
Remove TeslaCrypt RSA-4096. Can .vvv Files Be Restored?


TeslaCrypt, also known as AlphaCrypt, Cryptesla, and Tescrypt, is one of the most prevalent crypto viruses (ransomware) at the moment, the other being CryptoWall. Recently, we witnessed a freshly updated version of TeslaCrypt.

That version encrypted the user’s files, appended a .vvv extension to them and dropped how_recover+abc files in multiple folders. Just a few weeks later, we’re already witnessing another updated version of TeslaCrypt’s .vvv variant, using even stronger encryption: RSA-4096.

Threat Summary

Name – TeslaCrypt RSA-4096
Type – Ransomware
Short Description – A new version of TeslaCrypt has employed the RSA-4096 algorithm.
Symptoms – The .vvv extension is appended to the victim’s files.
Distribution Method – Via exploit kits, suspicious emails, etc.
Detection Tool – See If Your System Has Been Affected by TeslaCrypt RSA-4096 (Malware Removal Tool download)
User Experience – Join Our Forum to Discuss RSA-4096 Ransomware.
Data Recovery Tool – Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only some of them, depending on the situation and on whether or not you have reformatted your drive.

Learn more about the RSA-4096 algorithm

TeslaCrypt RSA-4096 Version Technical Description

Let’s call this new version of the ransomware TeslaCrypt RSA-4096. What is the difference between the previously known version and this one? The main change is in the encryption key. The latest version of TeslaCrypt has adopted an encryption algorithm known to be practically impossible to break: decrypting RSA-4096 without the key would take hundreds, maybe thousands, of years, even with the assistance of a supercomputer.

BleepingComputer has classified all the variants of TeslaCrypt in accordance with the file extensions they append to the victim’s files.

Here is the list:

TeslaCrypt Version 1

Extension – adds .ecc extension
Decryption – yes, with the help of TeslaDecoder

TeslaCrypt Version 2

Extension – .ecc
Decryption – yes, with the help of TeslaDecoder

N.B. With these versions of TeslaCrypt, decryption is possible in cases where the decryption key was zeroed out but a partial key was still available in key.dat. Moreover, the decryption key could also be obtained from TeslaCrypt’s request sent to the server. This ‘mistake’ was fixed in the next version.

TeslaCrypt Version 3

Extension – adds .ecc, .ezz extensions
Decryption – yes, with the help of TeslaDecoder

N.B. With this version, it is no longer possible to recover the original decryption key without the private key known only to the ransomware’s authors. However, the decryption key could still be obtained from TeslaCrypt’s request to the server.

TeslaCrypt Version 4

Extension – adds .ezz, .exx extensions
Decryption – yes, with the help of TeslaDecoder

N.B. With this version, it is again impossible to recover the original decryption key without the private key known only to the ransomware’s authors. However, the decryption key could still be obtained from TeslaCrypt’s request to its server.

TeslaCrypt Version 5

Extension – adds .xyz, .zzz, .aaa, .abc, .ccc extensions
Decryption – only possible if the victim succeeded in capturing the key while it was being sent to the server at the time of encryption.

TeslaCrypt Version 6

Extension – adds .xyz, .zzz, .aaa, .abc, .ccc extensions
Decryption – no known way to decrypt the files without the decryption key held by the ransomware’s authors; only possible if the victim succeeded in capturing the key while it was being sent to the server at the time of encryption.

TeslaCrypt Version 7

Extension – adds .ccc extension
Decryption – only possible if the victim succeeded in capturing the key from the machine’s memory during the encryption process.

TeslaCrypt Version 8

Extension – adds .vvv extension
Decryption – only possible if the victim succeeded in capturing the key from the machine’s memory during the encryption process.

TeslaCrypt RSA-4096 Version

As already mentioned, this updated version of TeslaCrypt appends the .vvv extension to the victim’s files.

Victims of the ransomware have reported that their files have been renamed to ‘[file name].docx.vvv’. In addition, how_recover+nsv.html and how_recover+nsv.txt files are dropped in every folder.
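As an added example (not code from SensorsTechForum or from any of the tools the article mentions), the following Python script walks a directory tree and reports the artefacts described in the version list above and in this paragraph: files carrying one of the extensions the list attributes to TeslaCrypt, grouped by extension and mapped back to the candidate versions, and folders that contain a how_recover+xxx.txt or .html ransom note. The extension-to-version map is taken from the version list on this page; the assumption that the ransom-note suffix is always three characters (the page shows +abc and +nsv) and the sample folder layout built in a temporary directory are constructed for the demonstration. A defender runs a scan like this to gauge how much of a workstation or share was touched and which files to prioritise when restoring from an offline backup.

```python
"""Triage scan for TeslaCrypt-style encryption artefacts.

Added example, not the article's or any vendor's code. Walks a directory
tree, counts files whose extension matches one the article's version list
attributes to TeslaCrypt, and records folders holding ransom notes.
"""
import os
import re
import tempfile
from collections import Counter

# Extension -> TeslaCrypt versions the article's list says append it.
EXTENSION_VERSIONS = {
    ".ecc": (1, 2, 3),
    ".ezz": (3, 4),
    ".exx": (4,),
    ".xyz": (5, 6),
    ".zzz": (5, 6),
    ".aaa": (5, 6),
    ".abc": (5, 6),
    ".ccc": (5, 6, 7),
    ".vvv": (8, "RSA-4096"),
}

# Ransom-note names seen on the page: how_recover+abc, how_recover+nsv (.txt/.html).
# Assumption: the suffix after '+' is always three alphanumeric characters.
RANSOM_NOTE_RE = re.compile(r"^how_recover\+[a-z0-9]{3}\.(txt|html)$", re.IGNORECASE)


def scan_tree(root):
    """Return a triage summary (counts, note folders, candidate versions) for ``root``."""
    by_extension = Counter()
    encrypted_files = []
    note_folders = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if RANSOM_NOTE_RE.match(name):
                note_folders.add(dirpath)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in EXTENSION_VERSIONS:
                by_extension[ext] += 1
                encrypted_files.append(os.path.join(dirpath, name))
    candidate_versions = set()
    for ext in by_extension:
        candidate_versions.update(EXTENSION_VERSIONS[ext])
    return {
        "encrypted_count": sum(by_extension.values()),
        "by_extension": dict(by_extension),
        "note_folders": sorted(note_folders),
        "candidate_versions": candidate_versions,
        "encrypted_files": sorted(encrypted_files),
    }


def original_name(path):
    """Strip the appended ransomware extension: 'report.docx.vvv' -> 'report.docx'.

    Useful when matching encrypted files against an offline backup for restore.
    """
    base, ext = os.path.splitext(path)
    return base if ext.lower() in EXTENSION_VERSIONS else path


def build_sample_tree():
    """Create a constructed sample tree mimicking a post-infection folder layout."""
    root = tempfile.mkdtemp(prefix="teslacrypt-triage-")
    layout = {
        "Documents": ["report.docx.vvv", "budget.xlsx.vvv",
                      "how_recover+nsv.txt", "how_recover+nsv.html"],
        os.path.join("Documents", "old"): ["notes.txt.vvv", "how_recover+nsv.txt"],
        "Pictures": ["holiday.jpg", "readme.txt"],  # untouched files
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    summary = scan_tree(sample_root)
    print(f"encrypted files:    {summary['encrypted_count']}")
    print(f"by extension:       {summary['by_extension']}")
    print(f"ransom notes in:    {summary['note_folders']}")
    print(f"candidate versions: {sorted(map(str, summary['candidate_versions']))}")
    for path in summary["encrypted_files"]:
        print(f"restore target: {original_name(path)}")
```

Run against a real mount point, the scan is read-only and touches no file contents, so it is safe to run before the machine is cleaned; the candidate-version output only narrows down which entries of the list above apply, it does not tell you whether a decryptor exists for your case.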

The Trojan dropping the ransomware has been identified as Trojan:Win32/Miuref:B, an infostealer-type Trojan. Other Trojans may be used in the malicious operation as well.

It’s also important to note that the main executable files responsible for the encryption were most likely deleted once encryption completed: when TeslaCrypt has finished encrypting the victim’s files, it typically deletes itself. The only traces left are the ransom notes. If an AV program is present on the victim’s system, it should have cleaned up any leftovers of the ransomware.

According to the November update article on Microsoft’s TechNet, the Microsoft Malicious Software Removal Tool should be updated and able to detect TeslaCrypt. Microsoft’s detection names for TeslaCrypt are Tescrypt, Win32/Tescrypt and Ransom:Win32/Tescrypt.

However, no AV program released by Microsoft or any other vendor is able to decrypt files encrypted by ransomware. For now.

What Should Users Attacked by TeslaCrypt RSA-4096 Do?

Unfortunately, files encrypted with the strong RSA-4096 algorithm cannot be decrypted, except with the decryption key held by the ransomware’s authors. As you probably know, security researchers never advise paying the demanded ransom. Ransomware has evolved so much because cybercrime groups have gathered enough resources to improve their products.

The only way to get your files back (besides paying for the decryption key) is to restore them from an external backup that was kept offline.

Once you have removed the threat, via an anti-malware program or manually, you can use your backups to restore the encrypted files. However, if you haven’t regularly backed up your files, nothing can be done.

Encryption by earlier versions of TeslaCrypt could be broken because those versions stored the private key on the local disk. Decryption could also be done via Cisco’s Talos Group decryptor and TeslaDecoder. However, later versions were improved and the ‘mistakes’ of the earlier versions were fixed. TeslaCrypt RSA-4096, in particular, uses encryption so strong that it could take a supercomputer years to decipher the encrypted information.

Is There Any Protection against Ransomware?

Besides maintaining a strong anti-malware program and all the ‘classical’ protection methods (a combination of anti-malware and anti-virus, an external firewall, etc.), there are tools such as Shadow Defender designed to protect against ransomware such as TeslaCrypt RSA-4096.

What Is Shadow Defender?

Shadow Defender is a security solution for Windows systems. It can run the system in a virtual environment called Shadow Mode, which redirects every system change to the virtual environment and leaves the real one untouched; this approach is also known as light virtualization. In other words, Shadow Defender can restore the system to its original state from before the infection took place. We haven’t tested the solution, so we cannot confirm that it works in ransomware cases. However, users who have tried it have shared positive opinions. The only weak spot of the solution appears to be rootkit-related: the operator of a rootkit could disable the tool or delete its databases, stripping it of its ability to restore the system to an uninfected state.

Finally, if you have been hit by TeslaCrypt RSA-4096 or another ransomware and you haven’t cleaned your system, refer to the removal options below the article.

You can also refer to our forum where you can start a topic and receive help.

Manually delete TeslaCrypt RSA-4096 from your computer.

Note! Important information about the TeslaCrypt RSA-4096 threat: manual removal of TeslaCrypt RSA-4096 requires interfering with system files and registry entries, and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove TeslaCrypt RSA-4096 files and objects
2. Find malicious files created by TeslaCrypt RSA-4096 on your PC
3. Fix registry entries created by TeslaCrypt RSA-4096 on your PC

Automatically remove TeslaCrypt RSA-4096 by downloading an advanced anti-malware program

1. Remove TeslaCrypt RSA-4096 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by TeslaCrypt RSA-4096 in the future
3. Restore files encrypted by TeslaCrypt RSA-4096
Optional: Using Alternative Anti-Malware Tools

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.


  • Christian

    Hello, everyone!
    My files were encrypted with RSA-4096, but it’s not TeslaCrypt…
    I was asked for a ransom… Has anyone already paid? Did everything go well?
    Thanks!

    • Milena Dimitrova

      Hi Christian,

      Can you please send us the ransom message, or copy its text? Also, what extensions are appended to your files? Here is a topic about RSA-4096 encryption, you can write there as well: http://sensorstechforum.com/forums/malware-removal-questions-and-guides/help!-my-files-were-encrypted-with-strong-rsa-4096-encryption!/

      Please provide us with more information so that we can try and help you.

      • Christian

        Hello,

        Below is the message I received:

        !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

        NOT YOUR LANGUAGE? USE https://translate.google.com

        What happened to your files ?
        All of your files were protected by a strong encryption with RSA-4096.
        More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) […]

        The extension is “vvv”.

        Someone who knows about these things tried to recover my files, but he didn’t manage… According to him, it’s a new version of CryptoWall.

        I don’t know how the virus infected the PC… I didn’t open any emails and I didn’t browse any dubious sites.
        I scanned the PC and the tools I used found nothing…

        For me, what matters now is recovering the files; that’s why I asked whether anyone has paid the ransom… the deadline they gave is approaching…

        Thanks!

        • Milena Dimitrova

          Hi again,

          We believe that the ransomware is TeslaCrypt. TeslaCrypt has used the .vvv extension before.

          Whether TeslaCrypt or CryptoWall, RSA-4096 encryption is very difficult (close to impossible) to decrypt. Has your friend tried any decryptor tools such as TeslaDecoder? Do you have a clean backup of your files?

          • Christian

            Hello again,
            Yes, we tried TeslaDecoder, but without success… it isn’t TeslaCrypt, according to him…
            At first he had the same opinion… that it was TeslaCrypt, but after checking with TeslaDecoder he realized it wasn’t TeslaCrypt.
            No, I have no backup… that’s why I’m considering paying the ransom… it’s true that I haven’t made a decision yet, but it’s the only way to get my files back.
            Thanks!

  • VP

    Hi,

    There is a newer version that makes the extensions .xxx.
    Unfortunately, my friend got this one.
    If there is some way to decrypt, I’ll appreciate it.
    I have enough computer power available to use for decryption, even if it needs a lot of time.
