Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove TeslaCrypt and Restore .vvv Encrypted Files

A new variant of the nefarious TeslaCrypt ransomware is circling the Web. This time, the malicious threat is encrypting files in a .vvv file format. Once it affects your system, it will create thousands of files inside multiple folders, along with “how_recover+abc” files to which a ransom note is attached.

teslacrypt-8-variant-.vvv-extension-decryption-page-ransom-note-decrypt-how-recover

NameTeslaCrypt
TypeRansomware, Ransomware Trojan
Short DescriptionEncrypts the user’s files. No decryption key is stored on the computer.
SymptomsEncrypts files with a .vvv extension, creates decrypt.exe, decrypt.html, and decrypt.txt files in almost every folder. Drops a new ransom note in how_recover+abc.html and how_recover+abc.txt files.
Distribution MethodEmail Attachments, Spam Emails, Suspicious Sites
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by TeslaCrypt
User ExperienceJoin our forum to discuss the TeslaCrypt Ransomware.

TeslaCrypt Ransomware – How Did I Get It?

We have already seen other members of this ransomware family around the Web. Learn more about TeslaCrypt and AlphaCrypt.

Ransomware such as TeslaCrypt could enter your system in a number of ways.

The most common distribution method known is through malicious email attachments and spam emails. There are even cases, where the email body itself contains a malicious code and upon opening the email, the user infects his computer with it, even if he doesn’t open the attachment inside.

Social networks and file sharing services may also contain the TeslaCrypt ransomware, disguised as a regular file. Keep in mind that TeslaCrypt may hide in dubious websites as well. Once you visit such a website, you risk infecting your system with TeslaCrypt without you even knowing it.

TeslaCrypt Ransomware – Description

Once executed, the latest TeslaCrypt ransomware will search for files with more than 150 extensions, and more specifically the following ones:

→.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

After TeslaCrypt threat finds files with these extensions, it will encrypt them with the extension “.vvv”. This variant does not use data files like the previous one, nor does it store information about the decryption key on the compromised computer.

So, decryption is possible, by using a Network Sniffer to get the encryption key, while files are encrypted on your system. A Network Sniffer is a program and/or device monitoring data traveling over a network, such as its internet traffic and internet packets. If you have a sniffer set before the attack happened you might get information about the decryption key. Another way to get your files back is to restore them if you have backups on an external storage device. Other potential ways for decryption are included in the instructions at the end of the article.

In the ransom note it is described how you can pay the ransom with different currencies like, BitCoins, Ukash, and PayPal My Cash Cards. At the end of the note, there is an upload form, where you can test if the decryption will work:

teslacrypt-8-variant-.vvv-extension-decryption-page-ransom-note-decrypt-how-recover-test-file-support

We advise you not to pay the ransom, as there is no guarantee you will get a decryption key, let alone a working one. The ransomware can create thousands of files with the names: decrypt.exe, decrypt.html, and decrypt.txt, along with the ransom note files, how_recover+abc.txt and how_recover+abc.html.

Remove TeslaCrypt Ransomware Completely

To completely remove TeslaCrypt from your computer, you should have basic knowledge in removing viruses. We highly recommend you to back up your system files first. Afterwards, carefully follow the instructions provided here:

1. Boot Your PC In Safe Mode to isolate and remove TeslaCrypt
2. Remove TeslaCrypt with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by TeslaCrypt in the future
4. Restore files encrypted by TeslaCrypt
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the TeslaCrypt threat: Manual removal of TeslaCrypt requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

  • marco

    ok good explanation , but is there any way to encrypt files?

  • Hello,

    To all users who have had their files ENCRYPTED.

    The newest variant of TeslaCrypt is not yet analyzed so there may be very little chance to decrypt your files.

    But you can still try with the following decryption tools, mentioned in our forum:
    http://sensorstechforum.com/forums/malware-removal-questions-and-guides/restore-vvv-files-encrypted-by-teslacrypt-ransomware/

    Please, let the others know if it worked so that you can raise awareness.

    Thanks!

    • patrick

      bonjour
      moi aussi piégé par tesla….
      avez-vous du nouveau pour décrypter?
      merci

  • Lic. Omar Fierro

    buenas tardes,
    actualmente me encuentro que con este problema en el servidor de la empresa donde trabajo, que tan confiable y seguro son los pasos que sugieren para la solucion a este problema?
    bueno quedo en espera de sus comentarios, saludos…
    gracias.

  • Milena Dimitrova

    Hello Omar,

    Sorry to hear you have been attacked by TeslaCrypt.

    First of all, please tell us what you have done so far. Have you isolated the threat successfully?

    Please refer to the topic at our forum:

    http://sensorstechforum.com/forums/malware-removal-questions-and-guides/restore-vvv-files-encrypted-by-teslacrypt-ransomware/

  • Jorge

    Tengo todo encriptados en .vvv y no me funciono shadow explorer y trate con recuba y al recuperar sale como que nada se ha eliminado y me muestra los mismos archivos encriptados que podría hacer

    gracias

  • Cihan Erdem

    Dear Milena,

    First of all thank you very much for your useful comments for infected users, i read all above comments and other referenced pages too, we need to know how i can try “Network Sniffer” which wrote in this page, and with which software ? thanks in advance.

  • David

    Hola a todos, mi equipo con windows xp tambíen ha sido infectado y ahora todos los archivos están con extensión .vvv, habría alguna forma de desencriptar dichos archivos? he leido por ahí en muchas páginas que por el momento es completamente imposible…

    He probado varios programas de recuperación de archivos y no hay manera, ojala alguien pueda dar con alguna solucíon. Por el momento creo que he quitado el virus con malwarebytes

  • Samy

    je suis infecté par teslacrypt extension .vvv j’ai le script qui a posé pb est ce que de ce script je peux trouver la clé ?
    j’ai également le fichier d’origine et le fichier infecté en word et excel. je n’ai malheureusement pas trouver le fichier key.dat puis-je espérer décrypter mes fichiers svp ?
    merci par avance
    Samy

  • lucio

    buongiorno a tutti, quindi un modo per provare a recuperare i file crittati c’è o no ?? con cosa si può provare? io ho provato solo a rinominare il file ma non funziona.

  • Ouachic

    Bonjour tous le monde
    Mon pc est affecté par un virus ou je sais pas quoi, tous mes fichiers Word, PDF, et image ainsi que les xl sont devenu .vvv
    Veuillez m’informer sur une solution SVP

    Cordialement

    Ouachic

    • Steph

      J’ai exactement le même problème depuis ce matin,
      avez-vous une réponse ?
      Merci

  • Eric

    Même chose pour moi … infecter depuis ce matin … tout mes fichier, tonne de photo de famille / voyage etc est rendu avec l’extension .VVV …. Est-ce Teslacrypt, Cryptowall,Cryptolocker….. bref je suis legerement paniquer en ce moment. Je suis presentement en train de scanner mon PC avec SpyHunter 4 …. est-ce la bonne marche a suivre ?
    Est-ce que Spyhunter seras en mesure de suprimer ce virus ?
    Il y a t’il espoir de reussir a tout decrypter ou ma seule alternative serais de payer la foutu rencon ?

    Merci a l’avance … d’un père de famille bien désespérer … McAfee antivirus … gros ZERO !!!

  • Milena Dimitrova

    Hello Eric and Steph, an antivirus program should remove the leftovers of the ransomware. However, it won’t be able to decrypt the encrypted files. Please keep in mind that every infection is unique, and that there are may be more variants of the same ransomware.

    You can find information about decryptors here: http://sensorstechforum.com/forums/malware-removal-questions-and-guides/restore-vvv-files-encrypted-by-teslacrypt-ransomware/

  • Pedro

    Hallo, leider funktioniert keiner der Links zum Forum?!

    “Nichts gefunden
    > 404
    Entschuldigen Sie bitte, aber keine Ergebnisse wurden für Ihre Anfrage gefunden. Vielleicht suchen helfen Sie zu finden verwandten Inhalten.”

    Ich habe den Tesla Crypt eliminiert mit Spy Hunter.
    Was bleibt sind .vvv Dateianhänge an Dateien wie .pdf .docx .doc .xls .bmp .png .pst // ect.
    Mit welchen Programmen kann ich testen zum Encrypten der Dateien??

  • Luke Miller

    Does anyone know if this version drops files in particular locations? Or leaves clues to its presence in the registry, etc.?

  • Luke Miller

    Also, is there a Trojan involved in this? If so, where might its location be?

    • Hey Luke!

      TeslaCrypt is a Trojan horse ransomware. This means that it is a Trojan itself, and it was spread with other malware.

      There were executables that dropped with the ransomware in these locations:

      %Temp%
      %AppData%
      %LocalAppData%
      %ProgramData%
      %WinDir%
      or randomly in the C: drive.

      But no data for the key was dropped for this variant, neither was the Windows Registry tampered by it.

      Fortunately, this ransomware case has already been resolved : http://sensorstechforum.com/teslacrypt-master-decryption-key-available/

      Stay tuned!

      STForum

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.