Remove TeslaCrypt 3.0 and Restore .xxx Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove TeslaCrypt 3.0 and Restore .xxx Encrypted Files

Users have reported that the latest version of TeslaCrypt can infect users with three types of extensions – .ttt, .xxx and .micro. Researchers report that the ransomware Trojan uses a strong RSA encryption algorithm. Furthermore, its ransom message and instructions are identical to those of another ransomware infection, called CryptoWall. All users whose files have been encrypted with one of these extensions should immediately take action to remove the virus and restore their files. Paying the ransom is strongly NOT advisable.

Name: TeslaCrypt 3.0
Type: Ransomware
Short Description: The ransomware Trojan may encrypt user files and connect to a remote host to which it sends the decryption keys. Its aim is to extort users for money in return for the decryption of the infected files.
Symptoms: The user may see their files being encrypted with the .xxx, .ttt and .micro file extensions.
Distribution Method: Via malicious links or attachments online.
Detection Tool: Download Malware Removal Tool, to see if your system has been affected by TeslaCrypt 3.0
User Experience: Join our forum to follow the discussion about TeslaCrypt 3.0.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.


The .xxx Ransomware – How Did I Get Infected

The third version of TeslaCrypt is usually downloaded by a Trojan.Downloader that has previously infected the victim’s PC. Such a Trojan may open a port, connect to the cyber-criminals’ host and transfer information about the user’s system. This information may then be used to download the .xxx extension ransomware’s executable onto the user’s PC. One of the downloaders used to spread a TeslaCrypt variant is reported to be the Miuref.B Trojan.

Other methods of infection may include redirecting web links or malicious e-mail attachments.

How Does the .xxx Extension Ransomware Work

After it has been activated, the ransomware may create an executable file in the following location:

→C:\Users\{username}\AppData\Roaming\{randomly named file}.exe

Once started, the file may tamper with the Windows Registry to create the following registry entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\meryHmas with custom data in it, so that the file runs every time Windows starts.
  • HKCU\Software\{randomfilename}
  • HKCU\Software\xxxsys
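The following PowerShell script is an added example, not code from the original article, that checks the current user's hive for the persistence entries listed above. The value name meryHmas, the key HKCU\Software\xxxsys and the AppData\Roaming drop location are taken from the article; the randomly named key cannot be matched by name, so the script instead flags any Run value whose command launches from the Roaming profile. It only reports; nothing is deleted.

```powershell
# Added example (not from the original article): look for the TeslaCrypt 3.0
# persistence indicators the article describes, in the current user's hive.
# Run as the affected user (the entries live under HKCU, not HKLM).

$findings = @()

# 1. The Run value the article names, which restarts the dropper on every logon.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue

if ($run) {
    if ($run.PSObject.Properties.Name -contains 'meryHmas') {
        $findings += [pscustomobject]@{ Indicator = 'Run value meryHmas'; Detail = $run.meryHmas }
    }

    # 2. Any Run value whose command lives in %AppData%\Roaming\<something>.exe,
    #    the drop location given in the article. Legitimate software also
    #    installs there, so each hit needs a manual look before removal.
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match '\\AppData\\Roaming\\[^\\]+\.exe') {
            $findings += [pscustomobject]@{ Indicator = "Run value '$($p.Name)' launches from Roaming"; Detail = $p.Value }
        }
    }
}

# 3. The marker key the article names.
if (Test-Path 'HKCU:\Software\xxxsys') {
    $findings += [pscustomobject]@{ Indicator = 'Key HKCU\Software\xxxsys present'; Detail = '' }
}

if ($findings.Count -eq 0) {
    Write-Output 'No TeslaCrypt 3.0 registry indicators found in HKCU.'
} else {
    $findings | Format-Table -AutoSize
    # Export the key before touching it so the change can be reverted:
    #   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run-backup.reg
    Write-Output 'Review each entry before removal and export the key first.'
}
```

Run this from a normal PowerShell window (no elevation is needed for HKCU). A hit on the meryHmas value or the xxxsys key matches the article's indicators directly; a hit on the Roaming rule only tells you where to look.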

The ransomware module may begin to scan for different files in order to encrypt them, so that they appear corrupt when opened. Here are some of the file extensions TeslaCrypt may encrypt:

→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

After encryption has completed, the files may be renamed with the .xxx extension (or one of the other two extensions) appended to the original file name. An example of an encrypted file is:

→Encryptedpicture.jpg.ttt

The crypto-virus has also been reported to create ransom note files on the user’s desktop.

→Howto_Restore_FILES.BMP
Howto_Restore_FILES.HTM
Howto_Restore_FILES.TXT

They contain a message almost identical to CryptoWall, making it more difficult to identify that the virus is actually TeslaCrypt. The ransom message also features a custom code for the affected user and instructions on how to use Tor networking to contact the cyber-criminals anonymously. The ransom money demanded is around 500 US dollars.

Furthermore, TeslaCrypt 3.0 may be able to delete volume shadow copies in Windows, and it may become increasingly sophisticated with time. Since paying the ransom is no guarantee that the files will be restored, it is not advisable to do so. In addition, paying allows the cyber-crooks to further develop their threat.
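Before removal and recovery it helps to know how far the encryption got and whether the shadow copies the article mentions still exist. The following PowerShell script is an added example, not code from the original article; the three extensions, the ransom note file names and the shadow-copy behaviour come from the article, while the scan root (the current user's profile) is an assumption you can change.

```powershell
# Added example (not from the original article): inventory the files renamed by
# TeslaCrypt 3.0, locate the ransom notes, and check whether any volume shadow
# copies survived, so the incident can be scoped before cleanup.

$scanRoot   = $env:USERPROFILE                     # assumption: scan the current user's profile
$extensions = @('.xxx', '.ttt', '.micro')          # appended to the original name, e.g. picture.jpg.ttt
$noteNames  = @('Howto_Restore_FILES.BMP', 'Howto_Restore_FILES.HTM', 'Howto_Restore_FILES.TXT')

$files = Get-ChildItem -Path $scanRoot -Recurse -File -Force -ErrorAction SilentlyContinue

# The new extension is appended, so $_.Extension is the ransomware's and
# $_.BaseName still ends in the original type (e.g. "picture.jpg").
$encrypted = $files | Where-Object { $extensions -contains $_.Extension.ToLower() }
$notes     = $files | Where-Object { $noteNames -contains $_.Name }

Write-Output ("Encrypted files found under {0}: {1}" -f $scanRoot, @($encrypted).Count)
$encrypted |
    Group-Object { [IO.Path]::GetExtension($_.BaseName).ToLower() } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'OriginalType'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Folders containing a ransom note mark where the encryption pass reached.
Write-Output ("Ransom notes found: {0}" -f @($notes).Count)
$notes | Select-Object -ExpandProperty DirectoryName -Unique

# The earliest note approximates when encryption began, useful for choosing a backup.
$first = $notes | Sort-Object CreationTime | Select-Object -First 1
if ($first) { Write-Output ("Earliest ransom note created: {0}" -f $first.CreationTime) }

# If no shadow copies remain, Shadow Explorer will have nothing to restore from.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
Write-Output ("Volume shadow copies present: {0}" -f @($shadows).Count)

# Keep the list of affected files for later restoration attempts.
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $scanRoot 'teslacrypt-encrypted-files.csv') -NoTypeInformation
```

Run it as the affected user; querying Win32_ShadowCopy may require an elevated prompt, in which case the last count simply reads 0 and should be rechecked with administrator rights. The CSV gives you a list to work from once you try Shadow Explorer or a file recovery tool.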

Remove .xxx Ransomware Completely and Reset Your Registry Permissions

In order to get rid of TeslaCrypt 3.0 completely, it is strongly recommended to boot into Safe Mode and stay offline, to isolate the threat and any third-party applications. After doing so, we advise scanning your computer with an advanced anti-malware scanner that will discover and delete the malicious files of the TeslaCrypt ransomware. This will ensure that all objects associated with the crypto-virus, other than the encrypted files themselves, are removed permanently.

1. Boot Your PC In Safe Mode to isolate and remove TeslaCrypt 3.0
2. Remove TeslaCrypt 3.0 with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by TeslaCrypt 3.0 in the future
Optional: Using Alternative Anti-Malware Tools

Restoring Files Encrypted With the .xxx, .ttt and .micro Extensions

Security engineers strongly advise users NOT to pay the ransom and to attempt restoring the files using other methods instead. Here are several suggestions:

To restore your data, the first option is to check again for shadow copies in Windows using this software:

Shadow Explorer

If this method does not work, Kaspersky has provided decryptors for files encrypted with RSA and other encryption algorithms:
Kaspersky RectorDecryptor for RSA
Other Kaspersky Decryptors

Another method of restoring your files is to try data recovery software. Here are some examples of data recovery programs:

For further information you may check the following articles:
Remove RSA-2048 Key From Crypto Ransomware
Restore Files Encrypted via RSA Encryption

NOTE! Important notice about the TeslaCrypt 3.0 threat: manual removal of TeslaCrypt 3.0 requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
