Powered by Blogger.

Ransomware TeslaCrypt

The server TeslaCrypt close and developers have released the master key to decrypt the data useful to all versions of TeslaCrypt . For more information please click HERE The article Ransomware Ransom32 I already talked about ransomware, a type of malware that takes control of the system (blocking access and / or cifrandone data) and requires a ransom for the release. In this article I will deal another kind of ransomware quite widespread, TeslaCrypt , pausing on the recovery of encrypted data The first reports of this ransomware date back to February 2015. The weakness of the first versions of TeslaCrypt was the management of the encryption key.The key, in fact, was stored on the disk of the infected system by making relatively simple data recovery. Later versions of the ransomware, in addition to using a more sophisticated encryption (keys are generated using the elliptic curve algorithm ECDH Elliptic curve Diffie-Hellman ), present any measures that prevent the identification of the servers to which the malware connect (command and control server). The servers are on the TOR network and ransomware communicates with them through tor2web. In general the mode of operation of TeslaCrypt is similar to that of most other ransomware outstanding: once covertly installed on the victim's system proceeds to encrypt the data with the AES system. Ransomware is spread through email attachments or via special web pages. 

After an encrypted Ransomware file adds a new extension that varies depending on the version of the malware (.xxx, .ttt, .abcor, .micro, .etc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .vvv) also it needs to cancel the Volume Shadow copies and restoration points. Once the encryption of the victim's documents shows the ransom message and creates the following files on the desktop and in other folders:Howto_Restore_FILES.BMP , Howto_Restore_FILES.HTM , Howto_Restore_FILES.TXT . These three files contain information on how to pay the ransom in order to recover the data. Have been identified and analyzed several variants in circulation TeslaCrypt , most of them create an executable file in% AppData% (eg. C: \ Users \ <username> \ AppData \ Roaming \ <name file.exe >) while the registry keys that are modified are 
HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run \ 

Here there should be a reference to the .exe files in% AppData% HKCU \ Software \ HKCU \ Software \ xxxsys the file extensions affected by TeslaCrypt are: 

sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13,. t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .CAS, .svg, .map, .wmo, .itm, .SB, .fos, .mov, .vdf, .ztmp, sis, .sid , .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk,. rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .See, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mp QGE, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, sav, .lbf, asl, BIK, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, js, css, .rb, .png, .jpg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d , .rw2, .rwl, .raw, .raf, .orf, .NRW, .mrwref, .MEF, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf,. arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx , .doc, .odb, .odc, .odm, .odp, .ods, .odt 

How to remove the ransomware TeslaCrypt could infiltrate and install other viruses within the system.Before groped the recovery of data is necessary to remove the ransomware. To remove it you can run the system scan with an updated antivirus. A good ally in these cases is an antivirus with which to boot the system as Kaspersky Rescue Disk that you can download from THIS PAGE

You download the image you can burn it to CD \ DVD or create a bootable flash drive using the tool rescue2USB .When booting with Kaspersky Rescue Disk you can make sure that the antivirus automatically download updates from the Internet before proceeding to scan the entire system. After the scan, and delete any virus found, start the system in Safe Mode and then install and run a scan with a version of Malwarebytes and / or SpyHunter updated. Data Recovery To decrypt the data you need to recover PrivateKeyBC (private key used by TeslaCrypt as the master key). Before you can go back to PrivateKeyBC you must obtainSharedSecretBC (key calculated by PrivateKeyBC, PublicKeyBC and TeslaPublicKey) and PublicKeyBC (public key for bitcoin address).Here below the necessary steps to recover the PrivateKeyBC . Step 1: Obtaining TeslaDecoder and Yafu tool The first thing to do is to get the tools needed: TeslaDecoder and Yafu . The tool can be downloaded from the following link: TeslaDecoder Yafu The files are compressed (.zip) so you need to proceed to their extraction. If you already have these tools it is advisable to re-download them so be sure to use the latest available version. 

The following steps are also indicated, in English, within the file instructions.html supplied with TeslaDecoder (developed by BloodDolly of BleepingComputer ). Step 2: Perform TeslaViewer to extract PublicKeyBC and SharedSecret1 * PrivateKeyBC Within TeslaDecoder are three executable files: TeslaDecoder.exe , TeslaRefactor.exe andTeslaViewer.exe . Perform TeslaViewer.exe , click the button Browse and select a file encrypted by TeslaCrypt . TeslaViewer extracts files from a range of information. The fields that interest us are PublicKeyBC and SharedSecret1 * PrivateKeyBC .

Figure 1 - TeslaViewer
Click on the button Create work.txt to save all the information in the text file work.txt (the text file will be created in the same folder containing TeslaViewer.exe). Step 3: Factoring SharedSecret1 * PrivateKeyBC through factordb.com Now we need to proceed with the prime factorization of the decimal value of SharedSecret1 * PrivateKeyBC . This may take a long time but the site Factordb.comcomes to us providing numerous pre-calculated values. We open the file Work.txt created with TeslaViewer and copy the decimal value of SharedSecret1 * PrivateKeyBC

Figure 2 - Work.txt and SharedSecret1 * PrivateKeyBC
So posizioniamoci on site Factordb.com , paste the copied value in the box provided and click on factorize! 
If the column Status we find the value FF then we are lucky and we just have to create a text file and copy the factors within the files (one per line factor). It may happen that some factor to appear as 5933269477 ... 11 <154> in these cases we need to click on the factor to display the entire value. The number in angle brackets (154) indicates the number of digits that make up the value. At this point we can proceed to Step 5 . 
If, however, the status column, you see the value CF then we must proceed in precisely the factorization and proceed to Step 4 .

FIG 3 - factordb.com

Step 4: Factoring SharedSecret1 * PrivateKeyBC through Yafu
If we were not lucky with the site factordb.com we must proceed independently with the factorization. This may take a long time even on powerful PCs. For the factorization will use the tool Yafu we downloaded in Step 1 . First we proceed to the optimization tool based on our system. Perform tuneX86.ba t (for 32-bit systems) or tuneX64.bat (for 64-bit systems) and wait until the end. The optimization process may take a little 'time and at the end you will see the message Finished Tune .

Figure 4 - Optimization Yafu: tuneX86 and tuneX64

After the optimization, open the file works.txt and copy the decimal value of SharedSecret1 * PrivateKeyBC as shown in Step 3 . 
Launch factorX86.bat (for 32-bit systems) or factorX64.bat (for 64-bit systems). When prompted to paste the value SharedSecret1 * PrivateKeyBC previously copied and press enter.

Figure 5 - FactorX86 and FactorX64: SharedSecret1 * PrivateKeyBC

At this point you are asked how many threads intended to be used to calculate the factorization. The number of threads in your system can be viewed from Task Manager. It is advisable to specify the number of logical processors -1 (ie. If you have a dual core CPU with four logical processors are advised to enter 3) so as not to block the station. The factorization can take a long time (even days) depending on the power of the system and the number to be factored.

Figure 6 - FactorX86 and FactorX64: Threads

At the end the results as shown in the figure FIG 7 are displayed. 

Figure 7 - FactorX86 and FactorX64: Results

Copy all of the factors and paste within a text file.

Figure 8 - Result factorization

STEP 5: TeslaRefactor
We almost reached the end. In the folder TeslaDecoder start the tool TeslaRefactor . The box where the message is indicated <Put decimal factors here> paste the values provided by the prime factorization (those provided by FactorDB.com or those calculated using Yafu ). In the field of Public Key (hex) to copy the value PublicKeyBC inside the works.txt file. Click Find Private Key to compute the private key.

Figure 9 - TeslaRefactor

Upon completion, we take note of the private key, private key (hex) , which will help us to decrypt the data.

Figure 10 - TeslaRefactor Private Key

In the event that problems arise in the calculation of the private key, compare field values Product (dec) and Product (Hex) with the respective values of SharedSecret1 * PrivateKeyBC work.txt within the file. If the values match, then remove the flag to the item Optimization and click again on the button Find Private Key . Step 6: Decrypt data via TeslaDecoder Now that you have the private key can proceed to decrypt your files using TeslaDecoder . Start TeslaDecoder as administrator (right click mouse button onTeslaDecoder.exe and select Run as administrator ). 

Figure 11 - TeslaDecoder

Click on the button key September . This will open the Set custom key for decryption (see Figure 12). In the field Key (hex) to specify the private key previously retrieved and Extension select the extension of the encrypted file that you want to recover and clickSet key to return to the previous screen.

Figure 12 - Set key TeslaDecoder

Going back to the previous screen you will notice that the buttons Decrypt Folder and Decrypt All are enabled. The first allows us to act on a specific folder and its subfolders, the second one performs a check on the entire system by recovering encrypted files. Before proceeding we are asked whether to delete or retain the encrypted copy of the file (if you have important data should also hold the encrypted version of our files in case the operation is not able to recover its contents) properly.

Figure 13 - TeslaDecoder delete encrypted files

The recommendations to prevent the loss of data are the usual: have a good antivirus and keep it up to date, be wary of sites and suspicious emails, make frequent backups of data on multiple external devices and not permanently connected to the system. For those who're backing up to cloud providers typically allow you to maintain multiple "versions" of the file. In these cases, if the file is encrypted by some ransomware, you should be able to recover an earlier version. If this article is a help to recover your data and want to offer me a coffee, you can use the special link of donations (the transactions are managed by paypal). Update of 02/05/2016 At the moment for as TeslaCrypt 3 encrypted files with .ttt extension .xxx, .micro .mp3 and there is no method to extract the key given that a different algorithm is used. Those affected by that TeslaCrypt variant can make a backup of waiting encrypted files that a solution is found. The TeslaDecoder tool is constantly updated. Ransomware can still be removed by following the steps outlined in the article. I'll update this article in case it is found the method to recover data encrypted by this variant of ransomware. Refreshing of the 15/02/2016A new variant of TeslaCrypt 3.0 renames the files with .mp3. Update of 18/03/2016Still bad news. It was not yet found any way to decrypt files with .micro and .mp3 extension and, the day 03/14/2016, is spreading a new version of TeslaCrypt: TeslaCrypt 4.0. In this latest version the files are encrypted, but the extension is not changed. Such behavior will make it difficult to recognize at a glance the encrypted files on the disk. In this new version of ransomware also it fixed a BUG who corrupted files greater than 4GB in size. The ransomware executable file is created in % UserProfile% \ Documents \ [caratteri_alfanumerici_random] .exe The registry keys involved areHKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run \ _ [caratteri_alfanumerici_random]HKEY_CURRENT_USER \ Software \ HKEY_CURRENT_USER \ Software \ Data update of 04/26/2016from about a week is circulating a new variant TeslaCrypt: TeslaCrypt 4.1b . Even this new variant of ransomware has been analyzed by BloodDolly of BleepingComputer and features some small changes compared to previous versions:The data file is now % MyDocuments% \ desctop._ini The file containing the instructions has a slightly larger size than the versions the previous ransomware. % UserProfile% \ Desktop \ -! Recover! -. Txt [random characters] ++ % UserProfile% \ Desktop \ -! Recover! - [Random characters] ++. Htm % UserProfile% \ Desktop \ -! Recover! - [ random characters] ++. Png % UserProfile% \ Documents \ -! recover! -! file! -. txt the executable of ransomware is created with a random name in Docs: % UserProfile% \ Documents \ [random characters] .exe once finished TeslaCrypt data encryption, contact the command and control server by sending a POST encrypted message:

Sub = Ping & dh = [PublicKeyRandom1_octet | AES_PrivateKeyMaster] & addr = [bitcoin_address] & size = 0 & version = 4.1b & OS = [build_id] & ID = [?] & Inst_id = [victim_id] Even in this latest version to encrypted files is not added to any extension.Update 05/04/2016 The BloodDolly of BleepingComputer user has identified and analyzed a new version of TeslaCrypt: we are at version 4.2. The new version brings some minor changes. No message appears to the user has been changed and only essential information to proceed to the payment of ransom are displayed. The code has been optimized and compiled using a different compiler than the one used in previous versions of ransomware. The new version of TeslaCrypt executes the code injection into svchost.exe to eliminate the shadow copies (operation that is performed both before and after the encrypted data). The files created by TeslaCrypt 4.2 is % UserProfile% \ Desktop \! Recover! - [5 random characters] ++. HTML % UserProfile% \ Desktop \! Recover! - [5 random characters] ++. PNG % UserProfile% \ Desktop \! Recover! - [5 random characters] ++. TXT % UserProfile% \ Documents \ -! Recover! -! file! -. txt % UserProfile% \ Documents \ [random] .exe ransomware modifies the following key log to start at every logon

[HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run] serv [5 random characters] C: \ Windows \ System32 \ cmd.exe / C START "" "[malware] .exe"

Update of 05/19/2016The TeslaCrypt servers close and developers have released the master key to decrypt the data useful to all versions of TeslaCrypt. For more information please click HERE
    Blogger Comment
    Facebook Comment