Remove TeslaCrypt 3.0 Ransomware and Restore .xxx and .ttt Files - How to, Technology and PC Security Forum | SensorsTechForum.com


Users have reported that their files have been encrypted and renamed with the .xxx and .ttt file extensions. The culprit is TeslaCrypt, which has quite a reputation among ransomware viruses. The third variant of TeslaCrypt claims to use an encryption algorithm that is near impossible to break. Furthermore, the messages it drops resemble those of another famous ransomware virus, and many believe the two threats are created by the same hacking team. Affected users should not pay any ransom; instead they should remove the threat and try decrypting their files or restoring them from backup, following the instructions provided at the end of the article.

Name: TeslaCrypt 3.0
Type: Ransomware
Short Description: The ransomware Trojan may encrypt user files and connect to a remote host to which it sends the decryption keys. Its aim is to extort users for money in return for decrypting the encrypted files.
Symptoms: The user may see his files renamed with the .xxx and .ttt file extensions.
Distribution Method: Via malicious links or attachments online.
Detection Tool: Download a malware removal tool to see if your system has been affected by TeslaCrypt 3.0.
User Experience: Join our forum to follow the discussion about TeslaCrypt 3.0.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only some of them, depending on the situation and whether or not you have reformatted your drive.


TeslaCrypt 3.0 Ransomware – How Did I Get It

Such ransomware is spread via Trojans that may have previously infected the user's PC. This is very effective because the Trojan may first collect system information, such as the OS version and the security software installed on the machine. One of the Trojans used to download TeslaCrypt is reported to be the Miuref.B Trojan.

Another distribution method is via links shared in spam messages and malicious email attachments. Such emails may imitate a reputable service, for example a "Windows 10 Free Upgrade" offer or something similar. Users should be careful about what they open online and should always keep backups so that any damage caused by a TeslaCrypt 3.0 infection can be reverted.

TeslaCrypt 3.0 – How Does It Work

Once the file carrying the malicious payload has been activated on the victim's computer, the virus may create a randomly named .exe file in the following directory, for example:

C:\Users\User(name)\AppData\Roaming\12d120h21d.exe

After creating this file, the ransomware may create the following entries for it in the Windows Registry so that it starts whenever Windows boots:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\meryHmas with settings for “C:\Users\[username]\AppData\Roaming\}randomfilename{.exe”
HKCU\Software\}randomfilename{
HKCU\Software\xxxsys

After this, the ransomware may scan for and encrypt files with the following file extensions:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

After encrypting the user's files, the ransomware may change their extension to .xxx or .ttt. Its next step may be to create the following files on the user's desktop:

C:\Users\User\Desktop\Howto_Restore_FILES.BMP
C:\Users\User\Desktop\Howto_Restore_FILES.HTM
C:\Users\User\Desktop\Howto_Restore_FILES.TXT

These files all contain the following ransom instructions:

→”What happened to your files?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
[…] IMPORTANT INFORMATION:
Your personal pages:
HTTP://[SYMBOLS](.)justmakeapayment.com/[…] HTTP://[SYMBOLS](.)brsoftpayment.com/[…] HTTP://[SYMBOLS].com/[…] https://[SYMBOLS].onion.to/[…] Your personal page (using TOR-Browser):
Your personal identification number (if you open the site (or TOR-Browser’s) directly): […]

After this, the user may notice that his/her files no longer have a file icon, and opening one may produce a message similar to:

"This file is corrupt."

Finally, the ransom message includes instructions on how to use the Tor network to contact the cybercriminals anonymously and negotiate the ransom payment for file decryption. Experts advise affected users NOT to pay any ransom, because the money funds the cybercrime organization and allows it to make the threat more sophisticated, and paying may not bring the files back.
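The artifacts listed in this section (a randomly named .exe under AppData\Roaming started from the Run key, the HKCU\Software\xxxsys key, the Howto_Restore_FILES.* notes and the .xxx/.ttt renamed files) can be checked for in one read-only pass. The following triage script is an added example, not code from the article or from SensorsTechForum; it assumes it is run in the affected user's session and that $ScanRoot (default: the user profile) is where encrypted files are expected.

```powershell
# Added triage script (not part of the original article). Reports the TeslaCrypt 3.0
# indicators described above without deleting or changing anything.
# Assumptions: run as the affected user; $ScanRoot is the folder tree to inspect.
param([string]$ScanRoot = $env:USERPROFILE)

$findings = @()

# 1. Persistence: any Run value whose command points to an .exe under AppData\Roaming.
#    The article names the value 'meryHmas', but the .exe name is random, so match on the path.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        if ("$($p.Value)" -match '\\AppData\\Roaming\\[^\\]+\.exe') {
            $findings += "Run value '$($p.Name)' -> $($p.Value)"
        }
    }
}

# 2. The fixed key the article lists for this variant. The second key
#    (HKCU\Software\<randomfilename>) cannot be matched by name, so it is not checked here.
if (Test-Path 'HKCU:\Software\xxxsys') {
    $findings += 'Registry key HKCU\Software\xxxsys exists'
}

# 3. Ransom notes and renamed files on disk; one directory walk serves both checks.
$files = Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue
$notes = @($files | Where-Object { $_.Name -like 'Howto_Restore_FILES.*' })
foreach ($n in $notes) { $findings += "Ransom note: $($n.FullName)" }

$encrypted = @($files | Where-Object { $_.Extension -in '.xxx', '.ttt' })
if ($encrypted.Count -gt 0) {
    $findings += "$($encrypted.Count) file(s) carry the .xxx or .ttt extension under $ScanRoot"
    $findings += "Most recently modified: $(($encrypted | Sort-Object LastWriteTime -Descending | Select-Object -First 1).FullName)"
}

# Report. Every line above is evidence to preserve before cleanup, not something to act on automatically.
if ($findings.Count -eq 0) {
    Write-Output 'No TeslaCrypt 3.0 indicators found.'
} else {
    Write-Output 'TeslaCrypt 3.0 indicators found:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it before disconnecting and cleaning the machine so the Run value and file locations are recorded; the most recent .ttt/.xxx write time gives an upper bound on when encryption stopped.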

Remove TeslaCrypt 3.0 Completely and Clean Your Registry

In order to fully remove TeslaCrypt, it is important to isolate the threat first; the simplest way is to disconnect the computer from the internet. Then it is advisable to install an anti-malware tool to scan your computer and remove the malicious modules of the virus.

1. Boot Your PC In Safe Mode to isolate and remove TeslaCrypt 3.0
2. Remove TeslaCrypt 3.0 with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by TeslaCrypt 3.0 in the future
Optional: Using Alternative Anti-Malware Tools

After removing the malicious objects, some modified registry entries may remain. To reset your registry permissions for free, you may want to follow the instructions linked below.

How To Reset Registry Permissions In Windows and Fix Errors

Restoring Files Encrypted With .xxx and .ttt Extensions

Security engineers strongly advise users NOT to pay the ransom and to attempt restoring the files by other methods instead. Here are several suggestions:

To restore your data, your first option is to check whether Windows still holds shadow copies of your files, using this software:

Shadow Explorer
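Shadow Explorer browses the Volume Shadow Copy snapshots that Windows keeps; if you only have a command prompt, the same snapshots can be listed and exposed through a directory symbolic link. The script below is an added example, not from the article or from the Shadow Explorer project; it assumes an elevated PowerShell session, and $Index and $MountPoint are placeholder values you choose.

```powershell
# Added example (not part of the original article): list the Volume Shadow Copies still
# present and expose the chosen one read-only at a directory symlink, so pre-encryption
# versions of files can be copied out. Assumes an elevated prompt.
# $Index selects a snapshot from the printed list; $MountPoint is a path that must not exist yet.
param([int]$Index = 0, [string]$MountPoint = 'C:\shadow_view')

$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -eq 0) {
    Write-Output 'No shadow copies present on this system; Shadow Explorer will find nothing either.'
    return
}

# Print the candidates, oldest first: the oldest snapshot is the most likely to predate the infection.
for ($i = 0; $i -lt $shadows.Count; $i++) {
    $s = $shadows[$i]
    Write-Output ("[{0}] {1}  volume={2}  device={3}" -f $i, $s.InstallDate, $s.VolumeName, $s.DeviceObject)
}

if ($Index -lt 0 -or $Index -ge $shadows.Count) { throw "Index $Index is out of range" }
$chosen = $shadows[$Index]

# DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN.
# mklink needs the trailing backslash, otherwise the link does not resolve.
$target = $chosen.DeviceObject + '\'
if (Test-Path $MountPoint) { throw "$MountPoint already exists; pick an empty path" }

cmd.exe /c mklink /d "$MountPoint" "$target" | Out-Null
Write-Output "Snapshot taken $($chosen.InstallDate) is now browsable at $MountPoint"
Write-Output "Copy files out of it, then remove the link with: cmd /c rmdir `"$MountPoint`""
```

Copy recovered files to a clean location rather than over the encrypted originals, and keep the originals until you have confirmed the recovered versions open correctly.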

If this method does not work, Kaspersky has provided decryptors for files encrypted with RSA and other encryption algorithms:
Kaspersky RectorDecryptor for RSA
Other Kaspersky Decryptors

Another method of restoring your files is to try bringing them back with data recovery software. Here are some examples of data recovery programs:

For further information you may check the following articles:
Remove RSA-2048 Key From Crypto Ransomware
Restore Files Encrypted via RSA Encryption

You may also want to follow the discussions in our forum and ask for help, or share your experience:

Files Encrypted With Random File Extensions
Restore .vvv Files Encrypted by TeslaCrypt Ransomware
Restore Files Encrypted With .xxx .ttt and .micro File Extensions

NOTE! Important notice about the TeslaCrypt 3.0 threat: manual removal of TeslaCrypt 3.0 requires interfering with system files and the registry, so it can damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
