Become a fighter against malware and join the forum at SensorsTech!  The SensorsTech’s forum is the place where you can solve your PC issues and educate yourself about malware. You are welcome to discuss various security topics with our professional team and other users like you! To unlock all features of the forums, you have to create an account. Otherwise, you can only browse the topics without taking part in the discussions. To leave a comment or ask your questions, read our Registration Agreement and create your free account here.


*

never

  • *****
  • 119
  • +23/-0
  • Network Administrator and Malware Researcher
      • View Profile
  • Publish
  • Restore .vvv Files Encrypted by TeslaCrypt Ransomware
    « on: December 03, 2015, 03:17:42 pm »
    Attacks have reportedly increased by the eight version of TeslaCrypt. The ransomware itself has been reported to encrypt files with the questionable .vvv extension as well as others. Some people believe that the encrypted files are coded by a powerful RSA-2048 encryption algorhitm, howerver it is not known exactly how many and what algorhitms have been used as well as their strength. What is even worse is that the newest 8th variant of TeslaCrypt is so complicated that there is alsmost no way of decrypting the data in full.

    We advise users to monitor Cisco, Kaspersky and other big names focused partially on malware research since they have released successful decryptors for the previous versions of TeslaCrypt.

    Important:  Otherwise users can try the old decryptors, but bear in mind that the chance is extremely low, because every version uses different combination of file-encryption techniques and this one may have significantly improved its weak spots. However, on the other side in case there are situations where files may have been encrypted with less powerfull algorhitms(by different variants) there may be little or no chance for users to decrypt some of their files.



    Before trying the decryptors, make sure you save a copy of the encrypted files on a USB stick or any other external device and then make sure you have removed this malware completely or try decrypting them from a safe PC. In case you are using the file recovery tools, make sure you are offline, just in case.

    Here is a web link on how to remove this malware, before decrypting your data(It is Windows 10 based but the same principle applies for other Windows versions as well):

    http://sensorstechforum.com/forums/malware-removal-questions-and-guides/remove-malware-from-your-pc-completely/

    Here are the decryptors:

    The TeslaDecoder by BloodDolly

    TeslaDecoder by BloodDolly - http://www.dropbox.com/s/abcziurxly2380e/TeslaDecoder.zip?dl=0
    Latest Changelog for TeslaDecoder here - http://download.bleepingcomputer.com/BloodDolly/changelog.txt

    The Talos TeslaCrypt Decryption Tool
    Talos TeslaCrypt Decryption Tool by Cisco - https://github.com/vrtadmin/TeslaDecrypt/tree/master/Windows
    Also, here are the command lines for the Talos TeslaCrypt Decryption Tool:

        /help – Show the help message
        /key – Manually specify the master key for the decryption (32 bytes/64 digits)
        /keyfile – Specify the path of the “key.dat” file used to recover the master key.
        /file – Decrypt an encrypted file
        /dir – Decrypt all the “.ecc” files in the target directory and its subdirs
        /scanEntirePc – Decrypt “.ecc” files on the entire computer
        /KeepOriginal – Keep the original file(s) in the encryption process
        /deleteTeslaCrypt – Automatically kill and delete the TeslaCrypt dropper (note that the tool is also capable of killing its processes in case its active)


    EaseUS Data Recovery Wizard Free

    Here is a free program which uses different methods to search through your computer and recover files that are even deleted beyond all saving. It is no guarantee that it will work, but some say they have recovered at least 10 percent of their files and some other files were partially broken. So in case you want to try it out, here is the download link for the tool:

    http://www.easeus.com/datarecoverywizard/free-data-recovery-software.htm

    Shadow Explorer

    You may as well try running Shadow Explorer in case you have File History or backup enabled. You can download it from here, but note that TeslaCrypt may as well have malicious scripts that delete any backups and previous file versions. Here is the download link for Shadow Explorer:

    http://www.shadowexplorer.com/downloads.html

    Look for the latest version and you may as well download the portable one since it saves you time.

    This is as far as I can suggest, try it and reply whether or not you have been successful. Again, there is absolutely no guarantee that any of the methods are working, but we are talking about encrypted files here, after all so it may be worth the try.

    We urge users to let us know whether or not you have suceeded so that you assist us and other users by raising awareness of the weakspots of this malware.

    Best Regards,

    Never





    « Last Edit: December 04, 2015, 10:49:52 am by never »
    Guilty is the love of The Sin.

    *

    Statharas

    • *
    • 1
    • +0/-0
        • View Profile
  • Publish
  • Re: Restore .vvv Files Encrypted by TeslaCrypt Ransomware
    « Reply #1 on: December 05, 2015, 09:00:43 pm »
    Would like to mention how it kept running a process to clear shadow volumes on my mother's computer.

    Which ****'d up my NAS.

    The key.dat is located in the registry this time.

    *

    never

    • *****
    • 119
    • +23/-0
    • Network Administrator and Malware Researcher
        • View Profile
  • Publish
  • Re: Restore .vvv Files Encrypted by TeslaCrypt Ransomware
    « Reply #2 on: December 07, 2015, 09:05:19 am »
    Hello,

    How many did you lose (In GB) ? And did you lose them completely or are they solely encrypted ?

    Br,
    Never
    Guilty is the love of The Sin.

    *

    Execute

    • *****
    • 203
    • +38/-0
    • Your friendly neighbourhood IT guy
        • View Profile
  • Publish
  • Re: Restore .vvv Files Encrypted by TeslaCrypt Ransomware
    « Reply #3 on: December 07, 2015, 09:50:17 am »
    Would like to mention how it kept running a process to clear shadow volumes on my mother's computer.

    Which ****'d up my NAS.

    The key.dat is located in the registry this time.

    Do you have access to the "key.dat" file? If it's in the Windows Registry - can you see any information about it? Any "values" in the registry entries?

    Also, if there is a registry entry, there should be a file with the same name somewhere. Usually registry files are kept in C:\Windows directory (or where the OS is installed). The bad thing is, that the file might be stored somewhere over the internet with this variant.

    If you do find it on the disk of the PC, you should scan it with a security program first. You never know if there is some malware along with .dat files. Then, you should check if you can open the file with Notepad and see if the first line inside can give us more information about it.

    Write back with any info.
    There is no place like 127.0.0.1

    *

    Execute

    • *****
    • 203
    • +38/-0
    • Your friendly neighbourhood IT guy
        • View Profile
  • Publish
  • Re: Restore .vvv Files Encrypted by TeslaCrypt Ransomware
    « Reply #4 on: January 07, 2016, 11:51:23 am »
    We tried around 10 different decryptors, but only 1 of them tried to run and restore some files - Kaspersky's Rakhni Decryptor.

    Alas, no matter the type of file, be it a picture or some kind of document,
    Kaspersky's Rakhni Decryptor failed to decrypt any, even after 8 days of trying:



    We are currently testing out another method, that hopefully yields better results.

    Best Regards,
    Execute
    There is no place like 127.0.0.1


    *

    nkurunziza

    • *
    • 1
    • +0/-0
        • View Profile
  • Publish
  • dercryed document with vvv extention
    « Reply #6 on: July 15, 2016, 11:05:23 am »
    dercryed document with vvv extention

    Edit by sensadmin: I moved your post here, in a relative discussion.
    « Last Edit: July 15, 2016, 11:16:07 am by sensadmin »

    *

    Execute

    • *****
    • 203
    • +38/-0
    • Your friendly neighbourhood IT guy
        • View Profile
  • Publish
  • Re: dercryed document with vvv extention
    « Reply #7 on: July 15, 2016, 11:34:01 am »
    dercryed document with vvv extention

    Hello, @nkurunziza,

    what did you meant by that? You have a decrypted .vvv file, or you want such a file to be decrypted?

    And did you know that there is already a Decryption Key for TeslaCrypt, released by the ransomware makers themselves?

    You can read the article about the defeat of TeslaCrypt for more information.

    Write here if you got any questions.

    Best Regards,
    Execute
    There is no place like 127.0.0.1

    *

    Carlosacroi

    • *
    • 2
    • +0/-0
        • View Profile
  • Publish
  • Re: dercryed document with vvv extention
    « Reply #8 on: July 17, 2016, 11:15:54 am »
    dercryed document with vvv extention

    Edit by sensadmin: I moved your post here, in a relative discussion.

    *

    Execute

    • *****
    • 203
    • +38/-0
    • Your friendly neighbourhood IT guy
        • View Profile
  • Publish
  • Re: Restore .vvv Files Encrypted by TeslaCrypt Ransomware
    « Reply #9 on: July 18, 2016, 10:19:12 am »
    @Carlosacroi, what do you mean by that quote?  :-\
    I did not understand - do you have the same problem?

    Best Regards,
    Execute
    There is no place like 127.0.0.1

    *

    sktthemes

    • *
    • 1
    • +0/-0
        • View Profile
  • Publish
  • Re: Restore .vvv Files Encrypted by TeslaCrypt Ransomware
    « Reply #10 on: December 20, 2016, 10:29:59 am »
    hello, Can you help me?

    *

    Execute

    • *****
    • 203
    • +38/-0
    • Your friendly neighbourhood IT guy
        • View Profile
  • Publish
  • Re: Restore .vvv Files Encrypted by TeslaCrypt Ransomware
    « Reply #11 on: December 20, 2016, 11:34:37 am »
    hello, Can you help me?

    Hello.
    Maybe. What do you need help with?
    There is no place like 127.0.0.1

     


    Facebook Comments