Remove Cryptesla 2.2.0 and Restore .vvv Encrypted Files - How to, Technology and PC Security Forum

Remove Cryptesla 2.2.0 and Restore .vvv Encrypted Files


Recently, it has been reported that a Trojan that is also ransomware, called Cryptesla 2.2.0, is downloaded onto victims' machines through an Adobe Flash vulnerability. It is better known as TeslaCrypt and encrypts files, giving them a .vvv extension. Its latest installment is distributed through the Angler Exploit Kit and has also been served from a compromised WordPress blog related to The Independent.

Name: Cryptesla 2.2.0
Type: Ransomware, Trojan
Short Description: This ransomware is part of the TeslaCrypt family. It is distributed via a massive malware campaign that exploits unpatched vulnerabilities in sites and plugins.
Symptoms: The ransomware encrypts files and adds a .vvv extension to them. It creates files with decryption instructions in almost every folder and drops a new ransom note.
Distribution Method: Email attachments from spam emails, suspicious sites, exploit kits

The new ransom note looks like this:


Cryptesla 2.2.0 Ransomware – Distribution Methods

The newest and most effective distribution method for the Cryptesla 2.2.0 ransomware is a vulnerability in Adobe Flash Player. If you have a slightly older version of it, the Trojan automatically downloads TeslaCrypt, and it is known to download CryptoLocker as well.

Another distribution method is an attachment downloaded from an email that looks legitimate. This is one of the many emails reported to spread the ransomware:

→Dear Customer,
Please review the attached copy of your Invoice (number: NI237483478) for an amount of $500.32.
Thank you for your business.

The name of the attachment can be and inside a file can be found with the name. Most likely, there are other variations.

It may also be dropped by other malware, or picked up from suspicious websites, social networks and file sharing services.

Cryptesla 2.2.0 Ransomware – Technical Description

Once executed, the latest Cryptesla 2.2.0 ransomware will search for files with extensions known from previous variants:

→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

Once the Cryptesla 2.2.0 threat finds files with these extensions, it encrypts them and appends the “.vvv” extension. This variant is known to use the RSA-2048 bit encryption algorithm.

The Trojan creates these registry entries:

    svv_e = “%Application Data%\[random filename].exe”
    *svv_e = “%Application Data%\[random filename].exe”

It does so to enable its automatic execution at each system startup.

It will also delete the Shadow Volume Copies, so that Windows cannot restore previous versions of the files, by running:

→%System%\vssadmin.exe delete shadows /all /Quiet

So, decryption is only possible if you use a network sniffer to capture the encryption key while the files are being encrypted on your system. A network sniffer is a program and/or device that monitors data traveling over a network, such as its Internet traffic and packets. If you had a sniffer in place before the attack happened, you might recover information about the decryption key. The other way to get your files back is to restore them from backups kept on an external storage device.

The new ransom note looks like CryptoWall’s and CryptoLocker’s. It is known to demand a sum of around $500 at first. We advise you not to pay the ransom, as there is no guarantee you will get a decryption key, let alone a working one.

The ransomware can create thousands of files with the names decrypt.exe, decrypt.html and decrypt.txt, along with the ransom note files Howto_RESTORE_FILES.html, how_recover+abc.txt and how_recover+abc.html.
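As an added triage example (not code from the original article), the script below walks a directory tree and reports the .vvv files, recovers each original file name by stripping the appended extension, lists the ransom-note files named above, and flags a process command line that matches the vssadmin shadow-copy deletion quoted above. The sample tree is constructed in a temporary directory; the assumption is that the ransomware only appends ".vvv" and leaves the original name intact, as the article describes.

```python
import os
import re
import tempfile
from pathlib import Path

# Ransom-note and helper file names the article attributes to Cryptesla 2.2.0
RANSOM_NOTE_NAMES = {
    "howto_restore_files.html", "how_recover+abc.txt", "how_recover+abc.html",
    "decrypt.txt", "decrypt.html", "decrypt.exe",
}

# Matches the shadow-copy deletion command quoted in the article (case-insensitive)
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.IGNORECASE)


def triage_tree(root):
    """Walk `root`; return .vvv files paired with the recovered original name,
    plus any ransom-note files found along the way."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = str(Path(dirpath, name))
            if name.lower().endswith(".vvv"):
                encrypted.append((path, name[:-len(".vvv")]))  # strip appended ext
            elif name.lower() in RANSOM_NOTE_NAMES:
                notes.append(path)
    return {"encrypted": encrypted, "notes": notes}


def is_shadow_deletion(command_line):
    """True for a process command line that wipes all shadow copies."""
    return bool(VSSADMIN_RE.search(command_line))


def demo():
    # Constructed sample tree standing in for an infected user profile
    root = tempfile.mkdtemp()
    for rel in ("docs/report.docx.vvv", "docs/Howto_RESTORE_FILES.html",
                "pics/cat.jpg.vvv", "pics/how_recover+abc.txt", "readme.txt"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
    return triage_tree(root)


if __name__ == "__main__":
    report = demo()
    for path, original in report["encrypted"]:
        print(f"encrypted: {path} (was {original})")
    for path in report["notes"]:
        print(f"ransom note: {path}")
    print(is_shadow_deletion(r"%System%\vssadmin.exe delete shadows /all /Quiet"))
```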

Remove Cryptesla 2.2.0 Ransomware Completely

To completely remove the Cryptesla 2.2.0 Ransomware from your computer, you should have at least some experience in removing viruses. We highly recommend that you back up your system files first. Afterwards, carefully follow the instructions provided here:

1. Boot Your PC In Safe Mode to isolate and remove Cryptesla 2.2.0
2. Remove Cryptesla 2.2.0 with SpyHunter Anti-Malware Tool
3. Remove Cryptesla 2.2.0 with Malwarebytes Anti-Malware
4. Remove Cryptesla 2.2.0 with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by Cryptesla 2.2.0 in the future
NOTE! Important notice about the Cryptesla 2.2.0 threat: manual removal of Cryptesla 2.2.0 requires interfering with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes using a malware removal tool.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
