
mcinn

HELP! My files were encrypted with strong RSA-4096 encryption!
« on: December 14, 2015, 04:39:16 pm »
Research indicates that a new ransomware or a new variant of a well-known ransomware is currently using RSA-4096 encryption algorithm. This is how the ransomware message file, dropped in all folders looks like:

Quote
NOT YOUR LANGUAGE? USE https://translate.google.com
What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.[...]

The infection process most likely follows the following mechanism:

  1. The user receives a suspicious email containing an infected link.
  2. The user is redirected to a page that hosts the Nuclear EK (or some other exploit kit).
  3. Trojan:Win32/Miuref:B, or another infostealer, harvests information about the system.
  4. If the system 'meets' the requirements (e.g. the Trojan checks if the system is 32-bit), the ransomware payload is dropped onto it.

More information about the strong RSA-4096 encryption can be found here: http://sensorstechforum.com/rsa-4096-encryption-employed-by-ransomware/ Unfortunately, this encryption appears to be practically unbeatable.

If you have been affected by the ransomware employing the RSA-4096 encryption, share your experience. You can share the following details:
  • names of file extensions added to your files
  • the name of the Trojan that has dropped the ransomware (an AV program should detect it)
  • anything else you notice and find important to add here

We need to spread the word, so other users don't get attacked by the malicious threat.
« Last Edit: December 14, 2015, 04:55:50 pm by sensadmin »

Re: HELP! My files were encrypted with strong RSA-4096 encryption!
« Reply #1 on: December 15, 2015, 04:20:01 pm »
All my files are encrypted with RSA-4096.

I cannot open any file. They are asking for 500 USD for the decryption key. Can anybody please help me decrypt my files, as I don't have any backup to restore from? I found a ransomware file in every folder of mine with the following message.

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://k5fxm4dl35qk323d.justmakeapayment(.)com/C4C7E228B871A3A4
2. http://phfnchd6d3frwe84.brsoftpayment(.)com/C4C7E228B871A3A4
3. http://tsbfdsv.extr6mchf(.)com/C4C7E228B871A3A4
4. https://o7zeip6us33igmgw.onion(.)to/C4C7E228B871A3A4
5. https://o7zeip6us33igmgw.tor2web(.)org/C4C7E228B871A3A4
6. https://o7zeip6us33igmgw.onion(.)cab/C4C7E228B871A3A4
 
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject(.)org/projects/torbrowser(.)html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: o7zeip6us33igmgw(.)onion/C4C7E228B871A3A4
4. Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal pages:
http://k5fxm4dl35qk323d.justmakeapayment(.)com/C4C7E228B871A3A4
http://phfnchd6d3frwe84.brsoftpayment(.)com/C4C7E228B871A3A4
http://tsbfdsv.extr6mchf(.)com/C4C7E228B871A3A4
https://o7zeip6us33igmgw.onion(.)to/C4C7E228B871A3A4 
Your personal page (using TOR-Browser): o7zeip6us33igmgw(.)onion/C4C7E228B871A3A4
Your personal identification number (if you open the site (or TOR-Browser's) directly): C4C7E228B871A3A4

Looking forward to help...

Edit by Admin: I have modified the links, so they are unclickable (just in case).
« Last Edit: May 25, 2018, 11:50:58 am by sensadmin »

mcinn

Re: HELP! My files were encrypted with strong RSA-4096 encryption!
« Reply #2 on: December 16, 2015, 11:56:57 am »
Hi, Ehtesham Javed,

Unfortunately, if you don't have a clean backup of your files, nothing can be done. This particular encryption is quite strong and for now there's no solution on how to beat it...

Nonetheless, you should read more about the TeslaCrypt ransomware and its ways:
http://sensorstechforum.com/remove-teslacrypt-rsa-4096-can-vvv-files-be-restored/

There are things you can do from now on to protect yourself from cyber threats, including backing up your data and improving your PC habits. In your current situation and without a decryption key you won't be able to restore the encrypted files. I am very sorry to be the one to tell you that!

Have you scanned your system with an anti-malware program to remove the leftovers of the ransomware? Do you have any suspicions about the way you got infected with it?
« Last Edit: December 16, 2015, 11:58:47 am by sensadmin »

Execute

Re: HELP! My files were encrypted with strong RSA-4096 encryption!
« Reply #3 on: January 07, 2016, 12:08:46 pm »
@Ehtesham Javed,

We tested around 10 different decryptors, but only 1 of them tried to run and restore some files. That was Kaspersky's Rakhni Decryptor.

No matter what the files were, pictures, documents etc., Rakhni Decryptor failed to decrypt them, even after 8 days of trying.

We are currently performing tests using another method, which hopefully will yield better results.

Best Regards,
Execute

mcerdem

Re: HELP! My files were encrypted with strong RSA-4096 encryption!
« Reply #4 on: January 23, 2016, 09:54:13 pm »
@ Ehtesham Javed,

Did you decrypt your files? Also, what is the extension of your encrypted files?

Re: HELP! My files were encrypted with strong RSA-4096 encryption!
« Reply #5 on: January 25, 2016, 12:35:22 pm »
No, I didn't decrypt my files yet, still looking for help.... My files' current extension is .VVV.

mcerdem

Re: HELP! My files were encrypted with strong RSA-4096 encryption!
« Reply #6 on: January 27, 2016, 10:41:22 pm »
Please send me a couple of your .vvv files, or upload them here and share the files as attachments.
« Last Edit: May 27, 2016, 12:35:48 pm by Execute »

Execute

Re: HELP! My files were encrypted with strong RSA-4096 encryption!
« Reply #7 on: May 27, 2016, 12:38:54 pm »
Now there is a solution! TeslaCrypt has been defeated!

This is the MASTER decryption key: 440241DD80FCC5664E86198DB716E08CE627D8D40C7EA360EA855C7EA360AE885C727A49EE

You can decrypt files encrypted by any variant/version of TeslaCrypt (.ccc, .vvv, .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .xxx, .ttt, .micro, .mp3 or with no extension).

In "The End of TeslaCrypt" article you can find more information about how to decrypt your files and about what tools you can use to do it!

If you still need help or have any questions, feel free to ask them!
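As an added example (not code from the thread or from any of its posters), here is a small Python triage script a defender might run before reaching for a decryptor: it walks a directory tree, counts files by the TeslaCrypt extensions Execute lists above, and locates ransom notes by the wording quoted in the first two posts, so a victim can answer mcinn's question about extensions and confirm the variant. The sample tree, the note file name `ransom_note.txt` and its content are constructed for this example.

```python
import os
import tempfile
from collections import Counter

# Extensions TeslaCrypt appended, per Execute's list above (.mp3 also collides with real audio).
TESLACRYPT_EXTENSIONS = {".ccc", ".vvv", ".ecc", ".ezz", ".exx", ".xyz", ".zzz",
                         ".aaa", ".abc", ".xxx", ".ttt", ".micro", ".mp3"}
# Two phrases from the ransom note quoted in the thread; both must appear in a note.
NOTE_MARKERS = ("NOT YOUR LANGUAGE? USE", "RSA-4096")

def triage(root):
    """Return (Counter of encrypted-file extensions, list of ransom-note paths) under root."""
    counts = Counter()
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in TESLACRYPT_EXTENSIONS:
                counts[ext] += 1
            elif ext in (".txt", ".html"):
                # Notes are small text files: read only the head and tolerate odd encodings.
                try:
                    with open(path, "r", errors="ignore") as fh:
                        head = fh.read(4096)
                except OSError:
                    continue
                if all(marker in head for marker in NOTE_MARKERS):
                    notes.append(path)
    return counts, notes

def build_sample_tree():
    """Constructed sample data: encrypted files plus a note in every folder (hypothetical note name)."""
    root = tempfile.mkdtemp(prefix="teslacrypt_triage_")
    note = ("NOT YOUR LANGUAGE? USE https://translate.google.com\n"
            "All of your files were protected by a strong encryption with RSA-4096.\n")
    layout = {"Documents": ["report.docx.vvv", "budget.xlsx.vvv", "todo.txt"],
              "Pictures": ["holiday.jpg.ccc"]}
    for folder, files in layout.items():
        folder_path = os.path.join(root, folder)
        os.makedirs(folder_path)
        for name in files:
            with open(os.path.join(folder_path, name), "w") as fh:
                fh.write("constructed sample content\n")
        with open(os.path.join(folder_path, "ransom_note.txt"), "w") as fh:
            fh.write(note)
    return root

if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Point `triage()` at the real root of an affected volume to get the per-extension counts and the list of note locations; the counts tell you which of the listed variants you are dealing with before you run a decryptor.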