filegroup/YKutSZp4NPGGjOKpONC17A


It looks like your files were not hit by TeslaCrypt. The .xxx extension was very short-lived with TeslaCrypt 3.0; also, if you were infected recently, then it is not TeslaCrypt (the project has been dead for nearly 2 months now).

 

I am seeing this hex pattern in the file headers.

41 45 53 02 00 00 21 43 52 45 41 54 45 44 2D 42    AES...!CREATED-B
59 00 53 68 61 72 70 41 45 53 43 72 79 70 74 20    Y.SharpAESCrypt 
76 38 2E 31 2E 30 2E 33 00 80 00 00 00 00 00 00    v8.1.0.3.€......

Definitely not TeslaCrypt, could be something new. Do you have a ransom note accompanying the files? We may need a sample of the malware to analyze to determine if anything can be done to help you. Try scanning your system with MalwareBytes, HitmanPro, and FRST. If anything malicious or suspicious is found, please zip it up and upload to here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

I found a C# project by that name: https://www.aescrypt.com/sharp_aes_crypt.html

 

Could be the library the malware used.

 

I'll ask a moderator to re-open your other topic since this actually ended up not being TeslaCrypt. We should probably continue the conversation over there.

No, these files are old, not recent, so you are telling me that maybe it's just encrypted and not attacked by ransomware?


I didn't have a ransom note.



#5 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,591 posts
  • Gender:Male
  • Location:USA
  • Local time:04:55 PM

Posted 11 August 2016 - 10:58 AM

No, these files are old, not recent, so you are telling me that maybe it's just encrypted and not attacked by ransomware?

I didn't have a ransom note.

 

Shame, we could really use the ransom note to help identify. The malware sample itself is more important. Please run scans to find the infection if you can, or figure out if it was from an email attachment, downloaded file from a website, etc.

With the library I linked, I'm saying it is most likely that a ransomware used that code to encrypt your files. So, yes, it is still a ransomware attack probably.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
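
An added example, not part of the original posts and not Demonslay335's own tooling: a small parser for the header layout visible in the hex dump above, useful for triaging files that another decryptor skips. It assumes the AES Crypt stream format version 2 (magic `AES`, a version byte, a reserved byte, then extension blocks each prefixed by a 2-byte big-endian length); the function names are hypothetical, and the sample is the 48 bytes quoted in the thread.

```python
import struct

# The 48 header bytes quoted in the thread's hex dump (no other file data).
SAMPLE_HEADER = bytes.fromhex(
    "41 45 53 02 00 00 21 43 52 45 41 54 45 44 2D 42 "
    "59 00 53 68 61 72 70 41 45 53 43 72 79 70 74 20 "
    "76 38 2E 31 2E 30 2E 33 00 80 00 00 00 00 00 00"
)

def parse_aescrypt_header(data: bytes) -> dict:
    """Parse the unencrypted header of an AES Crypt container (assumed v2 layout)."""
    if len(data) < 5 or data[:3] != b"AES":
        raise ValueError("magic 'AES' not found: not an AES Crypt container")
    info = {"version": data[3], "extensions": [], "truncated": False}
    if info["version"] < 2:
        return info  # versions 0 and 1 carry no extension blocks
    pos = 5  # magic (3) + version (1) + reserved (1)
    while True:
        if pos + 2 > len(data):
            info["truncated"] = True  # ran out before the 0x0000 terminator
            break
        (length,) = struct.unpack_from(">H", data, pos)
        pos += 2
        if length == 0:  # zero-length block ends the extension list
            break
        block = data[pos:pos + length]
        # Each block is "identifier NUL content"; an empty identifier is padding.
        ident, _, content = block.partition(b"\x00")
        info["extensions"].append(
            {"id": ident.decode("ascii", "replace"), "declared_len": length,
             "content": content})
        if len(block) < length:
            info["truncated"] = True  # sample ends inside this block
            break
        pos += length
    return info

def created_by(info: dict):
    """Return the tool string from the CREATED-BY / CREATED_BY extension, if any."""
    for ext in info["extensions"]:
        if ext["id"].upper().replace("_", "-") == "CREATED-BY":
            return ext["content"].decode("utf-8", "replace")
    return None

if __name__ == "__main__":
    hdr = parse_aescrypt_header(SAMPLE_HEADER)
    print("AES Crypt version:", hdr["version"])
    print("Created by:", created_by(hdr))
    print("Header truncated in sample:", hdr["truncated"])
```

A match only establishes the container format and the tool that wrote it; everything after the extension blocks is encrypted data.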


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,098 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:55 PM

Posted 11 August 2016 - 03:16 PM

Topic reopened per Demonslay335's request and merged with related postings.