Remove TeslaCrypt 3.0 and Restore .ezz .xyz .exx Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove TeslaCrypt 3.0 and Restore .ezz .xyz .exx Encrypted Files

Reports have increased about a ransomware family called TeslaCrypt. The virus is reported to use a wide variety of file extensions, and new ones keep reappearing on different infected systems. This particular variant of the ransomware uses strong file encryption and pretends to be CryptoWall. Every user affected by the virus is strongly advised not to fund the cyber-criminals with ransom money and instead to deal with the threat manually, for which we have provided instructions after the article.

Name: TeslaCrypt 3.0
Type: Ransomware
Short Description: The ransomware Trojan may encrypt user files and connect to a remote host to which it sends the decryption keys. Its aim is to extort users for money in return for decrypting the affected files.
Symptoms: The user may witness their files being encrypted and renamed with various file extensions.
Distribution Method: Via malicious links or attachments online, as well as exploit kits and JavaScript Trojans.
Detection Tool: Download Malware Removal Tool, to see if your system has been affected by TeslaCrypt 3.0
User Experience: Join our forum to follow the discussion about TeslaCrypt 3.0.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.


TeslaCrypt 3.0 Ransomware – How Did I Get It

The infamous TeslaCrypt is spread through Trojan horses, which may have infected users earlier via harmful e-mail attachments or malicious URLs. Such Trojans typically gather system information, mainly which protection software and operating system the victim has. The Trojan may then connect to a remote host and download the TeslaCrypt ransomware. One example used for older versions of TeslaCrypt is JS.Downloader.Trojan, a malicious JavaScript Trojan that Symantec researchers have reported to carry the TeslaCrypt infection in heavily obfuscated form.

Besides that, the ransomware may spread directly via malicious e-mail attachments or malicious URLs sent over e-mail, posted in website comments, or shared in chat messages.

TeslaCrypt 3.0 – How Does It Work

Once this threat has been activated, it drops its payload file in the following location under a random name, for example:

C:\Users\User(name)\AppData\Roaming\198dg931.exe

The ransomware then modifies the Windows registry, creating several entries, including the mockingly named meryHmas one:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\meryHmas with settings for
“C:\Users\[username]\AppData\Roaming\}randomfilename{.exe”
HKCU\Software\}randomfilename{
HKCU\Software\xxxsys
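The persistence mechanism described above (a Run value pointing at a randomly named executable dropped directly under %AppData%\Roaming) is easy to check for from the defender's side. The following is an added example, not code from the article or from any removal tool it names: it flags Run entries whose command line points at a random-looking .exe in the Roaming folder. The SAMPLE_RUN_VALUES dictionary is constructed for illustration; on a Windows host the read_hkcu_run helper reads the live HKCU Run key via the standard winreg module instead. The page's HKCU\Software\xxxsys and HKCU\Software\{randomfilename} keys are not checked here.

```python
import re
import sys

# Constructed sample of HKCU\...\Run values (value name -> command line),
# modelled on the entries the article describes. Not real telemetry.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "meryHmas": r'"C:\Users\alice\AppData\Roaming\198dg931.exe"',
    "Steam": r'"C:\Program Files (x86)\Steam\steam.exe" -silent',
}

# An executable sitting directly under <drive>:\Users\<user>\AppData\Roaming
# with a short alphanumeric name, e.g. C:\Users\User\AppData\Roaming\198dg931.exe.
# Group 1 is the full path, group 2 the file name without ".exe".
ROAMING_EXE = re.compile(
    r"""^"?([A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\([A-Za-z0-9]{6,12})\.exe)"?""",
    re.IGNORECASE,
)


def looks_random(stem):
    """Heuristic: a mix of digits and letters is typical of a generated drop name."""
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def suspicious_run_entries(run_values):
    """Return [(value_name, exe_path)] for Run values matching the TeslaCrypt pattern."""
    hits = []
    for name, command in run_values.items():
        match = ROAMING_EXE.match(command.strip())
        if match and looks_random(match.group(2)):
            hits.append((name, match.group(1)))
    return hits


def read_hkcu_run():
    """Read the live HKCU Run key (Windows only; uses the standard winreg module)."""
    import winreg  # only importable on Windows

    values = {}
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    values = read_hkcu_run() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for name, path in suspicious_run_entries(values):
        print(f"suspicious Run value {name!r} -> {path}")
```

A hit is a starting point for triage, not proof of infection: legitimate updaters occasionally live under Roaming too, so confirm the file's hash and signature before deleting anything.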

The crypto-virus then uses its modules to scan for files to encrypt. It may scan for and encrypt files with the following file extensions:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

After finishing the encryption process the files encrypted may have the following file extensions added to them:

.xxx
.ttt
.ccc
.ecc
.exx
.vvv
.aaa
.abc
.micro

After changing the extension, the ransomware may drop the following ransom notes:

C:\Users\User\Desktop\Howto_Restore_FILES.BMP
C:\Users\User\Desktop\Howto_Restore_FILES.HTM
C:\Users\User\Desktop\Howto_Restore_FILES.TXT

These ransom notes aim to convince the user not to look for any other alternative and to pay the ransom money using the instructions featured in them.
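Two of the artifacts just described, the appended extensions and the three Howto_Restore_FILES.* notes, are what an administrator sees first on an affected machine. The following triage script is an added example, not code from the article or from any tool it recommends: it walks a directory tree, counts files carrying the extensions listed above (the list's ".abc" entry is assumed to be the intended reading), recovers the original extension from the double-extension file name where one is present, and collects the ransom notes. The build_sample_tree helper creates a constructed, empty-file imitation of a post-infection Desktop so the script runs offline; point triage at a real user profile to use it for scoping.

```python
import os
import tempfile
from collections import Counter

# Extensions TeslaCrypt appends after encryption, as listed in the article.
TESLACRYPT_EXTENSIONS = {".xxx", ".ttt", ".ccc", ".ecc", ".exx", ".vvv", ".aaa", ".abc", ".micro"}
# Ransom notes are dropped as Howto_Restore_FILES.BMP / .HTM / .TXT.
RANSOM_NOTE_STEM = "howto_restore_files"
RANSOM_NOTE_TYPES = {".bmp", ".htm", ".txt"}


def triage(root):
    """Scan root recursively; report encrypted files, their original types and ransom notes."""
    appended = Counter()   # appended (TeslaCrypt) extension -> count
    originals = Counter()  # original extension recovered from e.g. report.docx.vvv -> count
    encrypted = []
    notes = []
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            stem, ext = os.path.splitext(filename)
            ext = ext.lower()
            full = os.path.join(dirpath, filename)
            if stem.lower() == RANSOM_NOTE_STEM and ext in RANSOM_NOTE_TYPES:
                notes.append(full)
            elif ext in TESLACRYPT_EXTENSIONS:
                appended[ext] += 1
                original_ext = os.path.splitext(stem)[1].lower()
                originals[original_ext or "<none>"] += 1
                encrypted.append(full)
    return {
        "appended": dict(appended),
        "originals": dict(originals),
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
    }


def build_sample_tree():
    """Create a constructed sample profile (empty files only) and return its path."""
    root = tempfile.mkdtemp(prefix="teslacrypt_sample_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Three "encrypted" files with appended extensions plus one untouched file.
    for name in ("report.docx.vvv", "photo.jpg.ccc", "budget.xlsx.micro", "notes.txt"):
        open(os.path.join(docs, name), "w").close()
    for name in ("Howto_Restore_FILES.BMP", "Howto_Restore_FILES.HTM", "Howto_Restore_FILES.TXT"):
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print("encrypted files by appended extension:", result["appended"])
    print("original file types hit:", result["originals"])
    print("ransom notes:", len(result["notes"]))
```

The recovered original extensions tell you which data categories (documents, photos, spreadsheets) were hit, which is useful when deciding what to restore from backup first; the note paths show how far the ransomware walked the profile.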

Here is a part of the instructions featured in the ransom notes:

“What happened to your files?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
[…] IMPORTANT INFORMATION:
Your personal pages:
HTTP://{RANDOMSYMBOLS}(.)justmakeapayment.com/[…]
HTTP://{RANDOMSYMBOLS}(.)brsoftpayment.com/[…]
HTTP://{RANDOMSYMBOLS}(.)com/[…]
https://{RANDOMSYMBOLS}(.)onion.to/[…]
Your personal page (using TOR-Browser):
Your personal identification number (if you open the site (or TOR-Browser’s) directly): {ID}”

After seeing this message, the user may find their files without any icons and upon opening the files, Windows may display an error, stating they are corrupt.

Since the latest version of TeslaCrypt is available for sale on the black market, according to reports by Symantec researchers, users should expect even more new and unfamiliar extensions to appear shortly. Symantec’s report on TeslaCrypt infections, published on the 14th of December 2015, has shown a rapid increase in infections by this particular ransomware:


TeslaCrypt Detections Histogram since August (Source: Symantec)

Experts believe that this variant is in high demand because it is very effective and the methods it uses to spread are cunning and bypass most protections. Users, both inexperienced and advanced, should beware and take all the necessary precautions to protect their computers.

Remove TeslaCrypt 3.0 Completely

To be rid of this ransomware, we strongly advise isolating it by booting your device into Safe Mode without networking or disconnecting from the web. After this, we recommend installing anti-malware software, which will scan your device and remove the ransomware payload and any associated objects, wherever they may be concealed.

1. Boot Your PC In Safe Mode to isolate and remove TeslaCrypt 3.0
2. Remove TeslaCrypt 3.0 with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by TeslaCrypt 3.0 in the future
4. Restore files encrypted by TeslaCrypt 3.0
Optional: Using Alternative Anti-Malware Tools
NOTE! Important notice about the TeslaCrypt 3.0 threat: manual removal of TeslaCrypt 3.0 requires changes to system files and the registry and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

