
Remove TeslaCrypt 3.0 and Restore .ttt Encrypted Files

The newest version of TeslaCrypt is here, and it is not playing about. In fact, it uses not one but three file extensions after it encrypts user files, and one of them is .ttt. Many users have reported that it is causing problems with their sensitive files. The variant still uses a strong RSA encryption algorithm and uses Onion routing (Tor) to mask the location of the cyber-criminals during the ransom payment of about 500 US dollars. All users affected by TeslaCrypt should look for alternative means of restoring or decrypting their data, some of which are provided at the end of this article, instead of paying the ransom.

Name: TeslaCrypt 3.0
Type: Ransomware
Short Description: The ransomware Trojan may encrypt user files and connect to a remote host to which it sends the decryption keys. Its aim is to extort users for money in return for the decryption of the infected files.
Symptoms: The user may witness his files being encrypted with the .xxx, .ttt and .micro file extensions.
Distribution Method: Via malicious links or attachments online. Via Trojan.Download.
Detection Tool: Download Malware Removal Tool to see if your system has been affected by TeslaCrypt 3.0
User Experience: Join our forum to follow the discussion about TeslaCrypt 3.0.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

The .ttt Ransomware – How Did I Get It

TeslaCrypt 3.0 may be spread through Trojan horses such as the Miuref.B Trojan, which has been reported to download the previous version of TeslaCrypt onto an infected computer.

Another way such a cyber-threat spreads may be spam email campaigns that send out messages to users en masse via social networking spam bots or e-mail spamming technologies, as well as comments on sites featuring third-party malicious web links. Such messages may contain malicious attachments that are either archives or executable files. Some of the malicious files reported to infect users with malware were Microsoft Office or Adobe documents with compromised macros.

How Does the .ttt Extension Ransomware Work

Once activated on the user’s PC, the ransomware creates a randomly named .exe file in the user’s profile, in the following location:

→Appdata/Roaming/{randomly named file}.exe

Once this file is started, it creates a registry entry in the Windows Registry. It is mockingly named “meryHmas” and is located under the following Registry key:

→HKCU\Software\Microsoft\Windows\CurrentVersion\Run\meryHmas

As expected, this Run entry points at the random executable in the above-mentioned location, so that it is started every time Windows boots.

Furthermore, the ransomware may also create other registry entries:

→HKCU\Software\{randomfilename}
HKCU\Software\xxxsys

What is more, the ransomware may then begin to scan for files and encrypt them. The file formats it scans for may be the following:

→sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

After finishing the encryption process, some of the files may be changed with the .ttt file extension, for example:

→Encryptedpicture.jpg.ttt

The ransomware is also reported to create other files on the user’s desktop and other locations that contain the ransom payment instructions. The files are named as follows:

Howto_Restore_FILES.BMP
Howto_Restore_FILES.HTM
Howto_Restore_FILES.TXT
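The registry and file indicators described above can be checked on a suspected host in one pass. The following read-only PowerShell triage script is an added example, not code from the original article or from the site's removal tool; it uses only the Run value name, registry key, drop location, extensions and ransom note names given in this article, and reports findings without deleting or modifying anything.

```powershell
# Added example (not from the original article): read-only triage of a Windows
# host for the TeslaCrypt 3.0 indicators listed in the text. Run it as the
# affected user; it changes nothing and only reports what it finds.
$findings = @()

# 1. Persistence: the "meryHmas" Run value named in the article, plus any Run
#    value that launches an .exe from AppData\Roaming (the reported drop location).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        $hit = ($p.Name -eq 'meryHmas') -or ($p.Value -like '*\AppData\Roaming\*.exe*')
        if ($hit) { $findings += "Run value '$($p.Name)' = $($p.Value)" }
    }
}

# 2. The additional key the article reports under HKCU\Software.
if (Test-Path 'HKCU:\Software\xxxsys') {
    $findings += 'Registry key present: HKCU\Software\xxxsys'
}

# 3. Encrypted files (three reported extensions) and ransom notes in the profile.
$encExt = @('.ttt', '.xxx', '.micro')
$notes  = @('Howto_Restore_FILES.BMP', 'Howto_Restore_FILES.HTM', 'Howto_Restore_FILES.TXT')
$files  = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue
$encrypted = $files | Where-Object { $encExt -contains $_.Extension.ToLower() }
$noteFiles = $files | Where-Object { $notes -contains $_.Name }

if ($encrypted) {
    $byExt = $encrypted | Group-Object { $_.Extension.ToLower() } |
             ForEach-Object { "$($_.Name)=$($_.Count)" }
    $findings += "Encrypted files by extension: $($byExt -join ', ')"
    # The appended extension sits after the real one (Encryptedpicture.jpg.ttt),
    # so BaseName recovers the original file name for recovery planning.
    $encrypted | Select-Object -First 5 | ForEach-Object {
        $findings += "  e.g. $($_.FullName) (original name: $($_.BaseName))"
    }
}
if ($noteFiles) {
    $dirs = $noteFiles.DirectoryName | Sort-Object -Unique
    $findings += "Ransom notes found in: $($dirs -join '; ')"
}

if ($findings.Count -eq 0) { 'No TeslaCrypt 3.0 indicators found.' }
else { 'TeslaCrypt 3.0 indicators:'; $findings | ForEach-Object { " - $_" } }
```

Because the dropped executable is randomly named, the Run value name alone is not a reliable match; the AppData\Roaming path check is what catches the persistence entry when the name differs.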

Interestingly enough, the instructions are nearly identical to those of another notorious crypto-virus called CryptoWall. Experts believe that this message has been reused either to simplify and outsource the ransom payment using CryptoWall’s methods or to mask the actual identity of the virus.


The ransom message includes instructions on how to use Tor routing to establish an anonymous connection with the cyber-crooks and discuss the payment of the ransom. It provides the affected user with a unique number that identifies him when communicating with them anonymously. It is strongly advisable NOT to pay the ransom demanded by the TeslaCrypt 3.0 creators, since there is no guarantee you will get your encoded data back, and paying funds the cyber-criminals to develop the crypto-virus further and make it more sophisticated.

Remove .ttt Ransomware Completely and Reset Your Registry Permissions

To completely get rid of TeslaCrypt 3.0, we advise you to isolate the virus by going offline first. After this, it is recommended to download an anti-malware scanner on a safe PC and transfer it to your computer to scan it. This will make sure all malicious registry entries and other objects are detected and terminated.

1. Boot Your PC In Safe Mode to isolate and remove TeslaCrypt 3.0
2. Remove TeslaCrypt 3.0 with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by TeslaCrypt 3.0 in the future
Optional: Using Alternative Anti-Malware Tools

Restoring Files Encrypted With .ttt Extension

Security engineers strongly advise users NOT to pay the ransom money and attempt restoring the files using other methods. Here are several suggestions:

To restore your data, your first bet is to check whether Windows still holds shadow copies of your files, using this software:

Shadow Explorer

If this method does not work, Kaspersky has provided decryptors for files encrypted with RSA and other encryption algorithms:
Kaspersky RectorDecryptor for RSA
Other Kaspersky Decryptors

Another method of restoring your files is to try bringing them back with data recovery software.

For further information you may check the following articles:
Remove RSA-2048 Key From Crypto Ransomware
Restore Files Encrypted via RSA Encryption

NOTE! Important notice about the TeslaCrypt 3.0 threat: Manual removal of TeslaCrypt 3.0 requires interfering with system files and the registry, and can therefore cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in about 5 minutes using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
