Remove TeslaCrypt 3.0 and Restore .ttt Encrypted Files

The newest version of TeslaCrypt is here, and it is not playing around. It uses not one but three file extensions for the files it encrypts, one of which is .ttt. Many users have reported that it is causing problems with their sensitive files. The variant still uses a strong RSA encryption algorithm and uses Onion routing (Tor) to mask the location of the cyber-criminals during the ransom payment of about 500 US dollars. All users affected by TeslaCrypt should look for alternative means of restoring or decrypting their data, some of which are provided below, instead of paying the ransom.

Name: TeslaCrypt 3.0
Short Description: The ransomware Trojan may encrypt user files and connect to a remote host, to which it sends the decryption keys. Its aim is to extort money from users in return for the decryption of the infected files.
Symptoms: The user may see his files encrypted with the .xxx, .ttt and .micro file extensions.
Distribution Method: Via malicious links or attachments online. Via Trojan.Download.
Detection Tool: Download Malware Removal Tool, to see if your system has been affected by TeslaCrypt 3.0
User Experience: Join our forum to follow the discussion about TeslaCrypt 3.0.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files, and it may not recover 100% of the encrypted files but only a few of them, depending on the situation and whether or not you have reformatted your drive.

The .ttt Ransomware – How Did I Get It

TeslaCrypt 3.0 may be spread through Trojan horses such as the Miuref.B Trojan, which has been reported to download the previous version of the ransomware onto an infected computer.

Another way this threat may spread is through spam campaigns that send out messages in bulk via social networking spam bots or e-mail spamming technologies, as well as through comments on sites featuring third-party malicious web links. Such messages may contain malicious attachments, either archives or executable files. Some malicious files reported to infect users with malware were compromised macros in Microsoft Office or Adobe documents.

How Does the .ttt Extension Ransomware Work

Once activated on the user’s PC, the ransomware creates a randomly named .exe file in the user’s profile, in the following location:

→Appdata/Roaming/{randomly named file}.exe

Once this file is started, it creates a registry entry in the Windows Registry. It is mockingly named “meryHmas” and is located in the following Registry key:


As expected, the registry entry sets the random executable to run every time Windows starts, using the above-mentioned location and custom data.
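
One way to check a machine for the persistence described above, as an added example that is not part of the original article: this read-only PowerShell lists autorun values that launch an .exe sitting directly in AppData\Roaming or that are named meryHmas. The article does not give the registry key, so checking the standard Run and RunOnce keys is an assumption.

```powershell
# Added example (not from the article): read-only triage of autorun entries.
# Assumption: the article does not name the registry key, so the standard
# per-user and per-machine Run/RunOnce keys are checked here.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$roaming = [Environment]::GetFolderPath('ApplicationData')   # ...\AppData\Roaming

$findings = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }

    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)

        # Take the first path ending in .exe from the command line (quoted or not).
        $exe = $null
        if ($command -match '^\s*"?([^"]+?\.exe)') {
            $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
        }

        # Flag 1: executable placed directly in the Roaming folder, as described above.
        # Legitimate software normally starts from a vendor subfolder, not the root.
        $inRoamingRoot = $exe -and ([System.IO.Path]::GetDirectoryName($exe) -eq $roaming)
        # Flag 2: the value name reported in the article.
        $knownName = $name -eq 'meryHmas'
        if (-not ($inRoamingRoot -or $knownName)) { continue }

        $onDisk = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $command
            OnDisk  = [bool]$onDisk
            SHA256  = if ($onDisk) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No matching autorun entries found.' }
```

A hit is a lead to review, not a verdict: record the hash and path before any cleanup so the scanner results can be compared against them.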

Furthermore, the ransomware may also create other registry entries:


What is more, the ransomware may then begin to scan for files and encrypt them. It may scan for the following file formats:

→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

After finishing the encryption process, some of the files may be changed with the .ttt file extension, for example:


The ransomware is also reported to create other files on the user’s desktop and other locations that contain the ransom payment instructions. The files are named as follows:


Interestingly enough, the instructions are nearly identical to those of another notorious crypto-virus, called CryptoWall. Experts believe that this message has been used either to simplify and outsource the ransom payment using CryptoWall’s methods or to mask the actual identity of the virus.


The ransom message includes instructions on how to use Tor routing to establish an anonymous connection with the cyber-crooks and discuss the payment of the ransom money. It provides the affected user with a unique number that may identify him when anonymously communicating with them. It is strongly advisable NOT to pay the ransom money demanded by the TeslaCrypt 3.0 creators, since paying is no guarantee that you will get your encoded data back, and it funds the cyber-criminals to develop the crypto-virus further and make it more sophisticated.

Remove .ttt Ransomware Completely and Reset Your Registry Permissions

To get rid of TeslaCrypt 3.0 completely, we advise you to isolate the virus by going offline first. After this, it is recommended to download an anti-malware scanner on a safe PC and transfer it to the affected computer to scan it. This will make sure all malicious registry entries and other objects are detected and terminated.

1. Boot Your PC In Safe Mode to isolate and remove TeslaCrypt 3.0
2. Remove TeslaCrypt 3.0 with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by TeslaCrypt 3.0 in the future
Optional: Using Alternative Anti-Malware Tools

Restoring Files Encrypted With .ttt Extension

Security engineers strongly advise users NOT to pay the ransom money and to attempt restoring the files using other methods instead. Here are several suggestions:

To restore your data, your first bet is to check again for shadow copies in Windows using this software:

Shadow Explorer
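
Before browsing shadow copies, it helps to know which folders are affected and when the encryption started. The following read-only PowerShell is an added example, not part of the original article; the scan root and the use of file write times to estimate the start of encryption are assumptions.

```powershell
# Added example (not from the article): read-only inventory, nothing is modified.
$extensions = '.ttt', '.xxx', '.micro'     # extensions named in this article
$root = $env:USERPROFILE                   # assumption: scan the current user's profile

$hits = @(Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension })

if ($hits.Count -eq 0) {
    "No files with $($extensions -join ', ') found under $root"
} else {
    # Assumption: encryption rewrote each file, so the oldest write time
    # approximates when the encryption run started.
    $firstHit = ($hits | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    "{0} affected files, earliest write time {1:yyyy-MM-dd HH:mm}" -f $hits.Count, $firstHit

    # Folders with the most affected files, to prioritise what to restore.
    $hits | Group-Object DirectoryName | Sort-Object Count -Descending |
        Select-Object -First 15 Count, Name | Format-Table -AutoSize

    # Shadow copies taken before the first affected file (needs an elevated prompt).
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Where-Object { $_.InstallDate -lt $firstHit } | Sort-Object InstallDate -Descending)
    if ($shadows.Count -gt 0) {
        $shadows | Select-Object InstallDate, VolumeName, ID | Format-Table -AutoSize
    } else {
        'No shadow copy older than the first affected file (or not running elevated).'
    }
}
```

Any shadow copy listed predates the first affected file and is the one to open in Shadow Explorer first.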

If this method does not work, Kaspersky has provided decryptors for files encrypted with RSA and other encryption algorithms:
Kaspersky RectorDecryptor for RSA
Other Kaspersky Decryptors

Another method of restoring your files is by trying to bring back your files via data recovery software. Here are some examples of data recovery programs:

For further information you may check the following articles:
Remove RSA-2048 Key From Crypto Ransomware
Restore Files Encrypted via RSA Encryption

NOTE! Important notice about the TeslaCrypt 3.0 threat: Manual removal of TeslaCrypt 3.0 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in the basic education of every user in online safety.
