Remove Cryptesla 2.2.0 and Restore .vvv Encrypted Files

It has recently been reported that Cryptesla 2.2.0, a Trojan that is also ransomware, is downloaded onto victims' machines through an Adobe Flash vulnerability. It is better known as TeslaCrypt and encrypts files, appending a .vvv extension to them. Its latest installment is distributed through the Angler Exploit Kit and has also compromised a WordPress blog related to The Independent.

Name: Cryptesla 2.2.0
Type: Ransomware, Trojan
Short Description: This ransomware is part of the TeslaCrypt family. It is distributed via a massive malware campaign using unpatched vulnerabilities in sites and plugins.
Symptoms: The ransomware encrypts files and adds a .vvv extension to them. It creates files with decryption instructions in almost every folder and drops a new ransom note.
Distribution Method: Email attachments from spam emails, suspicious sites, exploit kits
Detection Tool: Download a malware removal tool to see if your system has been affected by Cryptesla 2.2.0
User Experience: Join our forum to discuss Cryptesla 2.2.0 ransomware.

The new ransom note looks like this:

[Image: Cryptesla 2.2.0 ransom note (decrypt instruction HTML)]

Cryptesla 2.2.0 Ransomware – Distribution Methods

The newest and most effective distribution method for the Cryptesla 2.2.0 ransomware is a vulnerability in Adobe Flash Player. If you run a slightly older version of it, the exploit automatically downloads TeslaCrypt, although it is also known to download CryptoLocker.

Another method of distribution is an attachment in an email that looks legitimate. This is one of the many emails reported to spread the ransomware:

→Dear Customer,
Please review the attached copy of your Invoice (number: NI237483478) for an amount of $500.32.
Thank you for your business.

The attachment may be named copy_invoice_89518498.zip; inside it is a file associated with the name http://softextrain64.com/86.exe. Most likely, other variations exist.

It may also be dropped by other malware, or picked up by visiting suspicious websites, social networks, or file-sharing services.

Cryptesla 2.2.0 Ransomware – Technical Description

Once executed, the latest Cryptesla 2.2.0 ransomware searches for files with the extensions known from previous variants:

→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

After the Cryptesla 2.2.0 threat finds files with these extensions, it encrypts them and appends the extension “.vvv”. This variant is known to use the RSA-2048 encryption algorithm.

The Trojan creates these registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\Run
    svv_e = “%Application Data%\[random filename].exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
    Windows\CurrentVersion\RunOnce
    *svv_e = “%Application Data%\[random filename].exe”

It does so to ensure it runs automatically at each system startup. (The asterisk prefix on the RunOnce value name is a Windows convention that makes the entry run even when the system is booted in Safe Mode.)

It will also delete Shadow Volume Copies:

→%System%\vssadmin.exe delete shadows /all /Quiet deletes shadow volume copies
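The two behaviours above, the Run/RunOnce autorun pointing into %Application Data% and the vssadmin shadow-copy deletion, are exactly the kind of host telemetry a defender can alert on. The following is an added detection example, not code from the article or from SensorsTechForum; it runs over a constructed, Sysmon-style event stream (the field names and sample paths are assumptions made for the example) and flags both indicators while leaving benign autoruns and read-only vssadmin usage alone.

```python
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (not taken from the article): minimal registry-set
# and process-creation events in the shape a Sysmon-style collector would emit.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "svv_e",
     "data": r"C:\Users\alice\AppData\Roaming\ksdjf82.exe"},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "*svv_e",  # asterisk prefix: runs even in Safe Mode
     "data": r"C:\Users\alice\AppData\Roaming\ksdjf82.exe"},
    {"type": "registry_set",  # benign autorun living under Program Files
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /Quiet"},
    {"type": "process_create",  # benign: listing shadows is an admin task
     "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},
]

# Autorun keys: ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# An .exe launched from the roaming AppData folder, in either the
# %Application Data% / %AppData% variable form or the expanded path form.
APPDATA_EXE = re.compile(
    r"(%Application Data%|%AppData%|\\AppData\\Roaming)\\[^\\]+\.exe\b",
    re.IGNORECASE)
# Shadow copy destruction regardless of argument order or casing.
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def check_event(ev: Dict[str, str]) -> Optional[str]:
    """Return a finding string if the event matches a Cryptesla behaviour, else None."""
    if ev["type"] == "registry_set":
        if AUTORUN_KEY.search(ev["key"]) and APPDATA_EXE.search(ev["data"]):
            return (f"autorun from AppData: {ev['key']}\\{ev['value']} "
                    f"-> {ev['data']}")
    elif ev["type"] == "process_create":
        if (ev["image"].lower().endswith("\\vssadmin.exe")
                and SHADOW_DELETE.search(ev["command_line"])):
            return f"shadow copy deletion: {ev['command_line']}"
    return None


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Run every event through check_event and collect the findings."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The shadow-deletion rule is the higher-value one: legitimate software almost never runs `vssadmin delete shadows`, so it can be alerted on outright, whereas an AppData autorun is common enough in consumer software that it is better treated as a correlating signal.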

Thus decryption is only possible if you captured the encryption key with a network sniffer while the files were being encrypted on your system. A network sniffer is a program and/or device that monitors data travelling over a network, such as Internet traffic and packets. If you had a sniffer in place before the attack, you may be able to recover information about the decryption key. The other way to get your files back is to restore them from backups kept on an external storage device.

The new ransom note resembles those of CryptoWall and CryptoLocker. It is known to initially demand a sum of around $500. We advise you not to pay the ransom, as there is no guarantee you will receive a decryption key, let alone a working one.

The ransomware can create thousands of files named decrypt.exe, decrypt.html, and decrypt.txt, along with the ransom note files Howto_RESTORE_FILES.html, how_recover+abc.txt and how_recover+abc.html.
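The .vvv extension and the ransom note filenames listed above are the file-system artifacts an incident responder inventories first: how many files were encrypted, what they originally were, and how widely the notes were dropped. The following is an added example, not code from the article or from SensorsTechForum; it builds a constructed sample directory tree (the folder and file names are assumptions made for the example) and scans it for those indicators, recovering the original extension from names of the form `report.docx.vvv`.

```python
import os
import tempfile
from collections import Counter
from typing import Dict

# Ransom note filenames the article attributes to Cryptesla 2.2.0 (compared case-insensitively).
RANSOM_NOTE_NAMES = {
    "decrypt.exe", "decrypt.html", "decrypt.txt",
    "howto_restore_files.html", "how_recover+abc.txt", "how_recover+abc.html",
}
ENCRYPTED_EXT = ".vvv"


def scan_for_cryptesla_artifacts(root: str) -> Dict[str, object]:
    """Walk root and summarise encrypted files, ransom notes and the folders they sit in."""
    encrypted = []
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif lower in RANSOM_NOTE_NAMES:
                notes.append(path)
    # "budget.xlsx.vvv" -> strip ".vvv", then read the remaining extension ".xlsx"
    original_exts = Counter(
        os.path.splitext(os.path.splitext(p)[0])[1].lower() for p in encrypted)
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "folders_with_notes": len({os.path.dirname(p) for p in notes}),
        "original_extensions": original_exts,
    }


def build_sample_tree(root: str) -> str:
    """Constructed sample (an assumption for this example): two hit folders, one clean folder."""
    layout = {
        "Documents": ["report.docx.vvv", "budget.xlsx.vvv",
                      "Howto_RESTORE_FILES.html", "how_recover+abc.txt"],
        "Pictures": ["holiday.jpg.vvv", "decrypt.html", "how_recover+abc.html"],
        "Clean": ["notes.txt", "readme.md"],
    }
    for folder, names in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("sample content\n")
    return root


def demo() -> Dict[str, object]:
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_cryptesla_artifacts(tmp)


if __name__ == "__main__":
    print(demo())
```

On a real machine you would point `scan_for_cryptesla_artifacts` at each user profile and mounted share; the per-extension counter tells you immediately which data types were hit and therefore which backup sets to restore first.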

Remove Cryptesla 2.2.0 Ransomware Completely

To completely remove the Cryptesla 2.2.0 ransomware from your computer, you should have at least some experience in removing viruses. We highly recommend that you back up your system files first. Afterwards, carefully follow the instructions provided here:

1. Boot Your PC In Safe Mode to isolate and remove Cryptesla 2.2.0
2. Remove Cryptesla 2.2.0 with SpyHunter Anti-Malware Tool
3. Remove Cryptesla 2.2.0 with Malwarebytes Anti-Malware.
4. Remove Cryptesla 2.2.0 with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by Cryptesla 2.2.0 in the future
NOTE! Important notice about the Cryptesla 2.2.0 threat: manual removal of Cryptesla 2.2.0 requires interfering with system files and the registry and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
