The comments have been closed for this news article. If you were using the comments section to receive help with your encrypted files, please use this forum topic instead.
TeslaCrypt (.VVV, .CCC, etc Files) Decryption Support Requests
New TeslaCrypt version adds .VVV extension to encrypted filenames
A new version of the TeslaCrypt ransomware has been released that for the most part is identical to previous versions. The most notable difference is that this new version adds the .vvv extension to encrypted filenames. Other changes include new ransom note filenames and different TOR payment site gateways. The new names for the ransom notes are in the format how_recover+abc.html and how_recover+abc.txt.
The .VVV version of TeslaCrypt cannot be decrypted for free
Unfortunately, this version of TeslaCrypt cannot be decrypted for free without the private key that is known only to the TeslaCrypt developers. If you have been infected by this version of TeslaCrypt, at this time the only way to recover your files is through a backup or by paying the ransom.
Comments
ashmak - 5 years ago
i have the same problem but .ccc is there any hope to fix that?
Lawrence Abrams - 5 years ago
RakhniDecryptor is able to decrypt some versions of TeslaCrypt that utilize the .CCC extension. Only way to know is to try it unfortunately.
http://support.kaspersky.com/us/viruses/disinfection/10556
vireczek - 4 years ago
Anyone with the same type od TeslaCrypt .vvv managed to solve the problem somehow?
Do you think an idea to copy all files to other device, then format computer and wait for decription device is an good option?
barefootdreamers - 4 years ago
I am trying to run the Kapersky RakhniDecryptor but it asks for me to select one file that has been encrypted and NONE of them show up in that dialog box. So frustrating! I also have .v v v files. I am running the old PC Tools File Recover Program in hopes of finding a file I can point the RakhniDecryptor to. Any suggestions?
FrankRon - 4 years ago
Hi,
First time posting, and of course its an unfortunate reality that brings me here. My (somewhat elderly) parents seem to have found themselves victims of this new variant of the TeslaCrypt virus. Lots of files on their computer now have the .vvv extension, and there are text files all over the place indicating how to recover that data.
Since it seems that the only way to retrieve the data is to pay for the private keys (at this point), my question is this: does it make sense to wait a bit to see if anyone out there with more skillz than I can find the command and control centers to try to recover this stuff? Or should we just pay the darned ransom?
I tried the Shadow Volume approach, but of course they hadnt set up a System Restore point, and Ive tried the PhotoRec data recovery, and although it found a few files, it was nothing compared to the 1000s of .vvv files on their disk.
I did find a suspicious-looking registry entry under HKEY_CURRENT_USER\Software called 255D6BAA1EFE3FE0. It has a binary blob in it called data. Could this be a key of some sort? If so, how could I use it to start cleaning up?
Any helpful hints are very much appreciated!
Thanks!
Lawrence Abrams - 4 years ago
I sent you a PM.
blinderix - 4 years ago
Hello,
I have been infected too and all files are .vvv
Tried some decryptor from kaspersky but, doesnt even start. CoinVaultDecrypter on Kaspersky site is with a password. :(
Any help?
Thank you!
PaschPP - 4 years ago
Hi,
we are also infected. Many Office Documens are renamed and encrypted to .vvv.
We did all what the internet does offers.
But we dont want to pay 500$, anyone a idea?
eddyerpel - 4 years ago
Hi.
I have an infected computer containig .vvv files.
I posted some days ago in the forum BleepingComputer.com → Security → Virus, Trojan, Spyware, and Malware Removal Logs.
As the malware is already removed and I want to restore the encrypted files, I agreed with the Malwere Response Instructor to close that topic.
A detailed description of my situation can be found here:
https://www.bleepingcomputer.com/forums/t/598262/teslacrypt-v8-infection-possible-private-key/#entry3880650
Using shadowcopy, I found a key in appdata/microsoft/crypto/machine keys.
In the registry, I found a reg-key, named like the bitcoin-address, containig 328 Byte of data.
Is there a chance to get the data back?
Thank you!
Kutho - 4 years ago
I had the same problem, the virus encrypted almost 26000 files. It also deleted my shadow copies. Just looking around if there is any guru with decrypting solution.
Lawrence Abrams - 4 years ago
According to one of the moderators of the kaspersky forums, you may have some luck by purchasing a license of kaspersky and opening a trouble ticket. No guarantees.
StevenEsqTwoBC - 4 years ago
Yep, me too. Got the vvv variant. This thing is malicious. Ive tried everything so far and no luck. Fortunately, I have most of my important stuff on DropBox but there is still considerable material destroyed that I didnt manage to move yet. Any hope?
Also, is there any possibility of tracking down these pirates in some fashion. Im not a hacker but I assume there are people who if so inclined could do it for pay. Id like to know who is responsible for this crime.
HuMoer - 4 years ago
Customer of mine was infected as well by this today. +10000 files were infected on the server share. I found the infected PC and shut it down, and that stopped the infection of more files. Virus came in via an invoice mail, with a .zip file attached. PC was protected bij AV SW. Fortunately we have VSS (Previous versions) enabled on the share. This allowed me to recover all files: developed a script that uses the Microsoft 2003 reskit volrest.exe progam). This is my 1st post here... I dont know the rules...
Lawrence Abrams - 4 years ago
Do me a favor and pm me a link to it so I can review it before you post it. Gotta be safe these days :)
zanderman11 - 4 years ago
Great. I just got the bug on my whole backup HD - for the last 15 years. So if any of you guys have the decryption process for all files, I´d be thankful.
VirusD - 4 years ago
My friend was also hit with this *.vvv file ransomware and contacted me about it. I was able to stop it from spreading too far, but what damage was done is done. I have the original .js injector and the .exe that does the encrypting. I also obtained several before and after files of multiple file types and the recovery text file that appears to obtain part of the encryption key.
Would this be of any use?
Can anyone help?
Thank you.
vilhavekktesla - 4 years ago
Hi, you could PM Grinler on this issue. I think the computer I was connected to had the JS on 28 November, then the encryption phase several hours the 1. December. MSE (Essentials) detected the virus on 3. December. I could find traces on the computer a 73.exe in IE-cache and a JS-file in Firefox-cache. I imaged the entire Harddrive and restored backup. Life must go on for now. Do you have something similar. And for Grinler. This seems to be a serious issue. Do you plan to set up a service one forum post maybe maybe where you could receive samples, instructions on the thema?. If you do you could post a link in the article, so you have one point of contact. Just state strict rules what you want and how you want it. A PM on specific issues is a good idea.
walterman90 - 4 years ago
Please I need help, all my files now have the extension .vvv and not to do, Ive checked everything on the internet and I can not solve it, I need to recover files!
Cuko - 4 years ago
I was hit with the TeslaCrypt too.
Ive the recovery_file with the recovery key, can I do something with it? Is there any solution for the problem? I really need some of my files back. I have no backups or shadow files. Please help.
JennBing - 4 years ago
Okay there has to be something coming out that can fix this? Is that wishful thinking because a $500 ransom is crazy! I am sick of wasting time on this, but I need some honest straight up advice. There is not fix for the Tesla Crypt .vvv (unless you want to pay the money which there to is no guarantee will fix your files either) Correct? Honestly is there still nothing out there to fix has anyone had any success getting this off their computers?
VirusD - 4 years ago
My friend decided to bite the bullet and pay the ransom as the files affected were work related and she could not wait for a solution to surface. The decryptor file along with the supplied key worked. All files have returned to their original state and she is now performing proper backups. The *.vvv files were left behind and will have to be removed manually.
To anyone interested in this case, particularly admins, I have sample files for before and after, the injector .js file, the original encryptor, a collection of two very suspicious registry entries, the decryptor file, and finally the decryption key.
PM me if you want to investigate the files AT YOUR OWN RISK.
I would like to help the community and not see it fall further into despair.
goosea - 4 years ago
Hi,
can you share with us the private key so we can decrypt our infect files
thanks
G.
VirusD - 4 years ago
PM me if you want the test files and key, but please realize that the key would not work for you. It would instead be used for research. Do with it what you will at your own risk.
Just PM me if youre still interested.
siemensturbo1 - 4 years ago
Hi Virus d
Where i get these files , please
alejandrorm - 4 years ago
Hi goose can i send u a file what ever file only with the ext .vvv?
tabrez - 4 years ago
Hi VirusD,
Did your friend decrypt all the files successfully?
Cheers
VirusD - 4 years ago
Yes, I did the whole procedure for her. All files were restored.
Molasar - 4 years ago
PM sent.
Thanks.
RickCP - 4 years ago
Hi Grinler:
FWIW, I thought you may wish to correct a typo on the articles title: TeslaCrypt instead of Telsa... ;)
ashishom - 4 years ago
Hi
I also get Teslacrypt attack and got all file encrypt with extension .vvv kindly help to solve this issue asap.I can send file to test to decrypt.
siemensturbo1 - 4 years ago
Hi
Where i get these files , please
mattchis - 4 years ago
I would like to test with the files you have as well.
tomasdlc - 4 years ago
Did VirusD solution worked?
VirusD - 4 years ago
For those of who you that have PMed me and for those of you who are still looking for a solution, please note that the files I submitted ARE FOR RESEARCH PURPOSES ONLY.
WITHOUT YOUR OWN UNIQUE KEY DECRYPTION KEY, THE DECRYPTOR WILL NOT WORK.
I am by no means sending you data that will fix your issue. Please understand this and choose your wording more carefully.
Good luck to you all.
Mobs - 4 years ago
It appears that TeslaCrypt virus deletes the originals and leaves an encrypted copy behind. It may be possible to retrieve the files using a file digger. My system has been infected and I am trying to see if that could actually work. MalwareByte picked up a trojan and more than 1500 infected files. I had to remove them all. Now running a bitdefender full scan to check if any Malware or virus is left behind.
monitorapc - 4 years ago
> I did find a suspicious-looking registry entry under HKEY_CURRENT_USER\Software called 255D6BAA1EFE3FE0.
Is this something usefull? I have similar entry (C3F3...) called data and some binary.
Also found another weird entry (1Q1F1...) and inside is key named 0 and contains REG_SZ that starts with Gdyn=KISd0...
vilhavekktesla - 4 years ago
Why do you find it suspect.. Does this key differ that much from other keys? I have computers that I assume ... I know are not infected and I have several UID-keys like that. IId really would like to have a regedit-regfile decoder to deciffer all the UID inside the registry, that would make it little easier to find the few keys that are suspicious. Thanks for sharing the key, I will certainly see If I can find the same on infected computers.
monitorapc - 4 years ago
On two other computers I dont have such keys. Registry in same location contains some _sane_ keys like Adobe, Google, Avast, Malwarebytes etc. Like names of random software producers, not some weird alphanumeric entry.
vilhavekktesla - 4 years ago
Hi, thanks for the answer. I too react on such keys, unfortunately there are way to many such keys even on a helathy computer. I know Antimalware programs like MBAM can dechiffer such keys, but is difficult for a user. On one of my computers Im monitoring the registry from day to day (I need to choose keys carefully) and there a several legit changes, so I stopped regarding strange keys long time ago. However if the keys are on a suspicious place I do react. like run, services run etc. Just check your of uninstall key to get an idea. Since you do mention this key, I will try to look on it when I have the infected harddrive available (possibly this December / January) And I will confirm if I find it. Thanks for the info.
ChrisMer - 4 years ago
Weve been hit a few times by this one.
Little harm done since we have good backups (specialized backup server).
I have investigated. Im not sure, but it seems the virus comes in (at least) two mails. One with a zip file attached, containing a javascript, and another with a url (not necessarily in that order)
They do not come together. One is received one day, the other days (or more) later.
url is never the same. zip file name and malware in it seems to change too. One is identified by McAfee as JS/Downloader.gen.aj, another as JS/Nemucod.aj
But the subject seems to always be a date and hour (for example 8/11/2015 1:25:05 AM or 11/22/2015 3:51:58 AM).
The virus itself is an exe file in C:\users\\AppData\Roaming. There again McAfee identifies with different names: Generic.xb or Artemis!DAxxxx (sorry I dont recall the number).
Hope that helps.
goosea - 4 years ago
hi,
if you need help, send me an encrypt vvv file and I will decode it.
goose
we are legion
l4cky - 4 years ago
Hi Goosea,
how do I send my files to you? which files do you need?
vilhavekktesla - 4 years ago
Hi Goose or Goosea. Would you care to explain how you decrypt the files?
siemensturbo1 - 4 years ago
Hi Gooseea
On Sunday I will have files to send to you
goosea - 4 years ago
Sure,
call me goose ;)
I will decrypt your files
alejandrorm - 4 years ago
Hi goose can i send u a file what ever file only with the ext .vvv?
suzubird - 4 years ago
Hi
i have 100000 file are infected with this virus and all of them have been vvv extension
i need a help to recover my files :(
i removed the virus but files are encrypted now
roberto96 - 4 years ago
thanks to goosea i decrypt my file!
suzubird - 4 years ago
Hi,
i want also decrypt my files goosea
how can ?
Motobecs - 4 years ago
Does someone have a issue to decrypt my file? Goose . Can i send you file ?
vireczek - 4 years ago
If I may suggest. @Goose - as you are the only one now who can help. Could you share how to do it by our selves, so we can spread this cure and also help others? I would like to use your help, but sending and decripting like 10GB of files seems like a lot of work, so maybe (?) it is possible to share the cure? If for some reasons not - please let me where to send you the files and If you can really help?
Goose - 4 years ago
hi,
you can send me only a file, then I try to find the key, if its ok I send you an exe to decrypt all your files by yourself
Bluishday - 4 years ago
Goose! I just send you a message. Thank u!
suzubird - 4 years ago
hi goose
how can we can a send one file to you? and which file type can i send to u ?
grateful to ur cooperative
Lawrence Abrams - 4 years ago
Goose, I suggest you just send them instructions on how to use tesladecoder instead to lock and load the key rather than sending another executable. I know I personally wouldnt run an exe from someone I didnt know.
Goose - 4 years ago
Hi,
Its not tesla decoder, for the moment its only my pc with cryptho lib. Some of you sent me infect file at goose@free.fr then I try to decode them if its ok I sent a personalize exe in order to decrypt the files. If you dontt want to run an exe I will send you the crypt key but I dont know if you can use it ...
suzubird - 4 years ago
Goose , I sent file
thx alot
vilhavekktesla - 4 years ago
goose, I suggest you send Grinler some info on the method with PM and not on this forum. He could be a help for you both to distribute the solution and maybe other issues too. As Grinler says unless we are desperate we do not want to run any exe-files :) Cant be too paranoid, sorry. I do appreciate what you are doing by the way. I assume one of the smaples you got was from viru sd and that you found a way to open the data and decrypt. I do not have an environment available which I concider safe enough at the moment so I have not tried to open infected files yet.
An normal virus is ok, but a program that could be launched without telling ad start encrypting files. Im thinking of running such things on Linux or even Linux live CD to see how things are. I think I can find a program to load a Windows registry hive from the files in a safe manner, and if I find anything I can send you the retrieved keys or something. Right now this is a steep learning curve and in November this was not my December plans :)
Lawrence Abrams - 4 years ago
I know the method and have pmed many people on what to do. If anyone wants to know they should send me a message and I will be happy to explain.
In fact the link to the method was already posted in one of the comments.
Zeenia - 4 years ago
I am a teacher and I desperately need my important data and lectures get back in normal from this .vvv extension. Please help me out in this regard. Ill be extremely grateful.
DaliPiero - 4 years ago
Please how I can send you an example of my file encrypted (.vvv)?
Motobecs - 4 years ago
Thanks for help ! I just sent you a message .
hasamy - 4 years ago
Hi Goose
i sent you a message but how can i do to send you a file ?
thanks a lot
siemensturbo1 - 4 years ago
Hi goose
How can you send files please?
thanks
VeronikaBilkova - 4 years ago
The same problem here. I have managed to remove the virus through SpyHunter but the files (all my files) seem to be lost.
Some of you mention how ugly this is. Actually, it is not solely ugly, it is criminal. I am going to file a criminal complaint against an unknown perpetrator (that is the official title) and submit it to the police tomorrow, as the destruction of data together with extortion clearly is a criminal offence under the law of my country (Czech Republic).
I encourage all of you to do the same in your respective countries. Internet criminality knows no borders and those responsible for this crime can only be caught if police forces of several countries are involved. And if we want to stop this, we should do more than just discussing the issue here.
vilhavekktesla - 4 years ago
Hi, I certeinly agree with you.
I am also going to file a formal complaint to both the Autority and the Police.
I have tried to get in contact with the Police to discuss this issue in technical terms, but no luck yet. I plan to continue the effort in January. By the way there was a big razzia in several European cities and places last week. The news papers says hackers, but Im not sure how informed the journalists are at the moment. It was the case from 2013 all over the world that got me to this site in the first place :)
suzubird - 4 years ago
hi goose
how can we can a send one file to you? and which file type can i send to u ?
grateful to ur cooperative
Lawrence Abrams - 4 years ago
Sent whoever posted a comment a PM with instructions.
Flazh93 - 4 years ago
Hey pls send me the instruction.
Amnasr56 - 4 years ago
Hello . Can u help me to decode my files from .vvv
JimmyIMMORTAL - 4 years ago
Im facing the same problem, wondering if theres any self guides to decrypt the files. Cheers.
hadizeid - 4 years ago
Hi Goose
i am facing the same issue. where can i send you the files?
Goose - 4 years ago
Sorry for the delay,
I need to improve the code, I dont forget you.
Im testing a new version with the files you sent me (some can be decode now, other still not)
keep in touch
G.
hadizeid - 4 years ago
Where can we send you files?
Thanks
dmnoor - 4 years ago
goose, I need your help to decrypt my files
I send encrypted file, please give me your decrypter
very very thank you...
great job goose...
zilion - 4 years ago
Helle all !
We also have been infected with .vvv extension ...
Someone have find the solution to decrypt files ?
Thanks for help !
Regards
hasamy - 4 years ago
hello everybody to recover your keys install a software of recuperation of data and look for in relation to the date of attack two files: tmp* the first contains the certificate and the second contains the private key.
good luck
hasamy - 4 years ago
after to decrypter... ? I didnt succeed in making it with TeslaDecrypter.exe nor with TeslaCrak.py. private key encoded ?
DieBaasMan - 4 years ago
Hi Goose.
I have sent you an email with encrypted jpg (.vvv) .
Can you please assist as my dear old parents managed to get infected by this and they dont have money to pay that absurd ransom.
Regards
daroul - 4 years ago
Hi Gosse
Can u help me to decode my files from .vvv .
If yes where can i send you the files?
Regards
Motobecs - 4 years ago
Big thanks to Goose ! It worked perfectly !!!
alejandrorm - 4 years ago
Goose, is the MAN!!!!!!!!!
zilion - 4 years ago
hi all,
someone have find a solution to decrypt files please ?!
Thx
wacobraco - 4 years ago
Hi Goose. Would be eternally grateful if you could help me too. Where can i send you files please?
jluu - 4 years ago
Please note that the procedure outlined here: https://github.com/Googulator/TeslaCrack
works for recovering files with the .vvv variant of teslacrypt.
Youll need to install python 2.7, pycrypto and yafu
DieBaasMan - 4 years ago
Removed comment. Dont want to give hackers any info that might assist them in upgrading their virus.
Would just love to get my parents photos decrypted. Can anyone send me instructions via PM.
jluu - 4 years ago
Do you mean that some pigs should be more equal than others ? For the good of us all of course.
NightbirD - 4 years ago
...it seems quite hard to do..., ive downloaded & installed the programs, but..., the guides that ive found are really cryptic writed for most of common users.., i really need help, ive lost everything. My system is Windows 7 Ultimate x64. Thank a lot in advance.
CraigWiggins - 4 years ago
Ive been following the procedure you outline. As you said, msieve is very slow- even on a dedicated machine. After almost 20 hours, Im at 9565 relations out of more than 300k. I was trying to use factmsieve.py. But the script runs with no output and no error and ends in just a second or two. I suspect that is not what should happen. :) Im willing to wait out msieve.exe (on Windows, obviously), but if I can speed up the process, that would be fantastic too. Hope you or someone can offer some advice. Still happy to have a solution in the works, even if I have to wait.
Lawrence Abrams - 4 years ago
Personally, I prefer yafu. Runs much faster and can utilize each of the hyperthreaded processors on your computer using the -threads argument
CraigWiggins - 4 years ago
I probably would too, but Im new to all of these tools, so still sorting out how to even get yafu to do what I need. I understand in principle what is going on, but Im like all thumbs with the tools.
rocker1984 - 4 years ago
I run teslacrack.py (double click) with a PDF file in the folder but the black window closes quickly. I assume I dont have to edit any PY file. Pleaseeeeeeee helpppppppppppppppppppp! = )
rocker1984 - 4 years ago
I got a KEY! For someone newbie like me go to Start Menu/Python/IDLE Python GUI , then open teslacrack.py then run and Run module. Now I must run yafu but I dont know how to do this: msieve -v -e 0x 309B68E5CFB656197DFED98A29F429279E6E8F41E0BEE2E2B12A384830B8851BCDC910BCCC422CE31B3C05AC4404800C32153ECD871DA574A04E3C441C47666E
NightbirD - 4 years ago
Hi, im lost in darknessssss!, if youre newbie ive just not borned yet!!!!! Would you like to share the steps youve done to arrive at this point? The problem is that i cant even run properly the teslacrack, the cmd window just close inmediatelly after executed. I understand the secrecy in order to avoid those tesla criminals from develope more agressive codes, but ive lost all my files & this just ruined all my work. I dont know where to find a real step by step procedure, this programming universe is very cryptic. Thx a lot in advance to anyone that could help. & forgive my absolute ignorance.
rocker1984 - 4 years ago
This are my newbie steps in windows 7, I hope can help someone, I couldt decrypt my file = (
*download teslacrack https://github.com/Googulator/TeslaCrack and copy only the files to c:\tesla
*Download yafu here http://sourceforge.net/projects/yafu/ and copy files to same folder
*copy one pdf file in same folder and rename to file so Its... file.pdf.vvv
*download and install python here https://www.python.org/downloads/release/python-2711/ click on Windows x86-64 MSI installer
*go to c:\ then tesla and right click on teslacrack and edit with IDLE
*go to run----run module
Cannot decrypt ./file.pdf.vvv, unknown key
Software has encountered the following unknown AES keys, please crack them first using msieve:
309B68E5CFB656197DFED98A29F429279E6E8F41E0BEE2E2B12A384830B8851BCDC910BCCC422CE31B3C05AC4404800C32153ECD871DA574A04E3C441C47666E found in ./file.pdf.vvv
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use them with TeslaDecoder:
A389E43973580803F9423874E9759CA9C3BE42F57703D65F31A65DFBBB8A3727456ED6AE817065F884AB1EA202D9E0A7590AF0BAD4DE1B066EBA4DB650E7DA71 found in ./file.pdf.vvv
*copy the key after using msieve: xxxxxxxx in my case 309B68E5CFB656197DFED98A29F429279E6E8F41E0BEE2E2B12A384830B8851BCDC910BCCC422CE31B3C05AC4404800C32153ECD871DA574A04E3C441C47666E
*go to mypc--- c:\---tesla and run yafu-win32 or x64, right click on title---properties---and click on quick edition mode
*copy in memory the key and write in yafu factor(0x and then right click so key is pasted. Close with an ) without any space.
*after 10 seconds.....10 seconds??? it give me (select and right click to copy):
P1 = 2
P2 = 47
P3 = 487
P4 = 5119
P4 = 5171
P4 = 7307
P7 = 1555033
P14 = 36629693335843
P22 = 3770793876753716853457
P22 = 6536247666175416083969
P20 = 79691269352915940479
P23 = 17489578496932654679051
P33 = 146939104699501292198851444432439
*go to Start menu, search for cmd
*right click on title---properties---and click on quick edition mode
*write c:\tesla\unfactor.py c:\tesla\file.pdf.vvv leave an space at the end and copy your factors 2 47 487 5119 5171 7307 1555033 36629693335843 3770793876753716853457 79691269352915940479 6536247666175416083969 17489578496932654679051 146939104699501292198851444432439 and hit enter
*result: Candidate AES private key: b\x9d\x9b\xc7\x44\x78\xc0\x09\x94\x90\x63\x28\xb8\x94\x8b\xfc\x52\x4e\xc9\x06\x29\xeb\x1a\x52\xa1\xc8\x7b\x7a\x16\x29\xca\xc8\x79 (9D9BC74478C00994906328B8948BFC524EC90629EB1A52A1C87B7A1629CAC879)
*go to c:\----tesla---right click on teslacrack.py----- edit with IDLE
*well.... so far for me....I copied the key above the others in similar format (in known_keys = ) ....its...very short....about 50%. Go to Run...Run module...ok to save and.........
Cannot decrypt ./file.pdf.vvv, unknown key bla bla blaaaa OUCH!!!
VirusD - 4 years ago
It sounds like you didnt include the public and private key in teslacrack.py.
If you public key is 309B68E5CFB656197DFED98A29F429279E6E8F41E0BEE2E2B12A384830B8851BCDC910BCCC422CE31B3C05AC4404800C32153ECD871DA574A04E3C441C47666E
And if your private key is
b\x9d\x9b\xc7\x44\x78\xc0\x09\x94\x90\x63\x28\xb8\x94\x8b\xfc\x52\x4e\xc9\x06\x29\xeb\x1a\x52\xa1\xc8\x7b\x7a\x16\x29\xca\xc8\x79 (9D9BC74478C00994906328B8948BFC524EC90629EB1A52A1C87B7A1629CAC879)
Then your appended entry in teslacrack.py should be as follows:
309B68E5CFB656197DFED98A29F429279E6E8F41E0BEE2E2B12A384830B8851BCDC910BCCC422CE31B3C05AC4404800C32153ECD871DA574A04E3C441C47666E: b\x9d\x9b\xc7\x44\x78\xc0\x09\x94\x90\x63\x28\xb8\x94\x8b\xfc\x52\x4e\xc9\x06\x29\xeb\x1a\x52\xa1\xc8\x7b\x7a\x16\x29\xca\xc8\x79,
VirusD - 4 years ago
Also, these forum postings appear to remove apostrophes. Insert them where necessary in order to match the other entries.
VirusD - 4 years ago
Before running your script on all of c:, try it out on a specific folder first because going back and deleting incorrectly decrypted files can be a nightmare.
To try the script on a directory, just run the command teslacrack.py c:\somespecificdirectory
Goose - 4 years ago
ouch,
this code is good, it should work. Remove the header checker its useless.
Also a generic extension will be better.
Msieve not good enough, Yafu is better.
hope hacker wont see this post bcause a new version of tesla will rise, and will be more difficult to kill.
suzubird - 4 years ago
Gratefully to Goose
many many many many thx a lot
all my files are return to me
^_^ ^_^ ^____________________________^
My Allah bless you Goose and bright ur life
beria - 4 years ago
Can you please help me too? Im desparate.. those files that are left encrypted after deleting the virus itself are way valuable..
thanks
lukazz - 4 years ago
Goose I need your help!!
Ive sent an email with one file infected. Could you do something?
Thank you very much man!!! You are great!
manholas - 4 years ago
Im files with all encrypt ext .VVV what can I do to resolve the situation? I need your help
suzubird - 4 years ago
Gratefully to Goose
many many many many thx a lot
all my files are return to me
^_^ ^_^ ^____________________________^
My Allah bless you Goose and bright ur life
manholas - 4 years ago
Very, very ,very thanks for the Goose.
Goose a president
Goose we need your help.
daroul - 4 years ago
Hi Goose
please i need help also, what schould i doo.
deserg - 4 years ago
Solution from Goose working to me as well! Many thanks.
Wish you a merriest Christmas ever.
My PC was infected with latest version of the virus (v8) with encryption RSA-4096 and .vvv files as result.
daroul - 4 years ago
Hi all,
can someone please help me to decrypt .vvv files
manholas - 4 years ago
@Goose send you an email (goose@free.fr) with an encrypted file .vvv
Really need your help.
My email : soccerpedro....
Thanks for your help
Coati069 - 4 years ago
Hi @Goose,
Ive just sent you an email with an encrypted file too.
Thank you so much for your help ! You are my last hope
Merci ! :-)
beria - 4 years ago
Anyone have a decryption tool? I really need your help.. all my files are changed to .vvv ironically on the day I was going to back them up :///
nabook1 - 4 years ago
Goose send you an email (goose@free.fr) with an encrypted file .vvv
Really need your help.
My email : nabook1....
thank you for all
hza2010 - 4 years ago
how did you guys recover the .vvv files.. plz somebody help. My system is also infected and i want to recover my files.
jluu - 4 years ago
I will publish the program once I have written it and proven its worth on my files, a few days likely.
hasamy - 4 years ago
Goose you are the best !!!
T es le meilleur ! n ayant pas peur des mots !
Mille mercis !!!
Matiasmai - 4 years ago
Hi, Goose, i send an email to you, with the infected file, one of the 250000 of my entire life infected.... i hope you can help me... thanks anyway....
DieBaasMan - 4 years ago
Thanks to jluu and goose.
I managed to unlock my parents photos
I dont want to go into much info on how its done, on a public page.
Since I just followed instructions and dont want to give the hackers any information that can assist them in making their virus stronger.
Thanks you guys are heroes.
beria - 4 years ago
Please help me too :// I really have to have those files that got encrypted
lukazz - 4 years ago
Hi DieBaasMan... Could you help please? I have the same problem.
Thanks!!
manholas - 4 years ago
DieBaasMan I need your help.
PeterTheF0x - 4 years ago
Hi DieBaasMan, where did you find the instructions to decrypt your files ? Thanks for your help.
wacobraco - 4 years ago
Hi Goose.
I was wondering if you could possibly help me out too - my computer was infected with the .vvv strain of this virus and i have until the 27th before the ransom goes up to $1000 - i cant even afford the $500... :(
If you are able to help me i would be more than happy to donate to you as thanks for your hard work.
I tried your email address but it doesnt work.
Mayara - 4 years ago
Hi all, im desperate, can someone please help me to decrypt .vvv files with encryption RSA-4096 on my fathers pc. The computer has been cleaned with an antivirus.
Merci davance....
hza2010 - 4 years ago
DieBaasMan plz share with me how you got your files recovered. can u send me a private msg?
Goose - 4 years ago
Hi,
Im trying to help all of you, but its really hard as a lot of people are infected.
You can use this tuto to decrypt your files : https://github.com/Googulator/TeslaCrack
Googulator made a wonderfull job in his tuto.
Im still working on a decrypt tool, because I have issue with mine (some files are decrypt in less a minute, some never...). Now Its christmas and I have to leave. I wont be very responsive this followings days.
merry christmas and happy new year to all.
Best wishes.
G.
PeterTheF0x - 4 years ago
Hi Goose,
Ive send a mail to you last night , but today with the page youve mentioned I was capable to decrypt all important file some other files are still encrypted, so Im now running the process again to find the new keys. they are looking stronger.
Does anyone know if we can share the key we have already found ?
Lawrence Abrams - 4 years ago
Keys are unique to your computer. No need to share.
DaliPiero - 4 years ago
Please how I can send you (@Groose) an attached fine with an example of my encrypted file (.vvv)?
Lawrence Abrams - 4 years ago
I appreciate anyone trying to help, but any comments where people attempt to charge for decrypting the VVV files will be deleted automatically. The link to the decryption instructions have already been posted on this page and are freely available to everyone.
There is also no need to create new executables for decrypting the files. Just follow the instructions and use unfactor-ecdsa.py at the end to retrieve a key that can be used in TeslaDecoder.
Johnss87 - 4 years ago
I just decrypted all my files in Windows 7 with the key the Goose sent me!
Goose you the best thanks again!
khiriel - 4 years ago
Hello,
First many thanks to help us.
im a french user and i follow the googulator tutoriel but in the sept 4 i have an error with the doctype HTML when i run teslacrack.py.
Someone has the same problem.
Thanks for your help
jluu - 4 years ago
Hello,
First many thanks to help us.
im a french user and i follow the googulator tutoriel but in the sept 4 i have an error with the doctype HTML when i run teslacrack.py.
Someone has the same problem.
Thanks for your help
Need more details on the problem, pls copy what you see on screen.
khiriel - 4 years ago
C:\Teslacrack>python teslacrack.py
File teslacrack.py, line 5
<!DOCTYPE html>
^
SyntaxError: invalid syntax
its the error on command prompt !
Thanks to help me !
jluu - 4 years ago
You did not do a good download of the script, when you do issue command
type teslacrack.py
first line should be
# TeslaCrypt cracker
rocker1984 - 4 years ago
After a loooooooot of google I got a key! Now how can I use yafu to do this step msieve -v -e 0x309B68E5CFB656197DFED98A29F429279E6E8F41E0BEE2E2B12A384830B8851BCDC910BCCC422CE31B3C05AC4404800C32153ECD871DA574A04E3C441C47666E
VirusD - 4 years ago
From command prompt, browse to the location of msieve and use your added parameters there. You dont need to use Yafu.
khiriel - 4 years ago
Thanks,
im sorry for this ridiculous question.
Have a good day
khiriel - 4 years ago
i have this error when i launch the teslacrack.py :
Cannot access ./config/systemprofile/AppData/Local/Microsoft/Windows/INetCache/Content.IE5
i have access denied to :
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
i have Windows 10 64 bits and i am an administrator.
I launch command prompt in administrator.
i dont understand why i have not full access ...
manholas - 4 years ago
@Goose you are the BEST
Now, really, GOOSE for president
Thanks for your help, it work perfectly.
I and my son thank you and we wish you a Merry Christmas. Thank you for your work
nabook1 - 4 years ago
hi GOOSE You forgot me ??
Goose - 4 years ago
Sorry, send me your file by email
Thks
g.
nabook1 - 4 years ago
תרגם
.I Have been sent to you 2 days ago
What is your e-mail I will send back ..
linjun85 - 4 years ago
Hi Goose, I have sent you a email. Could you send me a .exe program to help me decrypt my files which infected with .vvv extension.
manholas - 4 years ago
@DieBaasMan Thank you for your cooperation .I and my son we appreciate your gesture, a happy Christmas. Thank you.
-------------------------------------- +++++++ ------------------------------
I take the time to thank BleepingComputer and the whole structure of this space. Thanks for everything.
To all a Merry Christmas
Bluishday - 4 years ago
Hi Goose! Im a little desperate right now :(, few days ago I sent an encrypted PDF file and hope you can help me. Thank u a lot for this.
Johnss87 - 4 years ago
I have Teslacrypt encrypted .doc.vvv and unencrypted .doc of the same exact file if that can help anyone trying to figure this out?
n99coca - 4 years ago
Hi Goose,
Please help me, my hard disk all file auto changed to vvv file type. Can you help me to encrypt. Thanks
DexMike - 4 years ago
Hi, question: Im currently unencrypting my files. following Googlenators tutorial, I configured the magic number to work with JPEGs, does this mean that I need to repeat all steps for each type of file? Or when Im unencrypting is it going to unencrypt all of my files?
Goose - 4 years ago
No, as soon you have the key from one file, you can decode all your files
Ingleburt - 4 years ago
No, as soon you have the key from one file, you can decode all your files
How do I get the Key for one file?
hasamy - 4 years ago
in file head infected the second key 128 caracters
like this : 085B43E8BB797455E7F279AC620D9C4B7B41C34F4C9B18066DF8118F65A11D865165D556D9C894253F5F546DE4BA062EA6EFA80AD16DD7A93DE925AACD772111
if not use the teslacrack of googulator
hasamy - 4 years ago
you open the file with worpad
dmnoor - 4 years ago
Hi Goose, please help me, I have been sent file to your email (goose@free.fr) 3 days ago, can you, please, to discover my private key decrypter, thank you very much for your hard work and your help, may ALLAH bless you.
lanmi13 - 4 years ago
@DieBaasMan Thanks again for your help and explanation of googulator instructions. That was very useful for me.
Duergar - 4 years ago
Hi, I dont seem to be able to use the tutorial to resuce my files. I installed Python27, but when I install msieve152.exe it first required a missing dll. After Fixing that the installer wont start at all. All my personal photos, selfwritten rolepay-material etc. is corrupted with the .vvv-extension. Argh. (And yes, I should have been more careful with having a far from ancient backup *sigh*)
rocker1984 - 4 years ago
same problem here, thats why Im asking how to use yafu
nabook1 - 4 years ago
how i try to yafu ?? how workin what i type yafu -v -e x0 ?? my msive working 2 day but not have any key ..
please help me ... and after what i do ??
Flazh93 - 4 years ago
factor(0xyour Hex) for instance factor(0xE3A7B)
nabook1 - 4 years ago
ty flazh93
AZEEE - 4 years ago
HI ,after launching msieve how do I regconise the key ? please help
VirusD - 4 years ago
Your file has been decrypted.
Please check your PM.
hadizeid - 4 years ago
It took 2 days for the key to be generated, but finally sorted out.
finally i was capable of decrypting my files using https://github.com/Googulator/TeslaCrack
Flazh93 - 4 years ago
could anyone run msieve with that hex-string: E836ECC94557FB79A6E71D7AEA4867D688686C06503E854F6B6AEAC0CAA1B9577A6DCE5A7C1E28E5329A03E09C9353BD2BC2FEA9F1F100C7DA19DF79D972969F. i dont get the right factors using yafu. That would be great
nabook1 - 4 years ago
How long do I get the code ??
Flazh93 - 4 years ago
i dont know the procedure with Teslacrack didn´t work for me
hadizeid - 4 years ago
check out my PM
nabook1 - 4 years ago
how i put the factors on unfactor.py ?? command line ?? i need to private key ..
this is my factors from yafu
***factors found***
P1 = 2
P1 = 7
P5 = 65393
P7 = 1051559
P10 = 2692681889
P13 = 1244117519257
P119 = 8953178724446526801999913274706761026203957529272229791557097312142192140
VirusD - 4 years ago
command prompt: unfactor.py filename.of.vvv.file 2 7 65393 1051559 1051559 2692681889 1244117519257 8953178724446526801999913274706761026203957529272229791557097312142192140
nabook1 - 4 years ago
ty virusD
rocker1984 - 4 years ago
It give me syntaxix error in shell, where I must do this?
>>> python unfactor.py 2 47 487 5119 5171 7307 1555033 36629693335843 79691269352915940479 3770793876753716853457 6536247666175416083969 146939104699501292198851444432439 174895784969326546790512
SyntaxError: invalid syntax
VirusD - 4 years ago
Sorry, you need to include the path and filename in between unfactor.py and the first prime number. Like below:
unfactor.py filename.of.vvv.file 2 7 65393 1051559 1051559 2692681889 1244117519257 8953178724446526801999913274706761026203957529272229791557097312142192140
rocker1984 - 4 years ago
same error, definitly its not my thing...= (
http://oi66.tinypic.com/2mwxjl1.jpg
VirusD - 4 years ago
Run the command in Windows command prompt, not python shell.
And remove the word python.
Johnss87 - 4 years ago
Instructions for decrypting all your files in Windows 7
*** When you already have the key that Goose sent you ***
https://www.python.org/downloads/
1.) Download--> Python 2.7.11 *Dont forget to add PATH (remove last RED X) when installing.
http://www.voidspace.org.uk/python/modules.shtml
2.) Download--> PyCrypto 2.3 for 32bit Windows and Python 2.7 (.zip)
3.) https://github.com/Googulator/TeslaCrack/blob/master/teslacrack.py
[click RAW] then right click > save as > teslacrack (save it inside of the C:\Python27)
Right click > teslacrack.py click Edit with IDLE
Now add the decryption key to---> known_keys = { add it HERE
Then you can start phython command line and type---> python teslacrack.py C:\
you will see all files decrypting in the command (black) window
Done! :)
Johnss87 - 4 years ago
THANKS GOOSE YOU ARE THE BEST! :)
AZEEE - 4 years ago
p1 factor: 7
p2 factor: 11
p3 factor: 577
p4 factor: 3067
prp14 factor: 1992504724449 prp22 factor: 1245192058390898950459
c110 factor: 73312637844947155486748688438476316932766529753351342101103772615991312079719653226723580661021626773875806009
THESe ARE MY FACTOR , PLEASE CAN SOMEONE HELP ME TO WRITE THE COMMAND LINE . FILE NAME catacy.pdf.vvv
rocker1984 - 4 years ago
same problem here....
It give me syntaxix error in shell, where I must do this?
>>> python unfactor.py 2 47 487 5119 5171 7307 1555033 36629693335843 79691269352915940479 3770793876753716853457 6536247666175416083969 146939104699501292198851444432439 174895784969326546790512
SyntaxError: invalid syntax
VirusD - 4 years ago
unfactor.py catacy.pdf.vvv 7 11 577 3067 1992504724449 1245192058390898950459 73312637844947155486748688438476316932766529753351342101103772615991312079719653226723580661021626773875806009
That is assuming that your current working directory is where both unfactor.py and catacy.pdf.vvv are. Otherwise, you can use the full path.
c:\some directory\unfactor.py c:\some other directory\catacy.pdf.vvv 7 11 577 3067 1992504724449 1245192058390898950459 73312637844947155486748688438476316932766529753351342101103772615991312079719653226723580661021626773875806009
AZEEE - 4 years ago
PLEASE GOOSE , I HAVE SEND YOU A FILE, HELP ME TO FIND THE KEY PLEASE
hza2010 - 4 years ago
did any one figure out how to fix the missing pthreadgc.dll error when we run MSIEVE
VirusD - 4 years ago
Yes. I downloaded the dll from http://www.dll-files.com/dllindex/dll-files.shtml?pthreadgc2 and then placed the dll file in the same directory as MSIEVE.
Lawrence Abrams - 4 years ago
Your better off just downloading the msieve-gpu zip, which contains the pthread dll you need.
http://downloads.sourceforge.net/project/msieve/msieve/Msieve%20v1.52/msieve152_gpu.zip?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fmsieve%2Ffiles%2Fmsieve%2FMsieve%2520v1.52%2F&ts=1451059994&use_mirror=skylineservers
callak - 4 years ago
Joy, my mother who is visiting for Christmas got my entire network infected trying to watch videos off the internet. .vvv extention
Luckily, I shut off the pc she was using after I got home from work, but still the other 2 computers Ive got connected were messed up somewhat, less than 1000 files, but they mainly videos which would be difficult to replace.
I tried running Python and all that stuff, but pretty sure Im doing something wrong to fix the issues. So if anyone could help me, that would be great.
xXToffeeXx - 4 years ago
What problems are you experiencing?
Flazh93 - 4 years ago
if anyone needs help write a message
susnath - 4 years ago
Hi Goose, I have sent you the sample infected files. Could you please help me ???
adrid - 4 years ago
Thanks Goose for your help :) your tool works perfectly I was able to decrypt my full hard drive.
Merci encore pour ta précieuse aide !!!
Flazh93 - 4 years ago
could anyone pls factoring this one: 085B43E8BB797455E7F279AC620D9C4B7B41C34F4C9B18066DF8118F65A11D865165D556D9C894253F5F546DE4BA062EA6EFA80AD16DD7A93DE925AACD772111
i tried yafu and msieve but no result.
thx alot
VirusD - 4 years ago
Can you PM me a link to your vvv file?
hasamy - 4 years ago
Hello Flazh93
it works it takes at least 2 hours
c:\msieve\msieve -v -e 0xyour key
c:\yafu\yafu factor(0xyour key)
Flazh93 - 4 years ago
yeah i know how it works, i already farctorized one hexcode with success. But wehn i tried this one yafu closed after two hours without putting out the primes
hasamy - 4 years ago
is it the first or the second key in header off your file infected ?
Flazh93 - 4 years ago
second
hasamy - 4 years ago
ok it works ... 54 of 904 curves ...
hasamy - 4 years ago
for 35 digit factors
daroul - 4 years ago
Hello everyone
I run msieve 10 hours ago and completed only until now 34 of 904 curve, Can someone tell me if this is norma !!!
VirusD - 4 years ago
Normal, no. Possible, yes.
Mind PMing me a link to your vvv file?
daroul - 4 years ago
Hellp VirusD
how to do it?
VirusD - 4 years ago
You can use something like https://www.wetransfer.com/ to temporarily upload a file and send the URL to whomever you wish.
daroul - 4 years ago
Hello VirusD
I just have send to you link of my vvv file please check if you can help me.
Thnks ind advance
VirusD - 4 years ago
Decryption finished, please check your PM.
Ingleburt - 4 years ago
Decryption finished, please check your PM.
Hi VirusD. Would you share the Method for decrypting the file?
superspacecat - 4 years ago
I got this virus last week with the vvv file extensions. Would anyone be able to help me with the decryption?
Thank you!
beria - 4 years ago
Goose please help me too :)) Can I send you an e-mail? please PM me your address. I know a lot of people are asking the same but Im still waiting for your answer too.
AZEEE - 4 years ago
I have a problem when launching yaku . thr write no switch found please help
C:\Users\T-EGOKO\Desktop\yafu-1.34_3>yafu-Win32.exe -v 0x04BB7B6CF96A8C757D7E6C42D5EF876960323BD26103B819817E5E72F5F2F39D09C63BFA71BF3C443B8C4BB613DCA9DC86F70F81EB6B4D73C64F94086DCB232D
no switch detected
Flazh93 - 4 years ago
type in : factor(0x04BB7B6CF96A8C757D7E6C42D5EF876960323BD26103B819817E5E72F5F2F39D09C63BFA71BF3C443B8C4BB613DCA9DC86F70F81EB6B4D73C64F94086DCB232D)
AZEEE - 4 years ago
thanks
Molasar - 4 years ago
Goose, I have sent you a PM with a question.
DeaK87 - 4 years ago
I have the same problem like khiriel , someone can help me? what im doing wrong? i get:
File teslacrack.py, line 5
!DOCTYPE html
^
SyntaxError: invalid syntax
Edit: Problem solved, now factoring!
VirusD - 4 years ago
Use command prompt, not python shell.
hasamy - 4 years ago
anyone know where to download factmsieve ? compatible with Python 2.7 thanks
VirusD - 4 years ago
I googled it a few hours ago and tried different versions of it, but when I finally got it to work with CUDA, it was far slower at sieving. I eventually called it quits with that route.
If thats the direction youre heading towards, good luck.
Here are the two files I used:
http://www.starreloaders.com/edhall/AliWin/factmsievempi.py
https://github.com/GDSSecurity/cloud-and-control/blob/master/scripts/gengnfsjob-testharness/factmsieve.74.py
n99coca - 4 years ago
Hi hadizeid & all brothers,
please help me, after install python2.7 and teslacrack.py & unfactory.py. i dont know the procedure and how to run with Teslacrack to find the decryption key? thanks
hadizeid - 4 years ago
if you have any pdf or any affected file, share it privately and will help you
AZEEE - 4 years ago
VirusD can you write you Email so that a should send my file .please
hadizeid - 4 years ago
upload on Dropbox or we-transfer etc..., and share the link in a PM
VirusD - 4 years ago
Dropbox or WeTransfer would be preferable.
Sebi79 - 4 years ago
Hi VirusD,
can u help me too. Can i upload different type of vvv files and pm you the link?
thx,
Sebi
VirusD - 4 years ago
Sure.
VirusD - 4 years ago
Your files have been decrypted. There were two sets. Please check your PM.
n99coca - 4 years ago
del
n99coca - 4 years ago
Hi hadizeid ,
Many thanks for your support, but i dont know how to use PM function in here. Please help
susnath - 4 years ago
Click on hadizeid name ( highlighted in blue ). A new windows will open. Use the button send me a message to send PM
n99coca - 4 years ago
got it, i forget active account
thanks susnath
nabook1 - 4 years ago
who can help me ?? i uplaod now 1 pdf.vvv file please who can recive for me the private key
http://we.tl/TtI21VNs7i
hadizeid - 4 years ago
@nabook1
check your PM
GMThEMaN - 4 years ago
Hello people.
I have many files encrypted, but only one of them I need. Its an Excel file. Everything else I dont need. In fact, if I can get that Excel file decrypted, I will format my computer.
The thing is, I was trying that tutorial from https://github.com/Googulator/TeslaCrack, but I get errors, sometimes its because a .dll file is missing, or when I try to run the file teslacrack.py, a command windows opens and closes.
So is there anyone here that can decrypt my Excel file? Its just one file that I need.
VirusD - 4 years ago
Sure. If you really only care about the a single or a handful of excel files, I should be able to decrypt it for you and send it back your way. Upload the file(s) via WeTransfer or Dropbox and send me the the link in a PM.
GMThEMaN - 4 years ago
You have a PM. Many thanks for doing this for me.
VirusD - 4 years ago
Your file has been decrypted and info PMed to you.
Gwenguillaume - 4 years ago
Hi, Sorry for my English im French.
One of my friends are these files encrypted. I can decrypt 95% of files.
I could find the key in 2 hours.
5% of files are encrypted with a second key. I launched the same procedure. Yafu is running from 50 hours and not yet finish. The second key is 7C620587BD9C0E396F2FC0A5F7DBDFDFF7F2D22422B4623103174CC51D968747FDFD39F8563F2D4D36A545086F866B2C679480DBD0024CFC12031EC67BEF03AB
Is it normal that so long?
Can anyone help me please ?
Thanks.
Gwenguillaume - 4 years ago
Hi, VirusD,
Can you help me please ?
VirusD - 4 years ago
Sure, send me a link to some sample files and Ill try to help.
Gwenguillaume - 4 years ago
I have send the link in PM.
Thanks
susnath - 4 years ago
I was also having the same issue as GMThEMaN using windows 8.1 OS. With Windows 7 it worked perfectly for me. However there is a workaround for the issue. Edit the teslacrack.py with IDLE. Look for the line
def main(args):
path = .
Change the path to path = directory where you have your affected files stored
Save the file and Run the module. This should work. It worked for me.
If working, To delete the affected files in the same directory , change Delete = False to Delete = True ( this is just under known_file_magics = [\xde\xad\xbe\xef, \x00\x00\x00\x00] )
This way you can run the script directly from the editor.
VirusD - 4 years ago
Please be careful with the delete flag. If the decryption is done incorrectly and the vvv files are deleted in the process, well then... you might as well take your losses and end the recovery by decryption method.
susnath - 4 years ago
I agree with you VirusD, thats why I mentioned If working ... Its always wise to check if the decryption is happening as expected and then use the --delete switch.
susnath - 4 years ago
Anyone has a script to delete the how_recover+ybw.html and how_recover+ybw.txt files from all the folders? I am trying to search.........
VirusD - 4 years ago
In command prompt, type:
cd \
(enter)
del how_recover+ybw.* /f /s
(enter)
If you have other drives that were affected, change drive letters in command prompt first by typing d: or e: Whatever your desired drive letter is.
If you have network locations, map the network location first. Same concept.
If the encryption/infection spread from an administrator account, you could run the same list of commands, but in a command prompt in administrator mode.
hasamy - 4 years ago
Search how_recover* and ctrl A and delete
VirusD - 4 years ago
Depending on Windows settings, Windows may only display results for indexed locations if those files have been indexed at all.
susnath - 4 years ago
Thanks hasamy ... the easiest solution :)
susnath - 4 years ago
I am using powershell to do it
get-childitem D:\ -include how_recover+ybw.html,how_recover+ybw.txt -recurse | remove-item
nabook1 - 4 years ago
i have a bitcoin private key ... Can I do something with it and get the key to open the files ??
hadizeid - 4 years ago
@nabook1 did you check my PM
sorry i got a confusion in names, please ignore my comment
nabook1 - 4 years ago
sorry hadizeid
I do not understand what you are saying .. ... you can help me ??
DeaK87 - 4 years ago
Its normal that msieve takes so long? it showing in the prompt something like:
sieving in progress (press Ctrl-C to pause)
11481 relations (10168 full + 1313 combined from 589109 partial), need 306079
16 hours is the time thas is running in that stage/state,
VirusD - 4 years ago
Some of the sieving takes a few minutes and others take many hours, even days. It all depends on the generated number during initial encryption.
Using Yafu is pretty fast, but seemingly, crashes for the very large numbers. =/
DeaK87 - 4 years ago
virusD, can you PM me? its for ask you something,
VirusD - 4 years ago
I cant. Complete the activation of your account and PM me the question.
tommy313 - 4 years ago
Really doing what I can to tackle this myself, but continue to run into problems when using the Googulator instructions to find the AES Public key. Python and teslacrack.py problems galore.
Pastor at my church got hit, from an email spoofing my wifes email address of all people. I have 2 encrypted files but no bitcoin info, etc as someone already removed the actual bug. Is anyone able to review my file please? Thanks!
VirusD - 4 years ago
PM a link of the files to me and Ill try to help you.
VirusD - 4 years ago
Files decrpyted. Please check your PM.
NightbirD - 4 years ago
Hi VirusD. Ill send you 4 links of files for decrypt by PM, of course, do it if you have the time, & if you want to. Are the 4 extensions that the highjackers crypted, may be with just one could be enough for the entire restore process, i dont know. Trillon thx in advance. By the way, ive tryed the process of the coogolator web, with no success at all, is obvious that im deeply ignorant in many fields, for example, ive been reading all this thread & slowly discovered that is not the python shell, but the windows cmd shell the real tool for the command lines...., so..., a step by step guide would be greatfull. I could pay for your teaching, please do not take it bad, i believe that your time is super valuable, im not here for make you waste your time for free, or to demand nothing. Hope youre doin fine. Thx a lot.
kalmah - 4 years ago
Hi VirusD i sent you a PM hopefully you can help me, thank you a lot!
VirusD - 4 years ago
Files decrypted and teslacrack.py updated file uploaded. Check your PM.
Zeenia - 4 years ago
Virus D please help me to get my data back from .vvv extension. Thanks
Zeenia - 4 years ago
Help me
VirusD - 4 years ago
c0r3 - 4 years ago
VirusD, I wrote you a PM about being unable to get any factors for teslacrack but I wanted to also write here and say that youre doing great work! I can try to help by running YAFU/msieve or perhaps CADO-NFS on some keys as soon as Ive gotten the ones Im working on done (assuming I have everything set up correctly).
Again, great work!
c0r3 - 4 years ago
I got my key! Ill finish decrypting my friends stuff when Ive slept (its been a couple of all-nighters trying to get this going) but I can also help out if VirusD is getting swamped :)
VirusD - 4 years ago
Sounds good. c0r3 knows what he is doing, folks.
I am sure the community would not mind the additional help.
sid077 - 4 years ago
I am also a victim.
Removed all the traces and dont know how to decrypt the files.
And i found two notepad file with some Keys on it (File names: recover_file_yjfujcvag.txt ; recover_file_chhmnujrn.txt). Is there any use of this:
Content 1:
15a95DUWtxWKrcBB94XVzemqs4FG2DCRwX
46DC3715D51F3D0FC93AD90718983E345C33F4313F580FA8CC7CC11DB17D8EF8
0E2C5B18D6EE1D605A1DF8EC3A3BC3F053A1491C787E36D61B2177DCF55B469A74BFA4248D6517692CEEF3A72967AC57D96AF174033A0E2ADAD5A3F00E9F2378
10F186762A558061
97
Content 2:
15a95DUWtxWKrcBB94XVzemqs4FG2DCRwX
46DC3715D51F3D0FC93AD90718983E345C33F4313F580FA8CC7CC11DB17D8EF8
0E2C5B18D6EE1D605A1DF8EC3A3BC3F053A1491C787E36D61B2177DCF55B469A74BFA4248D6517692CEEF3A72967AC57D96AF174033A0E2ADAD5A3F00E9F2378
10F186762A558061
97
c0r3 - 4 years ago
are the encrypted files named ..vvv (like filename.pdf.vvv)? If you can share a link to a dropbox folder or similar where you put an encrypted file with a known filetype (PDF is easy) in a PM I can try to help
sid077 - 4 years ago
Sent PM.
sid077 - 4 years ago
c0r3 Actually I am unable to send PM. It seems i dont have permission to send PM.
VirusD - 4 years ago
You need to complete your account activation first.
sid077 - 4 years ago
Done! Now its working.
sid077 - 4 years ago
Sent PM!!
VirusD - 4 years ago
Your file has been decrypted and a new teslacrack.py file sent to you. Please check your PM.
Zeenia - 4 years ago
VirusD please help me to decrypt my important data that has been transformed into .vvv extension. Please help me.
hasamy - 4 years ago
Zeenia Your file has been decrypted and the line to add to teslacrack.py file sent to you.
sid077 - 4 years ago
Wow... Finally it worked!!..
98% of my files got decrytped. Excel files with more than 2MB is not working for me.
Great Job VirusD, you saved my life.
n99coca - 4 years ago
Hi hadizeid and all brothers
Thanks for your help. Now i trying to recover my file.
Would you mind to share how to generate encryption key procedures ?i want to try and help another victims . Thanks
VirusD - 4 years ago
I sent you a PM with a brief set of instructions.
n99coca - 4 years ago
Hi VirusD,
Thanks for your great help.
bebekrisss - 4 years ago
Hi VirusD,
i send you PM.
Please, can you help me?
VirusD - 4 years ago
Sure. On it.
VirusD - 4 years ago
Your files have been decrypted, please check your PM.
bebekrisss - 4 years ago
Hello VirusD,
Thank you. All my files is encrypted, without 2 very important to me.
I send him on PM.
Please for encrypt this 2 files!
You are God!
Pleaseeeeee
VirusD - 4 years ago
Done.
Check your PM for the second key.
bebekrisss - 4 years ago
Thank youuuu!
VirusD you are very very very big!
NightbirD - 4 years ago
Ive got to say that are people in this planet that really deserve much more than all we can dream, VirusD is one of those very, very few. The man helped me greatfully, incredibly & impressively through his skills & zen patience, & i don´t know what more can be said. VirusD, u tha human bro.
bryant08 - 4 years ago
With the information you provide is 4 days trying to recover my files but I can not. i upload three pdf files on wetransfer. please somebody help me
http://we.tl/XnuQJPdrAl
Already thank you everyone
c0r3 - 4 years ago
Ive got your key for the second file you shared, theres something odd about #1 and #3, Ill PM you and look into it
bryant08 - 4 years ago
c0r3 I am thankful to you.I get most of my files because of you. Thank you very much to be interested again.
pankajs - 4 years ago
New to this site, but glad to understand that someone found the solution to this .vvv files. Please, if i can also have one file decrypted.
c0r3 - 4 years ago
Put your file in a shared dropbox-folder or similar (wetransfer / Google Drive) and PM me the URL and I can take a look at it for you
pankajs - 4 years ago
Thank you, i did so
c0r3 - 4 years ago
Ive sent you a key and a modified script on PM
hasamy - 4 years ago
to help many of you to copy command prompt to the paper press .
Right-clic the dos window. then edit . Then select . mouse select and enter. then paste it into WordPad
dadou - 4 years ago
Hi,
my computer was also contaminated by a virus RSA - 4096 something like that all my files are now with .vvv extension. I tried with the teslacrack but I cant understand how to use it with pyton, if I send you files it possible to obtain the key to decrypt my others files and instruction how to do?
Thank you
c0r3 - 4 years ago
Can you share a couple of your encrypted vvv-files (for example a PDF.vvv-file) in a shared dropbox-folder or similar (wetransfer / Google Drive) and PM me or VirusD the URL
noxaxisvx - 4 years ago
Hi c0r3! Ive sent you a message containing a dropbox link of my .vvv files. If youre not too busy, can you see if they can be decrypted? Thanks a lot!
c0r3 - 4 years ago
noxaxisvx: Im on it
c0r3 - 4 years ago
Ive got your key, I sent you a PM
noxaxisvx - 4 years ago
Thank you so much!
VirusD - 4 years ago
Markfe, your files have been decrypted. Please check your PM.
NightbirD - 4 years ago
Hi Pal, i was wondering, dya sleep sometime?, are you many?, lol.., how you do it??
dadou - 4 years ago
VirusD I sent you a PM with my .vvv files can you please have a look on it when you will have time?
Thank you
VirusD - 4 years ago
Will do. Im going out right now. Ill try to help when I get back.
nabook1 - 4 years ago
Hello friends
i running msieve to bitcoin key
i have a bitcoin private key ...( 3AF0EE05FEDA7CA97.................)Can I do something with it ??
what i do now ??
pippo120 - 4 years ago
Hi nabook1,
I suggest you to use the public aes key , is it more easy to do in this way.
Hello friends
i running msieve to bitcoin key
i have a bitcoin private key ...( 3AF0EE05FEDA7CA97.................)Can I do something with it ??
what i do now ??
nabook1 - 4 years ago
hi pippo i tried publib key ....
I tried for a few days and it does not give me this
c0r3 - 4 years ago
nabook1: Ill take a look at your AES key
the bitcoin key is used differently, from what I can see that can be used with Talos TeslaDecrypt, I guess looking at that script would reveal more on how to use the BC-key there
nabook1 - 4 years ago
thanks
VirusD - 4 years ago
Your files have been decrypted. Please check your PM.
pippo120 - 4 years ago
I need some help, I used teslacrack to decrypt some files. I found two public and unfactor.py give me the correct private key.
I found a third public key for some .vvv files, but unfactor.py cannot give me the private key. I modify the magic number for jpeg format.
I found that the public key is smaller than the others. Someone could help me ?
c0r3 - 4 years ago
You need to pad the key with NULL-chars like this: ABABABABAB...BA+b\x00\x00 (quoted strings, the quotation marks get stripped here) in teslacrypt when the key is too short there but you mean unfactor and unfactor-ecdsa give no key at all?
pippo120 - 4 years ago
Hi c0r3,
the short key is the AES key from teslacrack:
Software has encountered the following unknown AES keys, please crack them first using msieve:
0107802EC44DADB6B4B377C108BF4BE4F28F8D5A6E3CE6CC442FF2902B0E2B88F4572E69F7BCED290E04441E11153E1A517BBF40B9354DD87BE036D68FA01E
This key is shorter than the first Ive found for decrypt another files: 0B6819C5F9E8516F1B53F9D04BC1E0E42AF5A59A5E10AED97AD846A2556C18ABCF847530C84657246030546DF1D163245EFC4EB2E511878185FCB61FBAD54984
The difference are two digits, if you compare the two numbers. May I pad with null-key ?
The answer of you question is yes, the unfactor.py give me no output.
---
The output of yafu:
yafu-x64 factor(0x0107802EC44DADB6B4B377C10
8BF4BE4F28F8D5A6E3CE6CC442FF2902B0E2B88F4572E69F7BCED290E04441E11153E1A517BBF40B
9354DD87BE036D68FA01E)
fac: factoring 21058124050004603018418311546536582858107999157883323782903732410
03956589415604462603725100360774004134897248440400821959750029299028102732252089
95870
fac: using pretesting plan: normal
fac: no tune info: using qs/gnfs crossover of 95 digits
div: primes less than 10000
fmt: 1000000 iterations
rho: x^2 + 3, starting 1000 iterations on C149
rho: x^2 + 2, starting 1000 iterations on C149
rho: x^2 + 2, starting 1000 iterations on C142
rho: x^2 + 1, starting 1000 iterations on C142
pm1: starting B1 = 150K, B2 = gmp-ecm default on C142
ecm: 30/30 curves on C142, B1=2K, B2=gmp-ecm default
ecm: 74/74 curves on C142, B1=11K, B2=gmp-ecm default
ecm: 214/214 curves on C142, B1=50K, B2=gmp-ecm default, ETA: 0 sec
pm1: starting B1 = 3750K, B2 = gmp-ecm default on C142
ecm: 116/430 curves on C142, B1=250K, B2=gmp-ecm default, ETA: 4.2 min
ecm: 313/313 curves on C113, B1=250K, B2=gmp-ecm default, ETA: 1 sec
pm1: starting B1 = 15M, B2 = gmp-ecm default on C113
ecm: 170/781 curves on C113, B1=1M, B2=gmp-ecm default, ETA: 23.4 min
starting SIQS on c85: 1191817131198979708656776314350875744659392763947188353734
434174800367019059732921971
==== sieving in progress (1 thread): 59872 relations needed ====
==== Press ctrl-c to abort and save state ====
59675 rels found: 19856 full + 39819 from 605197 partial, (2034.07 rels/sec)
SIQS elapsed time = 314.5452 seconds.
Total factoring time = 1025.3717 seconds
***factors found***
P1 = 2
P1 = 5
P7 = 9466381
P29 = 37325120299798727813062749491
P29 = 50006315896415979575302726007
P38 = 75296326354111835743743187328514161821
P47 = 15828356958531697406641930783028239095850947151
ans = 1
c0r3 - 4 years ago
You then need to run python unfactor.py P1 = 2 5 9466381 37325120299798727813062749491 50006315896415979575302726007 75296326354111835743743187328514161821 15828356958531697406641930783028239095850947151
Sometimes python is invoked as python2 and on windows probably in a command shell. If unfactor gives no key, try unfactor-ecsda. Alternatively share one vvv-file with me and Ill look into it and modify a script for you
pippo120 - 4 years ago
Hi c0r3,
I try to use unfactor.py but it gives no output, then I try to use unfactory-ecdsa.py, it gives the private key but when I use teslacrack with the key, it gets me uknown AES key.
I send you in PM the file .vvv., can you give me a hand ? Thanks
Googulator - 4 years ago
Should be resolved in the latest update of TeslaCrack.
Vin001 - 4 years ago
Hi all,
I need some help as my files have been infected with the .vvv virus. I have read the Googulator but I am not a techie and didnt understand any of it and dont think I can generate the required keys...
Can someone please help?
Many thanks in advance...
Vin
VirusD - 4 years ago
PM me a link to your vvv file and Ill try to help.
supastylinboi - 4 years ago
Im thankful for this thread. I was using msieve, had it running for approximately 3 days, and it still hadnt factored the number.
Yafu factored it within minutes! (using the -threads option).
Apparently yafu doesnt build on OS X, but you can run the Windows binary with wine (you must download a copy of vcomp100.dll into ~/.wine/drive_c/windows/system32/)
supastylinboi - 4 years ago
Vin001 - 4 years ago
VirusD I sent you a PM with my .vvv files can you please have a look on it when you will have time?
Thank you
VirusD - 4 years ago
Im on it.
Vin001 - 4 years ago
VirusD, Ive shared the file so you should be able to access it now...thanks.
VirusD - 4 years ago
Your file has been decrypted. Please check your PM.
JJosep - 4 years ago
Dear all,
I have been also effected as part of this attack.
I have uploading 2 files with .vvv to the my google drive. Could you please let me know to whom can i share this with ? Or should i post it here
Thank you in advance
Mikka72 - 4 years ago
Could someone please give an example how to run yafu with threads switch
VirusD - 4 years ago
Edit the yafu.ini file found in the same directory.
Mikka72 - 4 years ago
Thank you VirusD. Im still getting stucked on Step5 in Googulator instructions. So it would be great if you get my keys faster than me.
Thank to you and to your mates , helping us at this issue
Here are again my sample .vvv files
http://we.tl/MI2PzwcN5z
VirusD - 4 years ago
Your file has been decrypted. Please check your PM.
JJosep - 4 years ago
VirusD, Ive shared the file to you,,,please help......thank you..
VirusD - 4 years ago
Sure thing. Im off to bed now and other keys are still processing. Ill start with yours tomorrow morning.
JJosep - 4 years ago
thank your feedback on this VirusD....
JJosep - 4 years ago
Good Morning VirusD,
Any luck or additional information please !
Are you able to decrypt the files and provide the updated teslacrack.py with the key included please ?
Thank you !
JJosep - 4 years ago
VirusD, any luck ? Were you able to decrypt the file ? Please feedback.
Files already shared via PM
c0r3 - 4 years ago
Not sure if anyone has started on your key - Im giving it a go right now (pausing a long-running key as yours look like quite short work)
VirusD - 4 years ago
I didnt start on this one yet. Hes on my #3 queue.
c0r3 - 4 years ago
jjosep: Sent you a PM with your key and a modified decrypting script.
JJosep - 4 years ago
@c0r3, thanks for your help to work on this and I was able to encrypt the .vvv files.
@ VirusD, thanks for sharing the task responsibility among you and c0r3.
JJosep - 4 years ago
How to avoid this kinds of attacks going forward ?? Is you suggest a specific anti virus name ? That would take of this ?? Please advise VirusD & c0r3
VirusD - 4 years ago
I tested this with three AVs.
Microsofts built in Windows Defender did nothing.
Avira Free worked just fine.
F-Secure worked just fine as well, but doesnt have a free option.
JJosep - 4 years ago
Thank you VirusD..
Once my system is restarted, I get the RSA-4096 message opened in Google Chrome browser on every restart, could you please advise to how this message could removed if possible ?
However all my files those were decrypted was encrypted back !
VirusD - 4 years ago
That comes from usually two files in the Startup folder in your start menu. You can remove them manually.
nowa44 - 4 years ago
Hi,
My PC was infected with TeslaCrypt with RSA-4096 encryption and now have 1000s of .vvv
encrypted files. Tried to follow for hours the excellent Googulators tutorial, but cant. Wish
to find out my own unique decryption key. I have just uploaded to WeTransfer four (small)
PDF.vvv sample files.
Can someone please help so I can get my original files back?
hasamy - 4 years ago
hi nowa pm pdf infected ill try to help
nowa44 - 4 years ago
Thanks hasamy, pm sent
Your kind help is much appreciated.
hasamy - 4 years ago
on it.
i provide you the private key. you can use teslacrack to decrypt all your files ?
nowa44 - 4 years ago
Thank you - for working on my private key. Not that technical to use teslacrack
and bit confused. Please can you help with detail instructions (or point to a guide)
that once I have my private key, how to decrypt all my .vvv files ?
hasamy - 4 years ago
Nowa you need python 2.7 from : https://www.python.org/downloads/
pcrypto 2.6 for python 2.7 from : http://www.voidspace.org.uk/python/modules.shtml
and teslacrack.py from : https://github.com/googulator/teslacrack
all of this in the same directory
msieve and unfactor is only to crack public key
nowa44 - 4 years ago
I am on Win7 x64 and have long time Python v3.4.3 (x64) installed, do I need to uninstall
and replace it with v2.7 ? or can have both on same system?
Got now the pcrypto 2.6 for python 2.7
Any luck with my decrypt key?
hasamy - 4 years ago
yes you can hv both on same system.
first you install python 2.7 and second pcrypto compatible whit it.
itl detect it autmatically
hasamy - 4 years ago
it works hard ... i need some hours.
my computer is not the fastest. snif :-(
hasamy - 4 years ago
i pm you instruction for teslacrack good luck !
nowa44 - 4 years ago
Thank you very much for the private key!
Not confident, not sure which lines to edit (or retain) in Googulator teslacrack.
Could you please pm me with link to telsacrack that have my private key inserted,
with only lines needed, so I can paste it to cmd and execute the teslacrack?
Be so grateful, cause if make bad mistake, I may not recover .vvv files.
rainbowx - 4 years ago
Hello!
Im bloked on the Public key factorization ...
I tried with msieve and yafu but not possible ...
If one people can help me and factorize this key please :
04C7769C7E18DCE0BB741527AF653B8C3F69A29216A71ED3B1EE1C0F16A6C1ECCD6191D8778D7642154A85C4768B78E0DAFE0C2AE60FE061016152590C41B6DF
Tanks people , and sorry for my bad english , im French.
c0r3 - 4 years ago
Its easier to take a stab at it using one encrypted file so that I can check if its a bug in the scripts. PM me an URL and Ill take a look at it
VirusD - 4 years ago
Factoring complete. Please check your PM.
dmnoor - 4 years ago
VirusD I sent you a PM with my .vvv files can you please help me? Thanks a lot for time and your help.
VirusD - 4 years ago
Your files have been decrypted. Please check your PM.
dmnoor - 4 years ago
Thank you very much VirusD...
hasamy - 4 years ago
so among you there is some that have GeForce 8000. we can help you to help us. msieve in cuda is a lot faster.
this part takes 98% of all the treatment!
diegolija - 4 years ago
Hi VirusD. Ive sent you a PM with one of my .vvv files. Could you please have a look at it when you have a moment in order to get the key? (I will give a try with teslacrack after this). Many thanks and happy new year!
VirusD - 4 years ago
Your file has been decrypted. Please check your PM.
diegolija - 4 years ago
It worked 100%. You are a genius!
jjorge - 4 years ago
Hi, I am other guy with the Tesla of the hell .vvv run free for all my computer.
I have found the AES key but msieve and YAFU doesn t work for me.
2D99FC642504A72374285D92F97B45C1064E2DFEAB1829F8DF2EB429A320A04FD505677C557204F4838E0C4C6268496FDC297C334C7A45C4C83FD89BC7EBEBC4
I am not computer programer...,so can somebody help me and factor my key or explain me how to use factor software YAFU in good working order, for solve it ?
I am wish your appreciated help, guys.
jjorge - 4 years ago
*GOOSE* * YOU ARE THE BEST *,
KEY WORKS PERFECTLY.
OH MY GOOD,.... * THANK YOU SO MUCH *
Saj77 - 4 years ago
Hello all,
I have Same problem .vvv files
VirusD - 4 years ago
Your file has been decrypted. Please check your PM.
theniceguy7 - 4 years ago
@Goose I have send you an email (goose@free.fr) with an encrypted file .vvv
Really need your help.
My email : sharanraj....
Thanks for your help
rmxprzemo - 4 years ago
Hi ! Im totally dissapointed with this problem. I tried with Googulator guide but Ive got lot of errors. Can anyone help me with it ? Sorry for my English. https://drive.google.com/open?id=0B9nVW5RgCs1FWWE1ODJvZ19IcUE - encrypted file here
MartinBello - 4 years ago
ALL STEPS
C:\tesla\work>teslacrack.py
Cannot decrypt ./f1bawelna.JPEG.vvv, unknown key
Software has encountered the following unknown AES keys, please crack them first using msieve:
0564E9A5908D3334DC915D544840A737B578478D94EC7D3A315E9B682AAD646FF503961F3439958EF01B8F690CB4EDD74BEE86306BDDD79DB69135244E39DDA0 found in ./f1bawelna.JPEG.vvv
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use them with TeslaDecoder:
046C1636315B1A7138F426C5EC1BEE8C60E8675347D27A3915BB1110CFF5B61E4B11DF78DD1DBD3A972A5A5B2B87CE60AB5B9F7F5783B2B5702C9269C5ADAD93 found in ./f1bawelna.JPEG.vvv
C:\tesla\work>
C:\tesla\yafu-1.34>yafu-x64.exe factor(0x0564E9A5908D3334DC915D544840A737B578478D94EC7D3A315E9B682AAD646FF503961F3439958EF01B8F690CB4EDD74BEE86306BDDD79DB69135244E39DDA0) -threads 16
fac: factoring 282516662839791782784552758144887563039144265382467040718348332519328791317191462485579813786491232946030746027997704743429912997068788112366876376030624
fac: using pretesting plan: normal
fac: using tune info for qs/gnfs crossover
div: primes less than 10000
fmt: 1000000 iterations
rho: x^2 + 3, starting 1000 iterations on C145
rho: x^2 + 2, starting 1000 iterations on C145
rho: x^2 + 2, starting 1000 iterations on C141
rho: x^2 + 1, starting 1000 iterations on C141
pm1: starting B1 = 150K, B2 = gmp-ecm default on C141
ecm: 0/30 curves on C121, B1=2K, B2=gmp-ecm default
ecm: 1/29 curves on C111, B1=2K, B2=gmp-ecm default
ecm: 27/27 curves on C99, B1=2K, B2=gmp-ecm default
ecm: 27/74 curves on C99, B1=11K, B2=gmp-ecm default
ecm: 46/46 curves on C82, B1=11K, B2=gmp-ecm default
ecm: 208/208 curves on C82, B1=50K, B2=gmp-ecm default, ETA: 1 sec
starting SIQS on c82: 7840762748777215607721374731509629005234424336803152085207315332268963084313619931
==== sieving in progress (16 threads): 53984 relations needed ====
==== Press ctrl-c to abort and save state ====
54361 rels found: 22742 full + 31619 from 392821 partial, (5077.02 rels/sec)
SIQS elapsed time = 87.5357 seconds.
fac: factoring 38540728579929176771
fac: using pretesting plan: normal
fac: no tune info: using qs/gnfs crossover of 95 digits
div: primes less than 10000
fmt: 1000000 iterations
rho: x^2 + 3, starting 1000 iterations on C20
rho: x^2 + 2, starting 1000 iterations on C20
rho: x^2 + 1, starting 1000 iterations on C20
pm1: starting B1 = 150K, B2 = gmp-ecm default on C20
ecm: 1/30 curves on C20, B1=2K, B2=gmp-ecm default
Total factoring time = 0.0721 seconds
Total factoring time = 105.1809 seconds
***factors found***
P1 = 2
P1 = 2
P1 = 2
P1 = 2
P1 = 2
P1 = 7
P2 = 11
P2 = 13
P2 = 29
P2 = 53
P5 = 20521
P11 = 42837269113
P12 = 476167898771
P17 = 45365687860734167
P39 = 276184103512052925401823726752955453581
P44 = 28389623620879532597838531740901875998073351
P9 = 205839527
P12 = 187236771973
ans = 1
C:\tesla\yafu-1.34>
C:\tesla\work>unfactor.py f1bawelna.JPEG.vvv 2 2 2 2 2 7 11 13 29 53 20521 42837269113 476167898771 45365687860734167 276184103512052925401823726752955453581 28389623620879532597838531740901875998073351 205839527 187236771973
C:\tesla\work>unfactor-ecdsa.py f1bawelna.JPEG.vvv 2 2 2 2 2 7 11 13 29 53 20521 42837269113 476167898771 45365687860734167 276184103512052925401823726752955453581 28389623620879532597838531740901875998073351 205839527 187236771973
Found AES private key: b\x27\x11\x01\xbd\xe1\x21\x63\x71\x18\x70\x8d\x0c\x91\xf6\xbd\x36\xd2\x05\xed\x70\xfc\x0b\xa3\xdf\x85\x37\x65\x7d\xcf\x1b\xed\x45 (271101BDE121637118708D0C91F6BD36D205ED70FC0BA3DF8537657DCF1BED45)
Edit teslacrack.py, and add your public and private AES keys to the known_keys array.
0564E9A5908D3334DC915D544840A737B578478D94EC7D3A315E9B682AAD646FF503961F3439958EF01B8F690CB4EDD74BEE86306BDDD79DB69135244E39DDA0: b\x27\x11\x01\xbd\xe1\x21\x63\x71\x18\x70\x8d\x0c\x91\xf6\xbd\x36\xd2\x05\xed\x70\xfc\x0b\xa3\xdf\x85\x37\x65\x7d\xcf\x1b\xed\x45,
C:\tesla\work>teslacrack.py
Decrypting ./f1bawelna.JPEG.vvv
C:\tesla\work>
supastylinboi - 4 years ago
This didnt work for me. I used Yafu to factor my public key, but when I used it with unfactor-ecdsa.py (with a PDF file) it complained that I should check my factors
theniceguy7 - 4 years ago
@VirusD I have send you an PM with a link to encrypted file .vvv
Really need your help to decrypt the files.
Thanks for your help
theniceguy7 - 4 years ago
Hi all,
I need help help
link to encrypted file .vvv
https://www.mediafire.com/?j1d0ptttarvh6fd
Thanks for your help
VirusD - 4 years ago
t0m, your file has been decrypted. Please check your PM.
Mikka72 - 4 years ago
Another 5 points go to VirusD for his excellent aid !!!
Thanks a lot dude.
walterman90 - 4 years ago
hello, anyone can help, I have the same problem, encrypted files with extension .vvv
In the Windows registry the virus has left me some information including I think this would be the key:
3ACE177E1D84172F9DF711BD569AE8C5B5C6F7FB681148853E39762AAF4CF8D02640FE389E2127FC0E8E449811C62F86E8D0C7C7A834867D20AF9ED5ED0F7A64
Please I need your help. Thank you.
VirusD - 4 years ago
Please send me a PM with a link to the encrypted file and Ill try to help you.
walterman90 - 4 years ago
Please send me a PM with a link to the encrypted file and Ill try to help you.
ok, I have already sent
VirusD - 4 years ago
Your files have been decrypted. Please check your PM.
walterman90 - 4 years ago
I am very grateful for your help, thank you for providing your knowledge, you are a great person.
egartin - 4 years ago
Hello, One of our workstations has several files with the .vvv extension. It is also on one of our server shares. Can someone please help?
I tried following the directions at: https://github.com/Googulator/TeslaCrack
When I get to this step: pip install http://www.voidspace.org.uk/python/pycrypto-2.6.1/pycrypto-2.6.1-cp27-none-win_amd64.whl
I get this error, pycrypto-2.6.1-cp27-none-win_amd64.whl is not a supported wheel on this platform.
I tried this command line, pip install http://www.voidspace.org.uk/python/pycrypto-2.6.1/pycrypto-2.6.1-cp27-none-win32.whl.asc
I received this error, Cannot unpack file c:\windows\temp\pip-qxmaru-unpack\pycrypto-2.6.1-cp27-none-win32.whl.asc (downloaded from c:\windows\temp\pip-dnsuyb-build, content-type: a
pplication/pgp-signature); cannot detect archive format
Cannot determine archive format of c:\windows\temp\pip-dnsuyb-build
Any help would be greatly appreciated.
jjorge - 4 years ago
Hi, I had the same problem at start, only you need to install modules for the platform needed. Other words, your versión python installed is 32bit, you need uninstall and found python 64bit for those modules.
VirusD - 4 years ago
I used these already compiled binary installation files:
http://www.voidspace.org.uk/downloads/pycrypto26/pycrypto-2.6.win32-py2.7.exe (32-bit)
http://www.voidspace.org.uk/downloads/pycrypto26/pycrypto-2.6.win-amd64-py2.7.exe (64-bit)
Googulator - 4 years ago
If possible, install a 64-bit Python environment. Its possible to use 32-bit, but it will be much slower (AES benefits a lot from 64-bit).
VirusD - 4 years ago
Yes, it would, but for this instance virtually all of the processing isnt done with Python at all. Its done with the factoring tools. I wouldnt worry about the architecture of Python you use.
ITJuggler - 4 years ago
Im trying to follow the instructions from https://github.com/Googulator/TeslaCrack but step 2 stops with the following error:
C:\Python27>easy_install pip
easy_install is not recognized as an internal or external command,
operable program or batch file.
It appears that pip is already included in 2.7.11 and that Python on Windows requires the syntax python -m pip install blahblah.
decryptservices - 4 years ago
Im trying to follow the instructions from https://github.com/Googulator/TeslaCrack but step 2 stops with the following error:
C:\Python27>easy_install pip
easy_install is not recognized as an internal or external command,
operable program or batch file.
It appears that pip is already included in 2.7.11 and that Python on Windows requires the syntax python -m pip install blahblah.
You must include python in PATH environment variable
decryptservices - 4 years ago
You can send me one of your decrypted files for help also.
ITJuggler - 4 years ago
I sent you a PM. Thanks for the offer!
Bukan - 4 years ago
I have 2 computers with .vvv files, using the googulator /teslacrack i could get my factor numbers but using the unfactor.py dont show any keys. Anyone can help me please? maybe I can send a .vvv file to somebody?
Thanks for advance.
VirusD - 4 years ago
Send me a PM with a link to both of those files and Ill take a look at it.
Bukan - 4 years ago
did it, and waiting your reply....thanks
VirusD - 4 years ago
Your file has been decrypted. Please check your PM.
decryptservices - 4 years ago
You can send them to me , but i can check them tomorrow morning. Family time tonight.
c0r3 - 4 years ago
We should open a bug tracker or something to assign the workload, Im never sure if someones already working on a key already or not. Im currently doing >30hrs on a key Im not sure has been completed or not due to vague comments :(
VirusD - 4 years ago
True. Ive been handling it by PM dialog. If it is just out in the open, then I would prefer not to process due to possible redundancy. =/
Raphed6301 - 4 years ago
Hi any one please help me this file https://drive.google.com/a/skyfreight.com.ph/file/d/0Bzfu8CBBStGCc2RIRHdfQ0k2SWM/view?usp=sharing.
Any assistance would be greatly appreciated. thank you
VirusD - 4 years ago
Im on it.
VirusD - 4 years ago
Your file has been decrypted. Please check your PM.
Arebas - 4 years ago
I have also been hit with this horrific virus and I am so pleased to have found all your messages cause I was feelingso hopeless! May I contact you Goose or VirusD for help too? Ive read all the instructions youve been giving to try and figure this out on my own but I am not really sure of what Id be doing through the process. May I PM either of you? Thank you in advance, youre true computer heroes- or heroines cause one never knows.
hvmotwani - 4 years ago
Hi, I have also been affected with many .vvv files on my Windows 7. One pdf.vvv file is uploaded at http://we.tl/b7o5dmMdCR
Please could someone generate the key decrypter. Using the key, I will give a try with teslacrack to decrypt the remaining .vvv files. Many thanks and happy new year!
c0r3 - 4 years ago
Im on it
c0r3 - 4 years ago
New record: Total factoring time = 2.1450 seconds
I sent you a PM with your key and a custom decrypting script
hvmotwani - 4 years ago
Many many thanks c0r3!!!! With your help I have managed to decrypt my affected files.. Thank you once again and thanks also to the other members who are helping.. Cheers!
airmr - 4 years ago
Hi Guys,
the pc from my mother in law got infected. I tried a few tools like googulators how to but couldnt get the programm running. Grinler, Goose is there any way one of you could help me with that? Thnx in advance
Cheers
c0r3 - 4 years ago
have you sent someone an URL where you share some encrypted files by PM?
egartin - 4 years ago
I have uploaded a couple of files too. I would greatly appreciate the help.
https://drive.google.com/folderview?id=0BzI10P0zh4kPVGk1WjE2ZnhDWWM&usp=sharing
c0r3 - 4 years ago
Im on it
c0r3 - 4 years ago
Youve got a PM with your key and custom decryption script
egartin - 4 years ago
At the end I receive this error:
Software has encountered the following unknown AES keys, please crack them first
using msieve:
144A63E098E73E7B939E76A7D0F863269EA64D212BE56BC003E581A0F5EBD0BA49DFCFD22CBC96AC
86FE7119AD2524C1698250D0B9F71BCD8E8601ACF6899591 found in c:\1\/Desktop/00000006
.pdf.vvv
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use
them with TeslaDecoder:
0F364329FE9F841573464E645E62A72F42C8561F7F46E67AA66DF6F4100C12CF83C561653509C282
581A7F70F61C25B742E1B3AD0D150748508A0C49490B33E8 found in c:\1\/Desktop/00000006
.pdf.vvv
LaUrAlOl - 4 years ago
Hi cOr3,
I ve uploaded two of my many encrypted files (http://we.tl/20yicP1M2j).
Im a photographer and have lost my last two jobs (at least 500 pics) and Im desperate!
Can you help desencrypting those two and guide me if possible to see if I can recover the others? You re my last hope. Many thanks for anyhting you can do!
c0r3 - 4 years ago
Ill get on it
c0r3 - 4 years ago
Those files are not encrypted by TeslaCrypt 2.2.20 (v8) or v9! Youve got something else on your hands :(
Googulator - 4 years ago
Yup, thats Cryptowall 4.0
LaUrAlOl - 4 years ago
This is the message they sent me:
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem).... etc.
Any help or suggestion? I found it very similar...
c0r3 - 4 years ago
You probably have another (older) version, Ill look into it. Be careful with what you do on your system as you might have the key stored already
ITJuggler - 4 years ago
I have uploaded an encrypted file to https://drive.google.com/open?id=0BzgHnW4U7tqaTzlGVVZ2SFNWaUE. Any assistance would be greatly appreciated.
c0r3 - 4 years ago
I will take a look
ITJuggler - 4 years ago
Thanks!
c0r3 - 4 years ago
Your key is done, Ill send it and a custom script shortly by PM
ITJuggler - 4 years ago
Thank you so much. This is a real life saving service you people are providing. I sent a follow up PM with more info. The provided key is decrypting many files now but cannot decrypt all.
theniceguy7 - 4 years ago
@c0r3, i have sent u a PM
Please help
c0r3 - 4 years ago
Im on it
c0r3 - 4 years ago
theniceguy7: VirusD is already working on your key - youre in good hands :)
theniceguy7 - 4 years ago
ok. Thanks.
@VirusD please help me..
VirusD - 4 years ago
Yup. On it. Im also bringing an additional 5 computers online to help handle the load.
VirusD - 4 years ago
Your files have been decrypted. Please check your PM.
LaUrAlOl - 4 years ago
Thanks for the advise c0r3. Let me know if you find anything about this version.
c0r3 - 4 years ago
All I can see is that the files share a common header byte sequence:
99 9a d5 35 aa a6 e0 f9 fe c6 a6 85 f1 8f ac 8f
It might be the real CryptoWall (TeslaCrypt just says it is CryptoWall but is a different kind of cryptovirus). Im not that familiar with it to know what your options are :(
Googulator - 4 years ago
Looks like TeslaCrypt v0.3.7. Use TeslaDecoder to get your key.dat or storage.bin file. It might be able to decrypt based on that alone - if not, use the Save key file option, and PM the result to me.
decryptservices - 4 years ago
@egartin. Decrypted your test files. Check your pm.
c0r3 - 4 years ago
I did his key already :/
decryptservices - 4 years ago
damn. lost time
c0r3 - 4 years ago
I sent you a PM with keys Ive done and what keys Im working on, PM VirusD for his list too. We do need some sort of assignment tracker but I havent had time to search for a good one (Im trying to get the assembler code in ggnfs-lasieve4 to compile).
VirusD - 4 years ago
LoL.
VirusD - 4 years ago
I find it funny that all of these computers Im using to decrypt files feels similar to bitcoin mining. As if it couldnt already be any more closely related to the situation.
decryptservices - 4 years ago
@VIrusD: Did you decrypt ITJuggler key? he sent me a pdf, (skystar something) with pm, and i decrypted it. You need the key?
VirusD - 4 years ago
c0r3 said ITJuggler needed three keys decrypted and that two are on his queue. Im not sure if he started it or not.
decryptservices - 4 years ago
ok. if i can help somehow just pm me. Ill be here for about 2-3 more hours
VirusD - 4 years ago
ITJugglers multi key issue should just be resolved by one person. Ill leave it up to c0r3.
ITJuggler - 4 years ago
I apologize for the duplicate PM, VirusD. I was anxious to see if this solution would work because were running out of time before the criminals say they will delete the private key making the files irretrievable and since we intended to pay the ransom if this effort had been unsuccessful I jumped the gun a bit. I should have sent a follow-up PM to let you know c0r3 had it but I didnt realize that I would cause duplicated effort. Sorry about that.
c0r3 was able to decrypt 1 key but when I ran the customized teslacrack.py it found 2 more keys. I shall endeavor to keep my impatience under control. grin :)
Thank you all for your incredible work on this. I hate that I had to go through this but it has certainly been a learning experience.
ITJuggler - 4 years ago
All our files have been successfully decrypted now. Thanks, everyone for all your hard work and helpfulness. And serious kudos to Googlulator for figuring all this out!!
c0d3, it has been a real pleasure. Thank you so much!!
JKL06 - 4 years ago
Hi all,
I need some help as my files have been infected with the .vvv virus.
Can someone please help?
Many thanks in advance...
VirusD - 4 years ago
PM me a link to a sample file and Ill try to help.
theniceguy7 - 4 years ago
Thanks to @VIrusD
He saved my life by decrypting all my files..
JKL06 - 4 years ago
@VirusD sent you a link Thanks again
VirusD - 4 years ago
Your file has been decrypted. Please check your PM.
Intra - 4 years ago
Hi VirusD,
my private key is
0B347DCDFACC7094A7C45C4BCF5F088879B0413CBBFC2D4AFB4804D558BBB59F68BA93FD6E24CC42464C46D9486F8999A691A2A426AA00D915287D66A4BF100E
Would you mind helping me please ?
VirusD - 4 years ago
Factoring complete. Please check your PM.
Elmut - 4 years ago
Hello,
I tried to do it by myself but when I reach the Yafu/msieve step, I got time-out kind of errors... Did it 3 times those days and still not working.
I got my private key : 7EE2C1D846BCE90E84ECF282371AE05A75FB2D3B8A9F3BB267531364AC903FD92F8ECCAE8065DC34D24E697359BC389FC2B2E3D317E9A1EC91907C7B434DAE94
And here is the a pdf file encrypted :
https://drive.google.com/file/d/0B2MS0SG0bXI0T05ibFpIRDMzbHhpWHdvMG9NLS1VX3lUSDBJ
Would you mind helping me please ? I would really need that decrypted key so I can keep decrypting all my files...
Thanks a lot !
decryptservices - 4 years ago
Hello,
I tried to do it by myself but when I reach the Yafu/msieve step, I got time-out kind of errors... Did it 3 times those days and still not working.
I got my private key : 7EE2C1D846BCE90E84ECF282371AE05A75FB2D3B8A9F3BB267531364AC903FD92F8ECCAE8065DC34D24E697359BC389FC2B2E3D317E9A1EC91907C7B434DAE94
And here is the a pdf file encrypted :
https://drive.google.com/file/d/0B2MS0SG0bXI0T05ibFpIRDMzbHhpWHdvMG9NLS1VX3lUSDBJ
Would you mind helping me please ? I would really need that decrypted key so I can keep decrypting all my files...
Thanks a lot !
Start working on your files.
Elmut - 4 years ago
Thanks @decryptservices , I hope you will be more successful than me :D
Arebas - 4 years ago
@VirusD Ive sent you a PM. Hope you can save me or Ive lost my work.
c0r3 - 4 years ago
I sent you a PM with key and script
JKL06 - 4 years ago
Thanks to @Virus D
Life saver
NightbirD - 4 years ago
Hi to everyone!
As many of you i was saved by the crew of decrypters, in my own case the savior was VirusD. I dream of an executable able to run the different steps of the whole decrypting process by a minimum user/admin intervention (the eventual owner of the messed data), so ive started to research all as i can In order to get an approaching to this so hardly possible compilation. I confess; im an honest & ignorant monkey tryin to build a warpspeed-spaceship with bananas...., so please dont expect nothing, at least in a long time... But i need your help to keep on the way, i would like to get from any of you different sort of files crypted for experiment on. If any of you would like to colaborate please send me links by PM to download crypted files, will be a valuable help. If someday i realize something minimally good ill share it inmediatly. Thx in advance, & hugs 4e1.
vilhavekktesla - 4 years ago
Hi, send me a message.
doof1412 - 4 years ago
Hi @Virus I have also sent you a PM in the hope that you could help me, fingers and toes crossed that you can!
hvmotwani - 4 years ago
Many many thanks c0r3!!!! With your help I have managed to decrypt my affected files.. Thank you once again and thanks also to the other members who are helping.. Cheers!
airmr - 4 years ago
Hi c0r3,
i cant write any PMs. It says i dont have the rights to use this function.
Here is a file:
https://drive.google.com/folderview?id=0Bw0aZKwa-oqsQW9PMkVHLUhOM2M&usp=sharing
c0r3 - 4 years ago
Ok, Im on it
airmr - 4 years ago
Great thnx a ton
c0r3 - 4 years ago
airmir: please complete your registration! I have your key and a decryption script
(The member airmr can not use the messaging system)
nabook1 - 4 years ago
Mate the msieve is now running for more than 40 hrs and looks like it will take 100 more hours atleast. May be my computer is slow
sieving in progress (press Ctrl-C to pause)
353 relations (353 full + 0 combined from 24107 partial), need 884096
who can help me ?? maybe more fast computer or fast msieve ...
97FDDF09668CBF8B67C157F7736BE401886F20E8B55E4156683F602D3E1B4FF194590275BEAC59E31C6A2D4299EF0846A09A16021D7AD43D501D3C41D59CF968
airmr - 4 years ago
I have completed it... i cant find any thing in my profile where i can complete anything or any hint that my account isnt registered right....
I will register with a different name and try if i can PM you.
Airmr2nd - 4 years ago
c0r3,
I send a PM to you.
c0r3 - 4 years ago
Sent you a PM with key and script
doof1412 - 4 years ago
Hi @c0r3 I have sent the file to @VirusD already not that long ago, but if you are available to help me I would much appreciate it, I have tried for hours cracking this myself but am coming up short :(
If you or anyone else is available please let me know and I will share the files via a PM.
Thanks
khiriel - 4 years ago
Hy,
i advanced but now i have a probleme with decrypted files :
i have :
Step 4 :
Cannot decrypt ./certificat Kline.pdf.vvv, unknown key
Software has encountered the following unknown AES keys, please crack them first using msieve:
0B1FA614755A7755605BFD7AFC85456B77372CA980A5C1415415E2C31717B048C7573DAFC3031F4E1DCF0E1F3BFBD28E7FE4C3C926D02EA064FCEAC377A13C64 found in ./certificat Kline.pdf.vvv
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use them with TeslaDecoder:
399432EB8E27A2BADE689C9A98663A2B05EAB5D591A235177EFAE094BB7D3A0ABE468D4EDEA5289071C64A8A2CFB482A5ABB0A1BC3EA07D98E55223AC1E958BE found in ./certificat Kline.pdf.vvv
Then Step 5 :
recovered 18 nontrivial dependencies
p1 factor: 2
p1 factor: 2
p1 factor: 3
p1 factor: 7
p4 factor: 1999
p4 factor: 8389
p8 factor: 16380521
p10 factor: 2357514541
p10 factor: 4161550049
prp11 factor: 56364749251
prp20 factor: 21343691401616982137
prp32 factor: 18946609916808121132788494770231
prp57 factor: 112905774656103159039672838767567092353873653673806148223
elapsed time 00:53:11
Step 6 :
C:\Python27\Teslacrack>python unfactor.py certificat Kline.pdf.vvv 2 2 3 7 1999 8389 16380521 2357514541 4161550049 56364749251 21343691401616982137 18946609916808121132788494770231 112905774656103159039672838767567092353873653673806148223
Candidate AES private key: b\x26\x2d\x88\x75\x7c\xc2\x47\x26\x64\x97\xc3\xa6\x0c\xf8\x83\x1a\xf0\x4a\x21\x9f\xc3\x76\x78\xfe\x08\x3c\x10\x4d\x7c\xe3\x52\xd2 (262D88757CC247266497C3A60CF8831AF04A219FC37678FE083C104D7CE352D2)
Candidate AES private key: b\x26\x2d\x88\x75\x7c\xc2\x47\x26\x64\x97\xc3\xa6\x0c\xf8\x83\x1a\xf0\x4a\x21\x9f\xc3\x76\x78\xfe\x08\x3c\x10\x4d\x7c\xe3\x52\xd2 (262D88757CC247266497C3A60CF8831AF04A219FC37678FE083C104D7CE352D2)
I modify the teslacrack.py but it cannot to decrypt my files.
If you can help me, im a french user, sorry for my language.
Many Thanks
My vvv files :
https://drive.google.com/folderview?id=0BwrH--OwguaYdVBybWFkUVg5cGs&usp=sharing
c0r3 - 4 years ago
your key is correct and works on your example. I can PM the script I just edited to use your key.
khiriel - 4 years ago
Really thanks, a bad copy of my keys.
Good job, this site and this guys are wonderful !!
supastylinboi - 4 years ago
I have a similar issue to this guy. unpack-ecdsa.py says to check my factors.
I used Yafu >> factor(0xhex_key)
elpigeondindo - 4 years ago
Hi if someone cna help me. i try to decrypt my file but without success.
I put a file here https://drive.google.com/folderview?id=0B_b0A-_R0dLubXUtVTY5TU5Cc28&usp=sharing if someone can give me some help.
if you can give me the key to decrypt the other file.
Thx
VirusD - 4 years ago
@Nir255, Your file has been decrypted. Please check your PM.
Zeglaude - 4 years ago
Hello,
For three days, my computer trying unsuccessfully to find a private key to decrypt my infected files.
If someone has a faster machine than mine, can it help me?
Here is an encrypted file : https://drive.google.com/open?id=0B2675WDbcp7nUTh5MHdsWnNsR1E
A big thank you in advance (and sorry for my english, its not my native language ...)
VirusD - 4 years ago
@bibi32
@idir76
Your files/keys have been decrypted. Please check your PMs.
supastylinboi - 4 years ago
plz help...
I used teslacrack.py
Software has encountered the following unknown AES keys, please crack them first using msieve:
46465A1055C22D75B09961C84D1BBADAF3C9F59B3A1FDEFBD48D807EF473C15EE958703E650D8271DDD8BFE2EF1859D1146B5E3137E781D458BE99A68C271C46 found in [redacted_file_path]
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use them with TeslaDecoder:
B8D1D7C552D7CE2D73C7AA3ACFD2FA61DE29DC22F3758AC31DAD2105A4F28AC594DEBE8C4E7FD11E3454A75FAF497884276C252AC0E4559623D89A6EEACEA234 found in [redacted_file_path]
I used Yafu to factor 0x46465A1055C22D75B09961C84D1BBADAF3C9F59B3A1FDEFBD48D807EF473C15EE958703E650D8271DDD8BFE2EF1859D1146B5E3137E781D458BE99A68C271C46
Got the following primes:
***factors found***
P58 = 1029140231592002527407437053489643265386543621150999949871
P56 = 23758071619396841451988637461328523260452480617691369273
ans = 1
>>
unfactor-ecdsa.py complains that it could not find any keys and to check factors:
python unfactor-ecdsa.py ../[redacted_filename].txt.vvv 23758071619396841451988637461328523260452480617691369273 1029140231592002527407437053489643265386543621150999949871
No keys found, check your factors!
VirusD - 4 years ago
There should be more factors than that. It appears that you paused it and resumed it. So you could fish through your factors.log file for the other factors/primes.
supastylinboi - 4 years ago
tried those too and the same result. Yafu/Wine did pop up an error in the middle of the processing. When I closed it, yafu resumed the factoring (on its own)
12/28/15 18:56:40 v1.34.5 @ REDACTED, prp6 = 209497
12/28/15 18:56:40 v1.34.5 @ REDACTED, prp17 = 17743476602509187
12/28/15 18:56:41 v1.34.5 @ REDACTED, prp15 = 342509682617051 (curve 25 stg1 B1=2000 sigma=96672452 thread=0)
12/29/15 04:51:05 v1.34.5 @ REDACTED, prp58 = 1029140231592002527407437053489643265386543621150999949871
12/29/15 04:51:05 v1.34.5 @ REDACTED, prp56 = 23758071619396841451988637461328523260452480617691369273
VirusD - 4 years ago
Yes, the prp values are correct.
Also look for entries like this:
div: found prime factor = 2
div: found prime factor = 2
div: found prime factor = 11
div: found prime factor = 967
As long as they are part of the same session, you will need all of them.
supastylinboi - 4 years ago
Thanks! that was it. (1907)
VirusD - 4 years ago
@khiriel Your file has been decrypted. Please check your PM.
Intra - 4 years ago
Hi VirusD,
my private key is
0B347DCDFACC7094A7C45C4BCF5F088879B0413CBBFC2D4AFB4804D558BBB59F68BA93FD6E24CC42464C46D9486F8999A691A2A426AA00D915287D66A4BF100E
Would you mind helping me please ?
VirusD - 4 years ago
Im on it.
c0r3 - 4 years ago
The (non-spoken) agreement is not to accept payment for the work done here but I think it might be a good idea to point out that the tools we use we got for free thanks to the work of the Googulator and I think it would be a nice gesture if those who really want to contribute by payment to do so using the donation links at the bottom of Googulators page: https://github.com/googulator/teslacrack
Arebas - 4 years ago
The bitcoin donation link is not working ;)
VirusD - 4 years ago
@doof1412
Your files have been decrypted. Please check your PM.
ravitc - 4 years ago
@VirusD I send you the file pdf but the name is in THAI. I tried the step but could not really figure out where to start
here is the pdf in my dropbox
https://dl.dropboxusercontent.com/u/10579901/%E0%B9%80%E0%B8%AA%E0%B8%B5%E0%B8%A2%E0%B8%A0%E0%B8%B2%E0%B8%A9%E0%B8%B557.pdf.vvv
Please guide me.
thanks
VirusD - 4 years ago
Im working on it now.
ravitc - 4 years ago
Thank you so much...
ravitc - 4 years ago
Any news...? Thanks for your helping.I use windows 7...if you could send me instruction on how to...will be really helpful to people out here..as they dont speak english. I have installed all the related program..so that in future I can run and help them out.but it seem I didnt do this step as I think that is the command in linux ?
python -c import urllib2; print urllib2.urlopen(https://bootstrap.pypa.io/ez_setup.py).read() | python
easy_install pip
pip install http://www.voidspace.org.uk/python/pycrypto-2.6.1/pycrypto-2.6.1-cp27-none-win_amd64.whl
pip install ecdsa (optional, needed only for unfactor-ecdsa.py)
Regards
Arebas - 4 years ago
c0r3 just saved my life. THANK YOU THANK YOU THANK YOU. And thank you Googulator for the guide and thank you all guys working on this and helping. You are the most fantastic people!!!!
Bukan - 4 years ago
hello again, I have a second case whit teslacrypt, in this case all file was update but the extention was not change to .vvv, in the folder appears a html file with the name how-recover+ptt.html. Althoug files have the correct extention Eg .xls, Excel cant open it and this message is dispplaying Unrecognized file format. (Hide extensions for known file types is disabled in the computer).
Is it possible to teslacryp can be use in this case (without .vvv extention)
c0r3 - 4 years ago
Might be another version of teslacrypt. Can you share a couple of files with a known type (prefferably PDF) by dropbox/google drive/wetransfer or similar and I will look into it
Bukan - 4 years ago
I sent a pm, thanks!
c0r3 - 4 years ago
Confirmed as TeslaCrypt v9 header but without vvv-suffix. I am currently factoring the key.
VirusD - 4 years ago
Is this a third one? Im working on his second key on file ...2012.xls.vvv and it does have the vvv extension.
deathhunter - 4 years ago
@VirusD Ive tried to get this process to work but on my computer it looks like it will take weeks to do. Can you please help, I have over 100000 files that I now cant access.
Here is a link to a sample JPG file.
https://drive.google.com/open?id=0B1f2c1H_DHigaUR3U09Uam9abW8
Thanks.
VirusD - 4 years ago
Im working on your file now.
VirusD - 4 years ago
This file is fine. It just has the extension in between other extensions.
deathhunter - 4 years ago
@ VirusD Sorry, I linked to the wrong file. Can you try this one;
https://drive.google.com/open?id=0B1f2c1H_DHigcS1HV0pXUlpsV0E
Thanks.
VirusD - 4 years ago
Im working on your file now.
VirusD - 4 years ago
Your file has been decrypted. Please check your PM.
viljemt - 4 years ago
Hi guys
could someone please help me?
unfactor.py doe not give me any output
with unfactor-ecdsa.py I only get Found Bitcoin private key:
Sample encrypted file: http://KrNeki.tk/Download.aspx?File=376_metadata.txt.vvv
Thank you very much!
VirusD - 4 years ago
Im on it.
VirusD - 4 years ago
This file is fine. It just has the extension in between other extensions.
Sorry, I was responding to the incorrect post.
Im working on your files now.
viljemt - 4 years ago
Great.
I dont understand this. How can I help?
This file is fine. It just has the extension in between other extensions.
Here is PDF: http://KrNeki.tk/Download.aspx?File=377_dopolnitve.pdf.vvv
VirusD - 4 years ago
MartinBello - 4 years ago
Run first teslacrack.py
All step here: https://github.com/Googulator/TeslaCrack
VirusD - 4 years ago
The second key is done. Still waiting on the first key to complete.
viljemt - 4 years ago
You guys are incredible good!
Hats off to you all. How can I buy you a beer?
This forum helped me a lot.
I was trying all afternoon and now I have finally made it...for PDF files.
msieve-gpu is very fast.
unfactor-ecdsa.py works great for me. Do I need to change anything for .jpg, .txt., .doc(x), .xls(x), .mdb, .accdb?
If some how can help someone with decrypting the keys, let me know.
emmayemi - 4 years ago
Please how me your own way of doing this. thank you in advance
viljemt - 4 years ago
I try to follow instructions on https://github.com/Googulator/TeslaCrack
I got something working with this:
with teslacrack.py you get using msieve: aabbcc
then run msieve -v -e 0xaabbcc
or msieve152_gpu.exe -v -e 0xaabbcc
...to get factors p1 p2 p3...
with this run unfactor.py c:\file.pdf.vvv p1 p2 p3...
now you get Candidate AES private key: which you input into teslacrack.py
to finish...run edited teslacrack.py again to decrypt your files
viljemt - 4 years ago
can someone provide info, how same command msieve152_gpu.exe -v -e 0x finished in 6 minutes, other time it took many hours?
VirusD - 4 years ago
@Saj77
Second key has been decrypted. Check your PM.
samuelguebo - 4 years ago
Python script provided by Googulator via github works!!!!
The whole process took almost a day but I ended up recovering the AES key and used it for decrypting every file I needed.
See the script over here https://github.com/googulator/teslacrack
emmayemi - 4 years ago
Please kindly share with me how you go about it. i got python installed already
VirusD - 4 years ago
@Valahul
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@houstonhardhead
Your files have been decrypted. Please check your PM.
emmayemi - 4 years ago
Please i need help as in a lay man step-by-step to do the python stuff. Thank you
VirusD - 4 years ago
Check your PM for some basic instructions.
VirusD - 4 years ago
@bppatrao
One of two keys have been decrypted, please run the first script and submit another sample file from the files that remain. Check your PM for more info.
bppatrao - 4 years ago
VirusD
Thank you for your help .... I gained years of life with your help.
VirusD - 4 years ago
@Elmut
Your file has been decrypted. Please check your PM.
Bukan - 4 years ago
Anyone can check my factor with this public key: 2BB71C16CD879A60EC43378F2A1EDF98D2F67BA1033BA0DDB93877BC30F4290AF358333EBDB838E23ED175465F101291A76A519DD9C2D11660285DBC77923750
msieve152 get me incorrect factors
viljemt - 4 years ago
I have tried it. Will let you know what I get.
viljemt - 4 years ago
it still calculates.
VirusD - 4 years ago
@nowa44
Your files have been decrypted. Please check your PM.
nowa44 - 4 years ago
@VisusD
Hugely appreciated VirusD - Ive got it now.
Thank you so much for your selfless helping hand on this board !!!
Molasar - 4 years ago
I have 3 coworkers that got hit by this ransomware.
Their public keys are:
4718D53CFBCB70F37CC374CCC125A34FF8EA3F608A071A29F4F1746ED661F337808980AC7D702B2B690F0D4D8EAA8636D286854F2B99DE000393E7B58FAC9A34
30972A8E0069ACD4C448B6E85B6DEBA1065028F60CD167BAF0637348C722CF18ED92305A74607FABCA2B9A32F9EAAD100BA94EFB94809A6E44BEDB7B5A0E50E4
073BC25119BD82F7D23D8DE9A3834A80BB68CD268D58E9EE4487FE8EAA8F99F14CE8342C852910B57FDCE841F3EC728812480D2F4FBD1E59FC8BEF4B178B06D8
Im MSIEVEing the first one, but as I dont have CUDA it is slow, If some of you have CUDA, please help with these public keys.
Thanks.
Molasar - 4 years ago
Solved Public key 30972A8E0069ACD4C448B6E85B6DEBA1065028F60CD167BAF0637348C722CF18ED92305A74607FABCA2B9A32F9EAAD100BA94EFB94809A6E44BEDB7B5A0E50E
ccbl - 4 years ago
@virusD ive sent you a pm. thank you in advance!
VirusD - 4 years ago
Im on it.
ravitc - 4 years ago
I use windows 7 can anybody share step of how to. I did install all the related program but fail to use below comand...as I think this the command for linux ? or do I have to do in python IDLE.? .but I try it in IDLE under windows 7....and it said SyntaxError:Invalid syntax
python -c import urllib2; print urllib2.urlopen(https://bootstrap.pypa.io/ez_setup.py).read() | python
easy_install pip
pip install http://www.voidspace.org.uk/python/pycrypto-2.6.1/pycrypto-2.6.1-cp27-none-win_amd64.whl
pip install ecdsa (optional, needed only for unfactor-ecdsa.py)
vilhavekktesla - 4 years ago
Hi, send me a message if it is not alread solved.
Ingleburt - 4 years ago
Hi guys. Ive got windows 8 infested with .vvv and really havent got a clue how to fix it. I dont have access to a second pc so Im stuck with my phone trying to prevent the virus spreading and crippling the whole system. Can anyone help me?
Ingleburt - 4 years ago
Hi guys. Ive got .vvv infestation and really havent got a clue how to fix it. I dont have access to a second pc so Im stuck with my phone trying to prevent the virus spreading and crippling the whole system. Can anyone help me?
VirusD - 4 years ago
You can try installing Avira antivirus software to get rid of the encryption program. As for the encrypted files, Ill try to help you if youll PM me a link to a sample of an encrypted file.
VirusD - 4 years ago
@Luzju @Bukan
Your files have been decrypted. Please check your PM.
majiks - 4 years ago
virusD sent you a pm a little bit ago, hopefully you have the time to help tonight.
If not I understand and await your help!!!!
VirusD - 4 years ago
Sure. Im on it. I dont know if it will be finished tonight though.
VirusD - 4 years ago
@ravitc
Your file has been decrypted. Please check your PM.
ravitc - 4 years ago
Thank you so much. I did try the step to test out on one folder but it seem not working or I must have made a mistake somewhere. What I did
1.is install the program that was provided
2.copy teslacrack.py on to c:\ drive
3.run cmd as administrator an on c:\ drive
4.type in teslacrack.py d:\withon\others (this is the folder I want to test on)
5.I get this type of error message...please help
https://dl.dropboxusercontent.com/u/10579901/20151230_141117.jpg
VirusD - 4 years ago
Your public AES key is different than the one that was processed. This means that the initial encryption program ran more than once and applied a different key to the remaining non-encrypted files. Jump back on the PM and Ill try to help you process the new key.
Wolfma - 4 years ago
hello,
I need help Im at following result with teslacrypt:
_____________________________________________________________________________________
Cannot decrypt ./Lezione_Polimeri.pdf.vvv, unknown key
Software has encountered the following unknown AES keys, please crack them first using msieve:
A489ABDD773F291077B6601645880C32D64F3759DB92DFCA76580EAF199C24BF3277038AA6A31B967F22E700564FD9F7964265A35F3895C36841A0AD9A5F4E97 found in ./Lezione_Polimeri.pdf.vvv
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use them with TeslaDecoder:
2AFE458A9F766DF26384CAC29C6F16AE5F5B99AF09FF870C4993D18B00E126DAF67ABB36AA3C1A8360643F5A4AEB90374F82F336066110EC4F32CF7F7D41CEB8 found in ./Lezione_Polimeri.pdf.vvv
_____________________________________________________________________________________
I tried than yafu:
factor(0xA489ABDD773F291077B6601645880C32D64F3759DB92DFCA76580EAF199C24BF3277038AA6A31B967F22E700564FD9F7964265A35F3895C36841A0AD9A5F4E97)
_____________________________________________________________________________________
After 12 hours it crash!
Im unable to solve
VirusD - 4 years ago
It probably didnt complete the handoff to ggnfs.
Check your yafu.ini config file and correct the path for the ggnfs_dir= entry.
VirusD - 4 years ago
What was the error message of your crash?
VirusD - 4 years ago
@ccbl
Your file has been decrypted. Please check your PM.
loginps - 4 years ago
Hi Virus D, I have sent you a PM with the link to the files. I need your help urgently. Thanks a ton in advance.
ccbl - 4 years ago
you are the best! thank you so much! worked like a charm
eldeibik - 4 years ago
Hi, VirusD!
Can you help me? Thank you so much!
Here is one file .doc with .vvv http://we.tl/YqVbtlyFqW
VirusD - 4 years ago
Im working on your file now.
nowa44 - 4 years ago
Wished to test if it works on few xxx.vvv files first - so I placed my custom made
teslacrack.py at root - c:\teslacrack.py
and placed few xxx.vvv files into test_decrypt folder, also at root - c:\test_decrypt
and then cmd executed:
C:\Users\user1>c:\teslacrack.py c:\test_decrypt
I get this cmd error:
Fatal Python error: Py_Initialize: unable to load the file system codec
LookupError: no codec search functions registered: cant find encoding
I get same cmd error with just cmd execute:
C:\Users\user1>c:\teslacrack.py
Whats wrong?
note: on Win7(x64) so have Python 2.7.11 (x64) and pyCrypto installed,
but also have for other use Python v3.4.3 (x64) installed.
(my custom teslacrack.py was made gracefully by VirusD - big Thanks!)
VirusD - 4 years ago
I would suggest trying to uninstall Python v3 and then performing a repair install on Python v2. It sounds like an extension association issue to me.
nowa44 - 4 years ago
@VirusD
Thank you - looks you maybe correct cause have this issue
re. Python 3.4.3 (x64) uninsatall - I cant.
Showing this note:
There is a problem with this Windows installer package
A program run as part of the setup did not finish as expected.
Contact your support personel . .
(I have run repair of Python 3.4.3, not showing issues, but cant uninstall)
Diefly75 - 4 years ago
Hi VirusD,
could you please give me back the decryption Key for this unknown AES keys :
041EC7BB2D0686461869F746BE2BC40E356406B846B2ED2B6ACCF9DA92AA9E8E1A4AF7517F1494B78BE81443FF222B92F92C7A54B042BD94A067D640DF88E8DF
Note that i get it from a jpg file. Let me know if you really need the encrypted file itself ?
thank you (very much !) in advance VirusD
VirusD - 4 years ago
Im processing your key now.
You could either send me your sample jpg file or I could send you just the factors.
Either way, PM me so I can better track it. Its getting harder to see every single post out here.
ravitc - 4 years ago
@VirusD
i really just want to thank you for helping ..now it work after 2nd try..Thank you so much.....I would like to contribute to help others.All the credit goes to @VirusD.
If you have multi files and folder I recommend this step (This is for windows user)
1.After receiving mail and files and install all the related recovery program
2.create a folder somewhere in C drive or D drive and name it recovery
3.Right click on that folder and create a shortcut on your desktop so that you can double click drag files or folders that you want to recovery to this folder (this is safe as you copy the folder or files to this folder so you still have the original)
4.copy teslacrack.py (the modified one with key) and put it on C:\ drive
5.create a batch file name run.bat
6.put this in a batch file ...here I suppose you put teslacrack.py to c:\
c:
cd\
teslacrack.py d:\recovery
7.d:\recovery---> please change d: to c: or e: depend where you create the folder
I also attach a batch file you can download and use notepad to edit (Create a shortcut of batch file on desktop also...it will be easy)
https://dl.dropboxusercontent.com/u/10579901/run.bat
All the credit goes to @VirusD
Ill be creating a program and post it here to make it more easy to recovery files...a self running program in windows...
VirusD - 4 years ago
Im just helping people. Real credit goes to Googulator and the creators of all the other utilities involved, but thank you. =)
Bukan - 4 years ago
Thanks VirusD!!! you save my life :)
The script works perfetct!!!!
c0r3 - 4 years ago
I just finished factoring the same key ;) Oh well ...
n99coca - 4 years ago
Thanks VirusD again.... you save my life too...
dmnoor - 4 years ago
VirusD, two days ago I have received from you decrypt software, there are many files can be decrypted, but there are some that can not. The following files can not be decrypted and error when decrypt. Can you help me again to check that the file can not be decrypted and gave me software decrypter. Thank you very much. (sorry for my bad English, I am Indonesian).
VirusD - 4 years ago
Sure. PM me the info.
dmnoor - 4 years ago
Ive already PM you, thanks for your attention and help...
VirusD - 4 years ago
@majiks
Your file has been decrypted. Please check your PM.
selcukhun - 4 years ago
@VirusD
I have sent many files to you.
Please help me for decrypting my files.
loginps - 4 years ago
Hi VirusD, I have sent you the files through PM. Please help. Will be grateful
VirusD - 4 years ago
@dmnoor
Your second decryption key has been deciphered. Please check your PM.
primo12 - 4 years ago
Hi. I got same problem, in fact my friend got, what is step by step option to decrypt those files ?
thank u in advance
boroz - 4 years ago
Hi all,
Just wondering if you would be able to help with one odd thing:
I followed the instructions offered on the forum, got to the stage of factor(0xXXXXX with Yafu and.... after working for few hours it crashed on me... Tried again, but it wouldnt start over, keeps crashing right away...
And for some reason I could not post this message in the forums thread...
Can you suggest any other options, perhaps using msieve or anything else?
Needless to say that if I manage to bit this nasty attack I will gladly join you guys helping others and fighting against those xxxyyyzzz....
Thank you in advance!
Cheers.
Boris.
VirusD - 4 years ago
You have to fix the yafu.ini file as it is trying to load ggnfs, but it cannot find the specified directory for it. What has been processed thus far is being stored in the yafu directory.
boroz - 4 years ago
Thanks VirusD, but could you please tell how to fix yafu.ini?
I just reinstalled Yafu and did run it on another computer, crashed again...Just wondering if I am doing something wrong....
VirusD - 4 years ago
PM me the error message.
boroz - 4 years ago
PM me the error message.
I dont get any error message... just the C:\Tesla\yafu-Win32.exe black window closes by itself without any notice... after several hours of work... :(((
gion86 - 4 years ago
Hello eveyone,
my friend PC has been infected with Tesla virus, the newest version, with .vvv files.
I tried to use the wonderful python code provided by Googulator and it works good.
But the Yafu (factorization) step is too hard for my old PC... its taking forever.
Im kindly asking for help to some of the guys on this thread: VirusD, Goose or anyone else
who has the horsepower needed.
Please tell me to whom I should send a PM/mail with one of my encrypted file.
Thank you very very much!
PS Where is the donation link in the Googulator page???
VirusD - 4 years ago
You can PM me. Ill try to help. There is currently a small queue, but I am using multiple computers to process everything I can.
gion86 - 4 years ago
Thank you VirusD,
dont worry for the queue, Ill wait, take your time!!
Gion
Wolfma - 4 years ago
@VirusD in reality yafu reach a point and than simply stop running without any message...after 8 hours more or less
VirusD - 4 years ago
Check your yafu.ini setting for ggnfs directory. It probably needs to be corrected or even downloaded to begin with.
Nickyxeddu - 4 years ago
Hi all.
Can you help me, thanks? :-(
This is my results after teslacrack.py:
C:\Python27\TeslaCrack-master>teslacrack.py
Cannot decrypt ./test.pdf.vvv, unknown key
Software has encountered the following unknown AES keys, please crack them first
using msieve:
08373787CCA21CE4D6D54DB1C10945A6E4CC445C2C7A19045C98F40F28BB583055BE18A15CC8DD40AFA3C2AE3D0E44553B763096A508CD0E57045959329375CA found in ./test.pdf.vvv
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use
them with TeslaDecoder:
2ADC6C3344E063D0904FD51C2E3736F5A5C432E99668D49A79F0EE4CBBC904C2D2EC8E7D77C2AF9C
D90A6292AF36F7F6BD8D6FDBA3F6E5C934EC32FEE43866E0 found in ./test.pdf.vvv.
When run unfactor.py with factor number, no such file or directory :-(
The file its in.
Thank you very !
VirusD - 4 years ago
What was the full command you used?
Nickyxeddu - 4 years ago
unfactor.py test.pdf.zzz +p1 p2 p3 p4 etc etc....
but the result its:
Traceback :
file c:\tesla\unfactor.py, line 33, in
main(sys.argv [1:])
file c:\tesla\unfactor.py, line 18, in main
with open(args[0], rb) as f:
I0error: [error 2] No such file or directory: test.pdf.zzz
Send you a PM. Thanks for you help.
DorotaBP - 4 years ago
Dear @VirusD
Ive sent you a PM with a link to one of my .vvv files.
Looking forward for your feedback.
Nickyxeddu - 4 years ago
Diefly75 - 4 years ago
this site could help everyone here .
it reference the precalculated factors .... Perhaps yours are already calculated ?
http://www.factordb.com
VirusD - 4 years ago
@loginps
Your files have been decrypted. Please check your PM.
loginps - 4 years ago
Hi VirusD, Thanks for all your help. I have been able to get all my files back. This has been a really good year end gift for me and an important reason to start the coming year in a positive note.
I really appreciate your help and effort taken by you to support me. Cant thank you enough.
Wish you and family a very happy new year and thank for helping again.
VirusD - 4 years ago
@selcukhun
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@Saj77
Third key decrypted. Please check your PM.
immo - 4 years ago
Hi VirusD, I sent you a link my infect file. Can you please take a loot as well? Thank you
boroz - 4 years ago
Not ready to surrender...
After having Yafu running for over 6 hours and crashed reinstalled it and started again...
Do I understand correctly that with AES key received from Python, Yafu can be run on any computer?
Thank you VirusD for your help, sorry for being more dump than you probably expected I am...
...crossing fingers, if it works this time and I manage to make it to the end - I will join Goose and VirusD helping others....
...if it does not work - I will not have a choice but to join the people waiting for their info to be rescued, because I really dont know what else to do to make Yafu work and stop crushing for no visible reason...
Any suggestions are greatly appreciated!
vilhavekktesla - 4 years ago
Hi, send me a message if you still have an issue
boroz - 4 years ago
No way... It just crashed again..... XXXXXXXXXXXXXXXXXXXXXXXXX!!!!!!!!!!!!!!!!!!!!!!!!!!!!
emmayemi - 4 years ago
@VirusD, pls i need help. i have PM you lots details that might be useful
JKL06 - 4 years ago
@VirusD Could you help me decrypt another key. Thanks
VirusD - 4 years ago
Yeah. Send me a PM.
boroz - 4 years ago
@VirusD, it looks like PM are being sent with some delay...
My Yafu keeps crushing over and over again... The longest time it worked was over 6 hours... :(
I send you the links to few of my encrypted files, if you can help with that - would be fabulous....
Thanks a lot!
Cheers.
kugo - 4 years ago
I must be doing some thing wrong. I can not understand steps to do fully myself. Installed Python with Windows 7 but I can not get by the first step on github link. Does this only work for Linux? Even if someone helps me create a key for me, what do I do with it from there? I can not understand the whole command line programming scheme and have little hope I can translate it to work for me. I have many files needing decryption and would take a while to upload. Please help!
emmayemi - 4 years ago
look at the error of my unfactor.py screen;
Python 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:32:19) [MSC v.1500 32 bit (Intel)] on win32
Type copyright, credits or license() for more information.
>>>
======================= RESTART: C:\unfactor-ecdsa.py =======================
usage: unfactor-ecdsa.py
Traceback (most recent call last):
File C:\unfactor-ecdsa.py, line 28, in
main(sys.argv[1:])
File C:\unfactor-ecdsa.py, line 13, in main
with open(args[0], rb) as f:
IndexError: list index out of range
>>>
gion86 - 4 years ago
This is the correct use of unfactor-ecdsa.py:
usage: unfactor-ecdsa.py
The line 28 and 13 in your message dont correspond to the code in my version of unfactor-ecdsa.py, so you might have the wrong file also..
gion86 - 4 years ago
No sorry, some part got delete when I sent the massege:
This is the command line:
usage: unfactor-ecdsa.py sample file space-separated list of factors
emmayemi - 4 years ago
Please would my Command line look like below or what?
sage: unfactor-ecdsa.py (THE ROLES OF TRADE UNION IN INDUSTRY AND MEMBERSHIP OBLIGATIONS) (Final).doc.vvv 86 2
VirusD - 4 years ago
Yes, but be sure to include file paths as well. Also, because your file has spaces in it, you have to put quotes around it.
unfactor-ecdsa.py c:\files\(THE ROLES OF TRADE UNION IN INDUSTRY AND MEMBERSHIP OBLIGATIONS) (Final).doc.vvv 86 2
MichaelJ2 - 4 years ago
I also have the same problem. many files of my girlfriend are corrupted..
She needs the files for the university.
it is possible to encrypt all files with .vvv on her computer?
pls help.
merochero - 4 years ago
hello cyberspace. i am a supernube ... i too got wacked with this latest teslacrypt deal days ago: vvv... i tried following directions installing python and googlators scripts, ... teslacrpt.py ... but running into nube problems :/
python 2.7.11 and pycrypto installed fine, but i get a syntax error trying to Run python teslacrack.py .
can someone here throw me a bone and help me with the syntax of command? and if someone has nothing better to do but to help schmucks like me and has python environment working with googulators scripts running and would like to hack at some of my files, i uploaded here.
http://www.filedropper.com/pdf_8
http://www.filedropper.com/bluepathwayflierpdf
http://www.filedropper.com/prayerlistrtf
any help would be greatly appreciated
VirusD - 4 years ago
Im working on your case now.
merochero - 4 years ago
VirusD you and all those helping in here are the BOMB.
thank you!
meineMeinung - 4 years ago
@ Goose!
I have the same problem like all the other guys here - how can I send you a vvv-file?
Greetings from Austria!
mM
VirusD - 4 years ago
@gion86
Your files have been decrypted. Please check your PM.
gion86 - 4 years ago
THANK YOU SO MUCH.
Im using the key and is working.
I hope that all my files (29GB).. are encrypted with the same key...
Be careful with the script teslacrack.py that VirusD send you, at least in my case I had:
delete = True
#delete = False
in the code, which will delete the encrypted file immediately.. no matter what you pass on at the command line... its a little bit dangerous I think..
Thank you again guys!!!!!!
meineMeinung - 4 years ago
Hi!
Would you also help me? I´ve 69gb .vvv-files ...
Greetings from Austria!
mM
JKL06 - 4 years ago
Hi @VirusD sent you a PM with files.
VirusD - 4 years ago
@akingsu
Your files have been decrypted. Please check your PM.
inigualablepollo - 4 years ago
Dear, I had an infected computer and would like to recover damaged files. Could you help me? Thank you so much.
VirusD - 4 years ago
Sure. PM me the a link to a sample file via dropbox, wetransfer, or similar and Ill try my best to help you.
inigualablepollo - 4 years ago
Dear, thanks for your reply and help. I pass the link where it went up some of the infected files. No hurry, take your time.
https://www.dropbox.com/sh/eii7ppugjo6bdk1/AAD8d0ZoZwyGbBhqM9aGx3uYa?oref=e
n99coca - 4 years ago
Hi inigualablepollo,
try this
405C6DA161AE46A5E66A7F7B5F748CBE6685627D9E2A422E54BB19AE4F05F7E81D8C73950DBBA5FC52B2686CB1BF5D4B38C748213A10C64CB54390712A2ED9CE: b\x52\x4f\xcf\x57\x12\xa8\x54\xc7\x49\x11\x61\xa0\x15\x9d\xba\x01\xe1\x84\xe0\x19\x6d\x1a\x75\x40\xd1\xfc\x17\xf1\x37\x92\xb5\xb2
inigualablepollo - 4 years ago
Dear,
Thanks to their help I was able to recover all my files.
Total Thanks.
VirusD - 4 years ago
@Nickyxeddu
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@DorotaBP
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@kugo
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@CraigWiggins
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@boroz
Your files have been decrypted. Please check your PM.
emmayemi - 4 years ago
@VirusD i gave you a PM please get back to me. Thank you.
boroz - 4 years ago
VirusD, you are THE HERO!
Thank you enormously!
boroz - 4 years ago
Hi folks,
Thanks to VirusD and other brilliant people who developed the tools, I was able to recover my computer files. I am willing to fight back those bastards. So far I can not get them physically (even though its already being worked on), so for the time being please feel free to send me a personal message with a link (on dropbox or so) to one of your encrypted files (those with .vvv extension) and I will help you to get the decryption code.
Happy New Year to all the decent people in the World!
Cheers.
MichaelJ2 - 4 years ago
Can you help me to get the old files?
:/ there are more than 2 gb files which are important for me.
VirusD - 4 years ago
Sure. Send me a PM with a link to one or two encrypted sample files via dropbox, wetransfer or similar and Ill try to help you.
VirusD - 4 years ago
@empowerT
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@merochero
Your files have been decrypted. Please check your PM.
Ragon78 - 4 years ago
Dear VirusD, can you help me?
boroz - 4 years ago
VirusD probably took some break, it was a long day for him... ;)
If your problem is all your file became unusable and with .vvv extension - I can help you too if you wish.
I will need one of your encrypted files (pdf for example, which became pdf.vvv)
Please upload it to Dropbox or any similar online storage and send me a personal message with a link to this file.
Cheers.
selcukhun - 4 years ago
Many Many thanks @VirusD.
All files decrypting now.
Thanks for your support and instructions
Saj77 - 4 years ago
Hi, Can you help me please
I found this key in the file Dankort_Aftale_Vesterbrogade.pdf.vvv
0E03832C0F858051C27ADA5065EE15C5A038A9C51DC4EB4434C0784DFD20C3737E67315080A67FADA16224AC5C57BEC5B46643CC58778D979F998E62464016E6
and find out my factors
***factors found***
P1 = 2
P3 = 109
P3 = 463
P3 = 593
P8 = 15074219
P9 = 137254919
P24 = 665311333167416759133901
P21 = 429557175159282815353
P37 = 3488510552368854293951147791751876923
P49 = 5944706294693029050577128501338165325081944912147
ans = 1
Then I type
D:\>unfactor.py Dankort_Aftale_Vesterbrogade.pdf.vvv 2 109 463 593 15074219 137254919 665311333167416759133901 429557175159282815353 3488510552368854293951147791751876923 5944706294693029050577128501338165325081944912147
I got this
usage: unfactor.py
Traceback (most recent call last):
File D:\unfactor.py, line 33, in
main(sys.argv[1:])
File D:\unfactor.py, line 18, in main
with open(args[0], rb) as f:
IndexError: list index out of range
D:\>
I dont know how to get the private key for my file.
Thank you in advance
VirusD - 4 years ago
Is your file in the same location as unfactor.py?
If its not, then use: D:\>unfactor.py D:\\Dankort_Aftale_Vesterbrogade.pdf.vvv 2 109 463...
Editing the reply because this posting area doesnt allow for a few symbols.
Remember that if your file path or file name has spaces in it, you must use quotes to force command prompt to treat it as one object other wise the spaces will be rendered as extra parameters.
Saj77 - 4 years ago
I tried but didnt work same error finally writing following command gave me the private key.. thank you so much VirusD you helped me a lot. Really appreciated.
D:\>python unfactor.py Dankort_Aftale_Vesterbrogade.pdf.vvv 2 109 463 593 15074219 137254919 665311333167416759133901 429557175159282815353 3488510552368854293951147791751876923 5944706294693029050577128501338165325081944912147
LSeay - 4 years ago
VirusD or c0r3, I sent you PMs with my AES code that I am having trouble getting decrypted. YAFU keeps crashing on me and I cant get msieve to work for some reason. I have tried multiple versions with no luck. Any help would be appreciated!!
VirusD - 4 years ago
Yup. Im processing it now.
VirusD - 4 years ago
@emmayemi
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@jerome84
Your file has been decrypted. Please check your PM.
GMelo - 4 years ago
I need help to decrypt files that have been cripografados by TeslaCrypt and are now with the extension .vvv
Please , somebody help me !!
VirusD - 4 years ago
@LSeay
@gion86
@MichaelJ2
@pepe100
@Valahul
@dalived
@JKL06
@Wolfma
@immo
@Gwenguillaume
@nabook1
@bppatrao
@bibi32
@Duergar
@daroul
@dadou
Your files are still being processed. Some of these keys have been processing for quite some time and are just monsters. Please be patient. They are actively being deciphered; each on their own machine.
nabook1 - 4 years ago
thanks man ....
dadou - 4 years ago
Thanks a lot!
boroz - 4 years ago
@Zeglaude your file is still being processed.
Will let you know as soon as its ready.
mattchis - 4 years ago
Hello all!
I have some availability to help with decryption. Please PM me if you need help.
kugo - 4 years ago
*****************************************************************************************
Huge thanks to this forum and VirusD and others for helping me decrypt my files. Many Photoshop documents and hours of design work my dumba$% didnt backup. If your like me, after many hours of searching for a solution, I was about to give in and pay the ransom like VirusDs friend did. Thanks to her (submitting the original files) many of us here are able to rest on this new years eve and move on from this BS.
I encourage everyone to pitch in a little and donate something to compensate VirusD and help get something back to this girl too. Im not sure how much she paid to the criminals but I personally just sent VirusD $100 via PayPal which is way less those the jerks wanted. VirusD and all the others helping out need some representation here. They are doing there part so we need to do ours. If we all chip in it will definitely resonate. Peace!
******************************************************************************************
rush1973 - 4 years ago
I too got hit HARD! on our server. All of our share files, data, etc were encrypted. Any help is greatly appreciated...I can pm a link to a couple of .vvv files . Thanks so much
mattchis - 4 years ago
I just PMed you.
VirusD - 4 years ago
Send me or anyone else here that recently offered to help a link to one or two sample encrypted files via dropbox, wetransfer, google drive, or similar service.
rush1973 - 4 years ago
PMs were sent thx!
VirusD - 4 years ago
@Ragon78
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@LSeay
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@rush1973
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@gion86
Your second file set has been decrypted. Please check your PM.
mattchis - 4 years ago
@rush1973
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@nabook1
Your file has FINALLY been decrypted. Please check your PM.
nabook1 - 4 years ago
big big big thanks to VirusD you are the king !!!!!!
And thanks to all members who tried to help me out here, you bunch of good people ....
boroz - 4 years ago
@Zeglaude
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@Wolfma
Both of your file sets have been decrypted. Please check your PM.
Wolfma - 4 years ago
Thank you, its marvellous! Its a perfect Christmas gift, thank you!
VirusD - 4 years ago
@nowa44
Your second file set has been decrypted. Please check your PM.
nowa44 - 4 years ago
Thank you so much - will run to see if it decrypts the rest.
VirusD - 4 years ago
@Bluishday
Your file has been decrypted. Please check your PM.
stafiq - 4 years ago
thank you so much guys.. I manage to recover my files.
worcestermike - 4 years ago
@VirusD. Hi, I sent you a pm with a link to wetransfer containing examples of the dreaded vvv ransomware infecting my machine. Hope you can help but do understand that you may be being overwhelmed with requests.
Thanks for any assistance you or others can offer.
Michael
mattchis - 4 years ago
Sent you a PM. I am available to help.
juanpark - 4 years ago
@Goose and @VirusD
Hello. Thank you for everything you guys are doing here.
VirusD! I sent you a pm with a link. Please help me decrypt the file! Much appreciated!
mattchis - 4 years ago
I am available to help. If interested please PM me the link.
juanpark - 4 years ago
@matthias
Thanks for the offer, but just received the decrypted keys.
VirusD - 4 years ago
@dadou
Your files have been decrypted. Please check your PM.
jerome84 - 4 years ago
really thanks for youre help
good happy new year
VirusD - 4 years ago
@worcestermike
Your files have been decrypted. Please check your PM.
Ingleburt - 4 years ago
@VirusD
Check your PM, mate.
worcestermike - 4 years ago
Hi VirusD. Thank you so much for the time you are giving to help support those of us who have been the subject of this ransomeware. I will try your solution now, but please know I am grateful for all that you have done. Thank you
Defrosa - 4 years ago
I too have been hit by a Teslacrypt virus. How can I send sample files to decrypt and get instructions to decrypt the rest of my files?
I cant figure out how to attach files to my PM.
Thx
denisqua - 4 years ago
VirusD, this new year becomes really happy with your help.
LaUrAlOl - 4 years ago
LaUrAlOl - 1 day ago
Thanks for the advise c0r3. Let me know if you find anything about this version.
c0r3 - 1 day ago
All I can see is that the files share a common header byte sequence:
99 9a d5 35 aa a6 e0 f9 fe c6 a6 85 f1 8f ac 8f
It might be the real CryptoWall (TeslaCrypt just says it is CryptoWall but is a different kind of cryptovirus). Im not that familiar with it to know what your options are :(
Googulator - 1 day ago
Looks like TeslaCrypt v0.3.7. Use TeslaDecoder to get your key.dat or storage.bin file. It might be able to decrypt based on that alone - if not, use the Save key file option, and PM the result to me.
Hey guys, how am I suppose to do that? Ive tried everyhting already, so this is my last option before deleting every file and start all over again. THanks once again.
boroz - 4 years ago
Hi folks,
I have some availability to help getting your files back to normal.
Please PM if interested.
VirusD - 4 years ago
@denisqua
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@golfdyl
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@Ingleburt
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@juanpark
Your files have been decrypted. Please check your PM.
juanpark - 4 years ago
@VirusD
Once again, thank you!
VirusD - 4 years ago
@Duergar
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@jorgennava
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@nowa44
Third file set has been decrypted. Please check your PM.
nowa44 - 4 years ago
Thank You - worked like a charm !
VirusD - 4 years ago
@Raphed6301
Second and third file set have been decrypted. Please check your PM.
VirusD - 4 years ago
@Defrosa
Your files have been decrypted. Please check your PM.
d3rrick79 - 4 years ago
Hi @VirusD
I have sent u a PM on the wetransfer link on 1 of my infected file.
Appreciate you can help to decrypt my files.
Thanks in advance
VirusD - 4 years ago
Im on it.
VirusD - 4 years ago
@GMelo
Your files have been decrypted. Please check your PM.
GMelo - 4 years ago
@VirusD
Thank you!!
seascape - 4 years ago
A close friend has been hit by a TeslaCrypt virus.
I have read and reread this tread attempting to comprehend the instructions for building the decryption key, but, sorry to say, i dont know how.
Please help, if you can.
I have uploaded an encrypted PDF file to wetransfer,
http://bit.ly/22DgYEL
VirusD - 4 years ago
Im processing your file now.
VirusD - 4 years ago
@seascape
Your file has been decrypted. Please check your PM.
czechu - 4 years ago
Hello . Happy New Year to all . Please help in decoding my files vvv
Link to encrypted pdf file
http://we.tl/xLpKnXTQg5
VirusD - 4 years ago
Im working on your file now.
Ragon78 - 4 years ago
Virus D you are an Hero!
leaoat1977 - 4 years ago
Can you help me with Tesla Virus? I have a lot of files .vvv extension.
VirusD - 4 years ago
Im working on what you PMed me.
saravanaa2328 - 4 years ago
Virus D Sir
Please help me..... our office file totally changed in the format of VVV extension.
this is orphan children related files (grant-in-aid and proposals)
VirusD - 4 years ago
Sure. Ill try to help. Please send me a link to one or two sample encrypted files via dropbox, wetransfer, google drive, or similar service. Send it in a PM.
ahmedkhan007 - 4 years ago
same happened with me all files converted to .vvv please any one is here to guide us how to solve that issue we have large amount of data like TB.
help will be appreciated and blessing for new year
VirusD - 4 years ago
I sent you instructions via PM. Please review them.
Duergar - 4 years ago
I just wanted to say THANKS for the effort you all put into helping others :-) The rescuing of my affected files lifted a huge weight of my shoulders (and reminded me to always have a recent backup...)
Sebseb - 4 years ago
VirusD - please help me too. may you send me instructions via PM. how can I enscrypt .vvv file.?? Tnx.
VirusD - 4 years ago
@Sebseb
Please complete the activation of your bleepingcomputer.com account to send and receive PMs.
Saj77 - 4 years ago
VirusD... really a helper... Thank you for helping and solving the problems regarding .vvv files
VirusD - 4 years ago
@czechu
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@Saj77
Your 4th file set has been decrypted. Please check your PM.
viljemt - 4 years ago
Hi everybody.
Does anybody tries to decrypt files with instructions on https://github.com/Googulator/TeslaCrack or just ask for help first VirusD?
VirusD will run out of steam. He was working on new years eve and during holidays. He help me too and I am very grateful to him. But I tried at first to decrypt it myself. He is doing great job and I want only the best for him. Just something to think about.
Maybe instructions at github are too complicated?
VirusD - 4 years ago
True. Im sure I wont be here forever, but perhaps a more automated solution will present itself, maybe other people will join in once the learning curve has been established. Who knows? Ill PM you my set of instructions.
boroz - 4 years ago
You are definitely right, but I must admit that being a bit above than an average computer user I would have NEVER be able to use github instructions without generous help of VirusD whos patience and generosity impressed me enough to change the opinion about humankind...
I have a feeling that github instructions are written for computer programmers....
VirusD - 4 years ago
@jepak
Your factors have been sent to you via PM.
VirusD - 4 years ago
@MichaelJ2
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@dalived
Your two file sets have been decrypted. Please check your PM.
VirusD - 4 years ago
@viljemt
Your three file sets have been decrypted. Please check your PM.
VirusD - 4 years ago
@Gwenguillaume
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@pepe100
Your file has been decrypted. Please check your PM.
boroz - 4 years ago
@Defrosa
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@bppatrao
Your second file set has been decrypted. Please check your PM.
VirusD - 4 years ago
@d3rrick79
@JKL06
@Valahul
@daroul
@immo
Your files are still processing. Just wanted to update you guys/girls.
If anyone has PMed me and you have not heard from me or are not on this list above, please let me know. I dont want to have missed someone.
boroz - 4 years ago
Hi folks,
If the instructions on https://github.com/Googulator/TeslaCrack are too hard for you to get along with - I have some availability to help you to get your encrypted files back to normal.
Please send me PM if interested.
elyogui - 4 years ago
@VirusD
Good night, my English is not very good , but try to explain my problem, I have an infected client 2 machines, one of the machines infected with the virus and infected the shared folder on the server. The encrypted key that is generated in the regedit is only in a machine that I think this virus being seridor .
Annex infected files can support me waiting to decrypt all who were affected folder .
Thank you very much , Greetings from Tijuana, Baja California Mexico
https://drive.google.com/folderview?id=0B-YcF8tu2DITVG5naEhpVmVMeWM&usp=sharing
VirusD - 4 years ago
Im on it.
For any network shares, they will have to be mapped as drive letters or have the script executed at the shared host. Instructions will follow once the a decryption key is found.
elyogui - 4 years ago
Thank you very much, I will be attentive to the answer
VirusD - 4 years ago
Your files have been decrypted. Please check your PM.
elyogui - 4 years ago
Thank you very much, now I start my part, ¿if I have any questions, I can write?
VirusD - 4 years ago
Yes, of course.
elyogui - 4 years ago
1 computer decrypted, the daily morning run the application on another computer.
¿Can I learn how to create the application to decrypt?
Thank you very much again
ashir - 4 years ago
hi virusD! im from argentina
I have all my family photos encrypted with vvv extension! Can you help me?
VirusD - 4 years ago
Sure. I will do my best.
PM me a link to one or two sample encrypted files via dropbox, wetransfer, google drive, or a similar service.
ashir - 4 years ago
Hi virusd! please see thjose two links with encripted files!
https://www.dropbox.com/s/quu93a1mggparug/ari_goldwag-am_echad-14__booklet.pdf.vvv?dl=0
https://www.dropbox.com/s/i02roxaxcnhu2ah/IMG_1753.JPG.vvv?dl=0
Please help! all my history is there!
VirusD - 4 years ago
Your files have been decrypted. Please check your PM.
ashir - 4 years ago
you are the best!!!
you are the best!!!
you are the best!!!!!
Now with i can decript all the files? even the ,rar, and others? or only pdf and jpg?
VirusD - 4 years ago
All files that have been encrypted with the same public AES key will be decrypted. It has nothing to do with the file type. If there are files that remain, then it means they did not match the public AES key found in the original sample files submitted. If this is the case, submit one or two sample files just like before in a PM.
ashir - 4 years ago
from now you are my best friend!
Thanks a lot!
My best wishes from Argentina.
What your advice to prevent this kind of issues again?
VirusD - 4 years ago
From the three AV programs Ive tested as of 12/20/2015, Avira Free Antivirus and F-Secure Antivirus successfully protects against this ransomware. Microsofts Windows Defender does not.
VirusD - 4 years ago
@JKL06
Your second file set has been decrypted. Please check your PM.
VirusD - 4 years ago
@saravanaa2328
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@d3rrick79
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@meineMeinung
Your files have been decrypted. Please check your PM.
czechu - 4 years ago
VirusD
Many thanks for your help and I wish you good health in the New Year . All cards of patients recovered.
Are you a super VirusD
JKL06 - 4 years ago
@VirusD
Thankyou again for your great. You are truely super.
boroz - 4 years ago
Hi folks,
I have some availability to help you to get your encrypted files back to normal.
Please send me PM if interested.
DorotaBP - 4 years ago
@VirusD,
BIG THANKS mate for your help!!! All files have been successfully decrypted!!
All the best!
VirusD - 4 years ago
@Valahul
Your second, third, and fourth key sets have been decrypted. Please check our PM.
VirusD - 4 years ago
@MichaelJ2
Your second file set has been decrypted. Please check your PM.
bee4u - 4 years ago
@ MR Goose THX from all of us MAY ALLAH BLESS YOU WITH HAPPINESS AND HEALTHY LIFE !!!!!! you are THE CHAMP LOVE YOU SIR....!!!
VirusD - 4 years ago
@dadou
Your second file set has been processed. Please check your PM.
Charlyximenez - 4 years ago
Mp for VirusD!!!
Thanks firiend from Spain!!!!!!
VirusD - 4 years ago
@Charlyximenez
Your files have been decrypted. Please check your PM.
ovidiu2015 - 4 years ago
Hi VirusD
Please help me and me to decrypt a file, and if you can tell me how can decrypt and other files that you do not want cluttering keeps you so you can help them and others.
http://fastupload.rol.ro/d79f8ff84802de1a69b02a7a72272838.html
Thank you
VirusD - 4 years ago
Your file has been decrypted. Please complete the activation of your account so that I may be able to PM you.
VirusD - 4 years ago
@ruiestevess
Your files have been decrypted. Please check your PM.
ruiestevess - 4 years ago
BIG THANKS mate for your help!!!
All files have been successfully decrypted!!
All the best!
And a Good 2016 !!
GuilleJohn - 4 years ago
hi guys! im from argentina too
I have all my data encrypted with vvv extension!
Im running:
C:\Python27>yafu-x64.exe factor(0x 217815E1AFACFA39E122258A92C66D16807419120E9DE
A6E54A103D5FE6CBDC2F8C1B6CA039FF314ECCB9528BE2385D080FDC2F1D24686A8DBC3354926C3342C)
and i obtained
no switch detected
Any could help me?
Thanks in advance
VirusD - 4 years ago
There is a space between the ...(0x and the 217.... Remove it.
VirusD - 4 years ago
Im not sure, but there may also be a space in ...E9DE and A6E5.... Either that or it is just being split here on the forum.
boroz - 4 years ago
Hello all,
If the instructions on https://github.com/Googulator/TeslaCrack are not helpful for you - I have some availability to help you getting your vvv affected files back to normal.
Please contact via PM.
VirusD - 4 years ago
@Loudscouse
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@ovidiu2015
Your files have been decrypted. Please check your PM.
linjun85 - 4 years ago
@VirusD How to Fix that Problem?
Python 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:32:19) [MSC v.1500 32 bit (Intel)] on win32
Type copyright, credits or license() for more information.
>>>
RESTART: C:\Users\linjun.BESTSELLER\Desktop\TeslaCrack Master\teslacrack.py
Cannot decrypt ./annual vacation record.xlsx.vvv, unknown key
Cannot decrypt ./Holiday file.xlsx.vvv, unknown key
Cannot decrypt ./日坛宾馆合同.pdf.vvv, unknown key
Software has encountered the following unknown AES keys, please crack them first using msieve:
414BF39AA510496DC9FD01C6D11715BD012385B1CBF30284E9E01CE31DE29FCB329D8DFAD9352FD339D8C4217C6A9D499175A77A8F74F8A827DD04B0234E21D3 found in ./annual vacation record.xlsx.vvv
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use them with TeslaDecoder:
C704B10AF9DD4908A52DBB6F35B6795B500F3B51B66B3EB5FD23D6672CD5CCCB923B5990B8001820146DB31BE4E7B2C939B5B1F53E479E5D9F0B7C2A0CAF2BB8 found in ./annual vacation record.xlsx.vvv
>>> unfactor-ecdsa 414BF39AA510496DC9FD01C6D11715BD012385B1CBF30284E9E01CE31DE29FCB329D8DFAD9352FD339D8C4217C6A9D499175A77A8F74F8A827DD04B0234E21D3
SyntaxError: invalid syntax
>>> unfactor-bitcoin 414BF39AA510496DC9FD01C6D11715BD012385B1CBF30284E9E01CE31DE29FCB329D8DFAD9352FD339D8C4217C6A9D499175A77A8F74F8A827DD04B0234E21D3
SyntaxError: invalid syntax
>>>
c:\yafu-1.34>yafu-x64.exe
01/04/16 15:21:48 v1.34.5 @ BEJ-PC-517, System/Build Info:
Using GMP-ECM 6.3, Powered by GMP 5.1.1
detected Dual-Core AMD Opteron(tm) Processor 1220
detected L1 = 65536 bytes, L2 = 1048576 bytes, CL = 64 bytes
measured cpu frequency ~= 2761.807200
using 20 random witnesses for Rabin-Miller PRP checks
===============================================================
======= Welcome to YAFU (Yet Another Factoring Utility) =======
======= bbuhrow@gmail.com =======
======= Type help at any time, or quit to quit =======
===============================================================
cached 78498 primes. pmax = 999983
>> factor(414BF39AA510496DC9FD01C6D11715BD012385B1CBF30284E9E01CE31DE29FCB329D8D
FAD9352FD339D8C4217C6A9D499175A77A8F74F8A827DD04B0234E21D3) -threads 16
unrecognized token: threads16
>>
VirusD - 4 years ago
I would suggest using Windows Command Prompt for everything and forgoing Python shell.
Your commands are valid, but your AES key is a hex value, not a decimal.
Use command yafu-x64.exe factor(0x) -threads <#>
You can also change the number of threads by altering the yafu.ini file as appropriate.
linjun85 - 4 years ago
@ VirusD Seems It is difficulty to me. Please Help. Many thanks
c:\yafu-1.34>yafu-x64.exe factor(414BF39AA510496DC9FD01C6D11715BD012385B1CBF3028
4E9E01CE31DE29FCB329D8DFAD9352FD339D8C4217C6A9D499175A77A8F74F8A827DD04B0234E21D
3) -threads (16)
expected numeric input for option threads
c:\yafu-1.34>yafu-x64.exe factor(414BF39AA510496DC9FD01C6D11715BD012385B1CBF3028
4E9E01CE31DE29FCB329D8DFAD9352FD339D8C4217C6A9D499175A77A8F74F8A827DD04B0234E21D
3) -threads (#)
expected numeric input for option threads
c:\yafu-1.34>yafu-x64.exe factor(414BF39AA510496DC9FD01C6D11715BD012385B1CBF3028
4E9E01CE31DE29FCB329D8DFAD9352FD339D8C4217C6A9D499175A77A8F74F8A827DD04B0234E21D
3) -threads(#)
invalid option -threads(#)
c:\yafu-1.34>yafu-x64.exe factor(414BF39AA510496DC9FD01C6D11715BD012385B1CBF3028
4E9E01CE31DE29FCB329D8DFAD9352FD339D8C4217C6A9D499175A77A8F74F8A827DD04B0234E21D
3) -threads(16)
invalid option -threads(16)
c:\yafu-1.34>yafu-x64.exe factor(414BF39AA510496DC9FD01C6D11715BD012385B1CBF3028
4E9E01CE31DE29FCB329D8DFAD9352FD339D8C4217C6A9D499175A77A8F74F8A827DD04B0234E21D
3) -threads(#)
invalid option -threads(#)
c:\yafu-1.34>
VirusD - 4 years ago
yafu-x64.exe factor(0x414BF39AA510496DC9FD01C6D11715BD012385B1CBF30284E9E01CE31DE29FCB329D8DFAD9352FD339D8C4217C6A9D499175A77A8F74F8A827DD04B0234E21D3) -threads 16
ravitc - 4 years ago
VirusD I test with few files and confirm it was working but during holidays I tested..mostly not working...I have send files that I got from you and also the working and not working file to show you...
Thanks you again
https://dl.dropboxusercontent.com/u/10579901/files%20to%20check.zip
VirusD - 4 years ago
@ravitc
Your second file set has been processed. Please check your PM.
ovidiu2015 - 4 years ago
Hi ViruD
thank you for the effort made to help me.
to have a wonderful new year
only good and everything you want!
bibi32 - 4 years ago
Hi ViruD I have 2 key to factorize and I want know if the key I gave you is always factorizing ??
166D0E2BC225EC45722FD98302DB4A0A5BB95E0AA659A4E7948C9CDA088B303348234209D899B6C780F0FBAD596B809037937C75AEE3B7F2C40988491EA4112E
051E6346750DCC6D6F34F2C9ED58AC3B4213A361294AF8C3A2C32917CBCCCE7787785E8AC22D8333021D1C9767AC39D0805AC156D194CF0E14947A44AA823550
Thanks.
VirusD - 4 years ago
Im processing those two now. One will be completed shortly.
The other one might take a day or two judging by how it looks thus far.
VirusD - 4 years ago
I sent one via PM. The other is going to take a nice amount of time.
Ingleburt - 4 years ago
Hello everyone. What do you guys think of the Avira Anti Virus software. Ive installed it but I dont think its removed the Ransomeware responsible for my .vvv infestation, and its not helping with a weird internet traffic hijack on my computer, so not very good in my opinion. Does anyone else have any experience with it?
VirusD - 4 years ago
Upon completion of encryption, the ransomware deletes itself leaving only the ecrypted files behind.
claudiosf - 4 years ago
Virus D S
Please help me..... my pc´s file totally changed in the format of VVV extension.
https://drive.google.com/file/d/0B1XmbowKs6MaS1VQRmd6ZWt3ckk/view?usp=sharing
thank you very much
VirusD - 4 years ago
Im processing it now.
claudiosf - 4 years ago
thank you very much
vicmanmon - 4 years ago
Hello Virus D,
I sent you a PM, thanks.
munozbasols - 4 years ago
Virus D could you help me?
Hi I tried for my infection your method but not works por pdf files.
Maybe im doing something wrong.
My file:
https://drive.google.com/open?id=0Bw...Td1dlRHVlVaUFk
1ºDone:
Run: python teslacrack.py .
10ACCB6406EB1FE0D93DCC2C5BBDACD8710A04DEB15520EEF1D4CFEDC2DFCA3895943154618918FE62DA23B722D5809C7AE170584FA8BE30267C1FAF516A5D40
found in ./PRENSA2.pdf.vvv
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use
them with TeslaDecoder:
5A418C2F6DD510539255FDDFF6EA230CCBA15B0D044B400BFEBE9DE5B1D663F645BF81EEAFC8A51936947065D4DAACFB5EA0B7BC1B5ED6B17002C95DF69121A1
found in ./PRENSA2.pdfvvv
converto to decimal
Now factorizing....
2 2 2 2 2 2 3 5 5 5 29 59 103 151 2081 2039603 32217360122481615502589045613479955474752095446678609241111273219104696661995602407892730
Once factorized it run ecdsa
Run python unfactor-ecdsa.py
And shows no aes encryption key found :(
Im doing something wrong?
VirusD - 4 years ago
I sent you a PM. Please check it.
VirusD - 4 years ago
@vicmanmon
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@saravanaa2328
Your second file set has been decrypted. Please check your PM.
claudiosf - 4 years ago
Virus D
Don´t forget me
claudiosf - 4 years ago
Virus D
Don´t forget me
VirusD - 4 years ago
I have not.
Your key is still being processed. Some keys finish processing in a few seconds while others can take a week. Most are no more than a few hours. I process what I can in the order I receive them, but they don't finish in the order received. Please be patient.
claudiosf - 4 years ago
I understand , thank you very much for your help
VirusD - 4 years ago
@claudiosf
Your file has been decrypted. Please check your PM.
claudiosf - 4 years ago
thanks you very much.
I could decrypt some files , now proves others files at home.
You are the best
VirusD - 4 years ago
@Saj77
Your fifth file set has been decrypted. Please check your PM.
VirusD - 4 years ago
@GuilleJohn
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@munozbasols
Your file has been decrypted. Please check your PM.
hpoyarzunm - 4 years ago
VirusD
Dear, good day, you could help me with the virus and decryption, it is much appreciate, I have microsoft office files encrypted with a .vvv extencion ransonware RSA-4096, calling for rescue.
VirusD - 4 years ago
Sure. Send me a link to one or two sample encrypted files via PM.
ravitc - 4 years ago
@VirusD send the program. ..please test...any suggestion let me know...
thanks...for your great help
BIGSanja - 4 years ago
Hello Virus D,
I sent you a PM, thanks.
VirusD - 4 years ago
@MichaelJ2
Your third file set with 3 AES keys has been decrypted. Please check your PM.
MichaelJ2 - 4 years ago
VirusD,
you have done a great job = D thank you very much.
All the hours you spend in all the people which have so many problem with this virus.
great job dude =)
thanks, thanks, thanks,
I wish you a great year and so much luck.
=) lifesaver
VirusD - 4 years ago
@Phranque
Your file has been decrypted. Please check your PM.
TouMoua - 4 years ago
Hi @VirusD, Something is wrong
fac: factoring 4868996127864428961506640739241829039192608443671166902618191331989571323573623279021549186575365530452790856212466799880941313494884671317634987484790625
fac: using pretesting plan: normal
fac: no tune info: using qs/gnfs crossover of 95 digits
nfs: checking for data file
nfs: commencing nfs on c118: 5651835859538041960479224118426904430040014472572144221037682524216984036328809270741793791809588075184369061609088673
nfs: continuing with sieving - could not determine last special q; using default startq
nfs: commencing rational side lattice sieving over range: 2550000 - 2590000
Special q lower bound 2550000 below FB bound 5.1e+006
nfs: could not open output file, possibly bad path to siever
fopen error: No such file or directory
could not open rels0.dat for reading
mattchis - 4 years ago
If you are using yafu make sure you edit the yafu.ini file and change the ggnfd_dir to be the absolute directory to the ggnfs. The you rerun yafu make sure you use option -R to resume where you left off.
TouMoua - 4 years ago
Thank you mattchis
mattchis - 4 years ago
Your Welcome! Let me know if you need any assistance
buicked - 4 years ago
Hello Mattchis, may you can help me. I've factorized AES key provided with these results
***factors found***
P2 = 11
P2 = 13
P4 = 1889
P4 = 2011
P7 = 2066161
P17 = 43139947558645811
P18 = 103218795670404923
P26 = 77130963109290819523624237
P35 = 12058197426925847593065276705097799
P46 = 1570809930014977448250207859770840762533273683
ans = 1
WHen i try to run unfactor.py, i get no AES public KEY, and these error.
C:\Program Files (x86)\Python>python unfactor.py pdfPMI.pdf.vvv 11 13 1889 2011
2066161 43139947558645811 103218795670404923 77130963109290819523624237 12058197
426925847593065276705097799 1570809930014977448250207859770840762533273683
Candidate AES private key: b'\xd4\x3d\xe9\x65\xa0\x42\xd6\x1b\x64\xb8\xe0\x02\xd
6\x01\xef\x32\xe3\xdf\x3b\xaa\x1f\x6f\x60\x1e\xbd\x7d\xe9\x8d\x62\xd8\xc6\x59' (
D43DE965A042D61B64B8E002D601EF32E3DF3BAA1F6F601EBD7DE98D62D8C659)
Traceback (most recent call last):
File "unfactor.py", line 34, in
Status
NameError: name 'Status' is not defined
Can you help me with this? Thanks in advance
ezeiniguez - 4 years ago
Hi @VirusD , I have sent you a PM. Can you help me?
Thanks in advance.
VirusD - 4 years ago
Sure thing. I'll handle it in the PM.
Lawrence Abrams - 4 years ago
Just a heads up to everyone. I will be creating a dedicated topic in the forums for these requests tomorrow. The job everyone is doing here is truly amazing and I appreciate all the help from those who are helping. You have truly embraced the spirit of BleepingComputer! The problem is that the comment system is not robust enough for this many comments, while the forums can handle it much better.
When I close down comments tomorrow, I will update the first post to include the new forum topic where people can ask for requests. Stay tuned!
NightbirD - 4 years ago
Great. Will everyone receive the new link you'll create? Thx in advance.
Lawrence Abrams - 4 years ago
I will make sure to post it as a comment and in the original story.
NightbirD - 4 years ago
Thx Grinler. Coogulator, VirusD, Goose, & other genius here have been wrote an impressive precedent. I dream of a great battlefront against cyber criminals, far beyond help the community.
VirusD - 4 years ago
Sounds good. Keeping track is difficult especially on the mailbox limitation and workload balancing.
VirusD - 4 years ago
@BIGSanja
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@ogulin
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@munozbasols
Your second file set has been decrypted. Please check your PM.
Hansdampf - 4 years ago
Need help with the encrytion. Cant write PM.
VirusD - 4 years ago
Completed the activation of your account to enable PMs.
engilo66 - 4 years ago
After 4 days and 4 nights yafu requires 80 hours to finish, help me
1CF27653599EDE8655F4F12B8DC2C736F48ACA14289DD0E69B7900266C220E0016CF8E558359F59ECAEA2ABDAA8A5DBECDCEDB6B78D92B267A077A5659F5F5E4
***factors found***
P1 = 2
P1 = 2
P1 = 5
P1 = 7
P1 = 7
P2 = 23
P2 = 53
P3 = 977
***co-factor***
C145 = 1298969043230357653523935645804272479640736370113507793094405826803271219
265322519622225738788917051143869205427348206888368463146210899344257847
VirusD - 4 years ago
It looks like your factoring process didn't complete. If you're willing, PM me a link to your file and I will try to decrypt it for you.
Almarma - 4 years ago
I come here after a success unencrypting a computer infected with Teslacrypt!!! It has been a fantastic feeling!!! I would like to point out, for those out there not programmers, who are trying to do it theirselves (it's very rewarding!!!):
1.- Follow the instructions here: https://github.com/Googulator/TeslaCrack/tree/9eb31d84f59d8689de9706e41e32db7bf3225b3d
2.- Try Yafu first, as it's much much faster than Msiege. If it fails, then try Msiege. To make Yafu work:
2.1.- Download it from here: http://sourceforge.net/projects/yafu/ and unzip it on C:\yafu\
2.2.- Download GGNFS from here: http://gilchrist.ca/jeff/factoring/index.html Nobody said about it, but it's a library needed by YAFU to work
2.3.- IMPORTANT: unzip the GGNFS files you downloaded to C:\ggnfs-bin\ so all the files from the zip are contained into that folder.
2.4.- IMPORTANT: go inside C:\yafu\ folder and edit yafu.ini file. From the text contained, remove the lines with this text:
%ggnfs_dir=..\ggnfs-bin\Win32\
%ecm_path=..\gmp-ecm\bin\x64\Release\ecm.exe
%ecm_path=../ecm/current/ecm
And also edit the following line: ggnfs_dir=../ggnfs-bin/
Replace the / with \, so at the end your yafu.ini file looks like this:
B1pm1=100000
B1pp1=20000
B1ecm=11000
rhomax=1000
threads=4
pretest_ratio=0.25
ggnfs_dir=..\ggnfs-bin\
tune_info= Intel(R) Xeon(R) CPU E5-4650 0 @ 2.70GHz,LINUX64,1.73786e-05,0.200412,0.400046,0.0987873,98.8355,2699.98
(NOTE the number of threads of your CPU. Mine has 4, but change it accordingly to yours).
Then, after editing and saving the changes inside yafu.ini, it will work perfectly!!!!
3.- Continue the TeslaCrack instructions. To use yafu instead of the other, type the command:
yafu-x64.exe factor(PUBLICKEY)
Of course, just replace the PUBLICKEY with your key, and don't forget the () on both sides of it ;)
THANK YOU PEOPLE, and happy New Year BTW ;)
hpoyarzunm - 4 years ago
VirusD
Dear, sending files encrypted link, thanks
https://drive.google.com/file/d/0B32fJ0BwusQ3ZlJ5WWdpNVpsNDQ/view?usp=sharing
VirusD - 4 years ago
I'm working on your files now.
VirusD - 4 years ago
@bepak
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@immo
Your file has FINALLY been decrypted. Please check your PM.
Zublov - 4 years ago
Dear VirusD thanks for your help.
Please my archive:
https://goo.gl/Kdx6RP
Thanks.
VirusD - 4 years ago
I'm working on your files now.
VirusD - 4 years ago
@hpoyarzunm
Your files have been decrypted. Please check your PM.
VirusD - 4 years ago
@Bausch
Your file has been decrypted. Please check your PM.
VirusD - 4 years ago
@Zublov
Your files have been decrypted. Please check your PM.
ilNebbioso - 4 years ago
Dear @VirusD (and all others, too!), first of all happy new year.
I followed the istructions posted on Github by Googulator, but I'm finding some problems on a W7 PC infected about on 15th Dec 2015. I'm using a W10 box with Python x64 2.7.11.
I successfully arrived to step 7 (step 6 skipped thanks to FactorDB website), installing and configuring all that was needed, but I receive a "No keys found, check your factors!".
So resuming: at point 4 I received the following HEXs:
- 1304652524FE3B8F313B60E8C5C847FA6A1599C94FA219E542216B50A132165336BD37BD014973CBE3EEC0BB4F48329CA8CD08CB3F440B84D7BE38D88C7889B2
- 2BEB226A835BAAFDAE427EE80AFABF9F47CCDCD09891A20E754C13236DBC373FD05D38E9A77979A369F3DAA88E62857DEEFAA346247D51D3D0DFAECD38E50538
As described, I converted the FIRST one from HEX to DEC using this tool: http://www.mathsisfun.com/binary-decimal-hexadecimal-converter.html
which gave me back the following DEC:
996009924338720530145756865497382675884354613492891202789131313982789773824510899026680945299915668342773916950528718767406963327576498418964693020871090
Then I moved to point 5 converting the DEC to factors, using:
http://factordb.com/index.php?query=996009924338720530145756865497382675884354613492891202789131313982789773824510899026680945299915668342773916950528718767406963327576498418964693020871090
I received back this primary numbers: 2 3 5 37 41 653 72467 25658767 30511905569 196914182562206136172582843969315965847041879748073026226801633473608704136378152217089259009782673140862970551351947302361
So I skipped point 6 and moved to 7, from an Administrator command prompt in Windows:
python unfactor-ecdsa.py "1.pdf.vvv" 2 3 5 37 41 653 72467 25658767 30511905569 196914182562206136172582843969315965847041879748073026226801633473608704136378152217089259009782673140862970551351947302361
I used "unfactor-ecdsa.py" because "unfactor.py" didn't gave me any result, just immediately come back to command prompt.
As I wrote you before, unfortunally I received a "No keys found, check your factors!" error. And, I cannot find anywhere on my box a factors.log file.
What's wrong?
Thank you so much to all can help. But also to the others! ;P;P;P
ps you can find some crypted files here: http://ge.tt/6DrGQHV2/v/0?c
**** SOLVED ****
1) I didn't understand well "3^2", which means a double as primaries: "2 3 3 5 37 41 653....."
2) the FactorDB website gave me a wrong (?) result. In fact, I used Yafu who gave me different values (I submitted to FactorDB the results too):
P1 = 2
P1 = 3
P1 = 3
P1 = 5
P2 = 37
P2 = 41
P3 = 653
P5 = 72467
P8 = 25658767
P11 = 30511905569
P15 = 810862734901963
P33 = 252958547807999849247493892787533
P41 = 12158223274173257560593441913151380805873
P35 = 78960552982798604681300308592094983
So, files decrypted! Thank you so much to everybody who made this hard job for all of us!!!!
Lawrence Abrams - 4 years ago
The comments for this article have now been disabled. To receive help with decrypting your files, please use this topic instead:
https://www.bleepingcomputer.com/forums/t/601379/teslacrypt-vvv-ccc-etc-files-decryption-support-requests/
Lawrence Abrams - 4 years ago
TeslaCrypt has closed its doors and released the master decrypt key. BloodDolly has already updated his tool so it can now decrypt all files encrypted by TeslaCrypt 3.0 and 4.x. More info here:
https://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/