Decrypt Teslacrypt and Remove Teslacrypt Ransomware [Update]


This page is here to help you decrypt Teslacrypt encrypted files (.ecc, .ezz, .vvv files) and to permanently remove Teslacrypt ransomware from your computer.

TeslaCrypt is a trojan-ransomware invader that encrypts a system's files (so it is sometimes also referred to as cryptoware). It invades a computer in a number of ways (details below) and goes about encoding all files, or targeted types of file, with an as yet unbreakable cipher. Then, as the name suggests, it demands a ransom in Bitcoin (the equivalent of $300-500 U.S.) in return for the key to restore your data.

A new version of TeslaCrypt has been discovered by researchers and victims alike. It has been designated TeslaCrypt 2.0 and first emerged in mid-2015. Perhaps as an inside joke, or perhaps as an obfuscation to confuse, it carries some of the visual appearance of another as yet un-cracked cryptoware virus. A more concerning advance is the increased sophistication of the encryption method (there has been some progress in decrypting earlier versions). Unlike many similar infections, the encryption can begin before the trojan has connected with its control server, which makes it more efficient, and more difficult to stop before complete encryption is accomplished. If detected, delete TeslaCrypt immediately, or prepare to pay with your cash, your data or your time.

In the ransomware category it is estimated to have accounted for 39% of U.S. infections last year, compared with 7% and 6% in the U.K. and Canada respectively. As mentioned, TeslaCrypt can be commanded to take control of specific file types. This latest version predominantly targets on-line video gamers and their files to become established, then goes on to encrypt financial and tax documents. This is not to say that non-gamers are safe, and it also poses the threat that the financial documents could be used by the hackers, regardless of whether a ransom is paid or not. This is one reason to get rid of TeslaCrypt quickly, or better, to prevent it from ever infecting your system.

How TeslaCrypt Enters a System

As with most malware, there are several methods of infection, though usually there is one common way a specific version/variant invades. Whether this is by design of the creators or simply a trend is often unclear, though each virus seems to have a specialty: TeslaCrypt prefers exploit kits (EKs). This hackware sits on compromised or dubious websites and scans visitors for operating system vulnerabilities (in this instance on gaming forums, blogs and download sites). If a vulnerability is found, the trojan is "dropped", and it is possible to finish browsing without any knowledge of the infection. The other ways of being compromised are: opening inviting-looking spam or fake official e-mails and being convinced to open a link or attachment; clicking on fake pop-ups for freeware updates; downloading the trojan in a bundle of freeware; remote hacking using RDP (Remote Desktop Protocol) weaknesses. With good practice and capable security, preventing TeslaCrypt is straightforward; after infection, things can become complicated.


What to do if Infected with TeslaCrypt

If you have strong security software with current updates, you will see its presence before it can enter your PC's system (it will be quarantined). With some good A/V scans, you may detect it inside the system if it managed to evade your present security. If it is discovered early enough, deleting TeslaCrypt could save data. If your system does not pick up any sign of infection through a scan but you notice any of the following, you may be compromised: noticeably slower operating speeds; random freezing of processes and the screen for a few seconds; an increase in pop-up interference; unsolicited plug-in downloads; an increase in spam. If these symptoms are noticed, disconnect immediately from wired and wireless internet connections and from any network share connections. Back up all personal files on an external drive such as a USB flash drive, or to Cloud storage. For instructions on how to uninstall TeslaCrypt manually using Safe Mode with Networking, see below. Alternatively, use an anti-virus program that specifically recognizes this variant. When the infection is removed, if all your files appear to be okay (they have their familiar extensions), it is worth doing a system restore. If files have been modified, then it is time to try to recover copies from system back-ups. Programs like PhotoRec or R-Studio can be used, and if this does not work, the shadow volume copy may have originals that can be restored; Shadow Explorer or similar programs can help with this.

How to Decrypt Files Encrypted by Teslacrypt?

METHOD 1: Decrypt Teslacrypt using TeslaDecrypter tool

Luckily, there is a great, free decryption utility that can decrypt and recover all your encrypted files. You can download it from here: http://labs.snort.org/files/TeslaDecrypt_exe.zip . Please back up your encrypted files before you use this utility.

To decrypt Teslacrypt encrypted files, please follow these steps:
STEP 1: Unpack the .zip archive to your C: drive.
STEP 2: Find the "key.dat" file in the %AppData% folder. If you cannot find this folder, check this article. Copy the "key.dat" file to the folder where you unpacked the TeslaDecrypt_exe.zip archive.
STEP 3: Run "cmd.exe" to open a Command prompt (how to do this).
STEP 4: Go to the folder where you unpacked the decrypter, using the "CD" command in the Command prompt (how to do this).
STEP 5: Run the tool, specifying the directory containing the encrypted files.

Example: “TeslaDecrypter.exe /dir C:\my_encrypted_files”

STEP 6: Run “TeslaDecrypter.exe /deleteTeslaCrypt” to delete the Teslacrypt dropper from your computer.

IMPORTANT! If the encrypted files have the .ezz extension rather than .ecc, FIRST rename the files to have the .ecc extension, then run the decryption utility!

METHOD 2: Decrypt Teslacrypt using TeslaCrack free tool.

If METHOD 1 did not work with your encrypted files, here is the newest free Teslacrypt decryption tool, named TeslaCrack. Please note that this method is very long and requires some advanced computer knowledge (and patience).

Follow these steps to decrypt your files:

STEP 1: Download TeslaCrack from here: https://github.com/Googulator/TeslaCrack
STEP 2: This tool needs a Python environment to work. If you do not have Python (most users do not), download it from here: https://www.python.org
STEP 3: Add Python to your PATH (learn how to do this)
STEP 4: Open a Command prompt with Administrative rights (learn how to do this)
STEP 5: At the command prompt, execute the following commands (one per line):

python -c "import urllib2; print urllib2.urlopen('https://bootstrap.pypa.io/ez_setup.py').read()" | python
easy_install pip
pip install pycryptodome
pip install ecdsa
pip install pybitcoin

The last two packages are optional: ecdsa is needed only for unfactor_ecdsa.py, and pybitcoin only for unfactor_bitcoin.py.

STEP 6: Install a program for factoring large numbers. For this purpose, I recommend using Msieve and the factmsieve.py wrapper.
STEP 7: Collect all encrypted files from your computer and put them into the same folder as unfactor.py and teslacrack.py (the working folder)
STEP 8: Check if all file extensions are “.vvv”. If they are something different, change them to “.vvv”.
STEP 9: In the command prompt run the following command:

python teslacrack.py

The output of this operation should be two HEX numbers. The first one is your AES public key.
STEP 10: Convert the HEX number to decimal using this utility
STEP 11: Open this site and put your number in the search field. If you are lucky, it has already been factored and you can skip the next step.
STEP 12: Factor the AES key printed by teslacrack.py. Run msieve in the command prompt with the following parameters, placing the HEX key after the 0x prefix:

msieve -v -e 0x

STEP 13: To reconstruct the AES private key, run this command in the command prompt:

python unfactor.py

This command should print out your private AES key.
STEP 14: Open teslacrack.py with Notepad and add your public and private AES keys to the known_keys array.
STEP 15: Repeat STEP 8. You will get the decrypted file next to the .vvv file (check if it was decrypted successfully). If not, redo STEP 13 and STEP 14 with the other candidate keys from unfactor.py
STEP 16: From the command prompt run this command:

python teslacrack.py C:\

This should decrypt all your files.

That’s it. All your encrypted files should be back to their original versions.

Prevent TeslaCrypt Ransomware

Good working practice is the best manual way to avoid this and other virus infections, though your security software can give you extra insurance against ever advancing threats. Always choose the best, with up-to-the-minute updates and support.

  • Adjust the settings/controls of your browser to maximize security and threat warnings;
  • Always browse sensibly and use the Advanced/Custom download options for any freeware (go directly to the creator's site if possible);
  • Never open dubious files or unfamiliar e-mails with attachments; don’t click on unsolicited pop-ups;
  • Disable RDP if not in use (or secure it);
  • Secure any network sharing for access to Authenticated Users only;
  • Research Windows Software Restriction Policies – settings that can block executable files from running when located in specific paths (see the Microsoft website);
  • Regularly make back-ups of files and copy into external drives or Cloud storage.

Be hygienic in your on-line operating, and get some heavy-duty protection to guard against this and other viruses – don’t become another customer of the growing ransomware market!

Daniel Stoyanov
Daniel Stoyanov has a Master's degree in Computer Science from the Technical University of Sofia, Bulgaria. He is also a Microsoft Certified Professional. Daniel provides top cyber security news with in-depth coverage of malware, vulnerabilities, PC and network security, and online safety. If you have any questions, feel free to ask him.
