Powered by Blogger.

TeslaCrypt 2.2.0 Removal and Decryption

One of our workstations was hit with the Teslacrypt ransomware. We could tell because all the documents had been encrypted and the file extensions were changed to VVV. The most secure thing to do with any malware infection is to wipe the computer and restore from back. However, that may not be an option for some. In our situation, the user did not have any backups of the documents on his local computer. So we needed to identify the way to remove the ransomware and decrypt the file. A huge thanks to Googulator for the python scripts that accomplish the decrypting. https://github.com/Googulator/TeslaCrack. We are going to follow the instructions found there, with some adjustments that I put together from the sites in the references section. There are a lot of varied instructions out there, but here is what worked for us.

Steps (25 total)

1 . Clean the teslacrypt ransomware from the computer
Reboot into safe mode and run Malwarebytes scan, remove all malware found. I would recommend using multiple trusted malware cleaners to make sure it is gone. Reboot when it asks too. This should cleanup the virus. Next we will decrypt the documents.

2. We are going to following instructions here: https://github.com/Googulator/TeslaCrack.
We will use a python script to identify the AES public key and then find the factors of that number and then identify the private key and decrypt one of the files. Once we have a successful decryption then we can apply it to the entire computer. Use another computer with as fast as and as many processors as possible.

3. Download https://github.com/Googulator/TeslaCrack/archive/master.zip and extract to C:\decrypt

4. Copy one of the encrypted VVV documents to this folder.

5. Download Python 2.7 64-bit release. https://www.python.org.
Install as administrator and make sure to select the option to add Python to your PATH during the install.

6. At a command prompt with administrative rights, execute the following commands:
python -c "import urllib2; print urllib2.urlopen('https://bootstrap.pypa.io/ez_setup.py').read()"; | python 
easy_install pip 
pip install ecdsa (optional, needed only for unfactor-ecdsa.py)

7.  Run: python teslacrack.py .
My results: 
Cannot decrypt ./VENDOR LISTING BY CATAGORY.xlsx.vvv, unknown key 
Software has encountered the following unknown AES keys, please crack them first using msieve: 
A1373BCF4EDB39BCFEDD484FA86A82498410A7E83456D8E80E52966F6717CB8B8E5846BBC7A540647AE770FEDEAA0E7F8A0466082156DB332A757407A12C9FB0 
found in ./VENDOR LISTING BY CATAGORY.xlsx.vvv 
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use them with TeslaDecoder: 
5ECA19D475A313AC3DEF915CE6FA37BE012CD1676590C8F253135A3AD92345B78C32C46DB3246ED84A7B9A8C62F1A13D2AF08F09FFB3551701E7B75CCC79457C 
found in ./VENDOR LISTING BY CATAGORY.xlsx.vvv

8.  Copy the first number to the clipboard
I copied 
A1373BCF4EDB39BCFEDD484FA86A82498410A7E83456D8E80E52966F6717CB8B8E5846BBC7A540647AE770FEDEAA0E7F8A0466082156DB332A757407A12C9FB0

9. Go to http://www.mobilefish.com/services/big_number/big_number.php and convert that Hexadecimal number to decimal.

This one converted to: 
8443554284208758706290725803426642738777516291375882082881197977752270634322152168104703798454983966849000112082164921264407639940139993317228747401502640

10.  Now we need to factorize that number. Find all the factors. Go to http://factordb.com/ and enter your number.
I entered 
8443554284208758706290725803426642738777516291375882082881197977752270634322152168104703798454983966849000112082164921264407639940139993317228747401502640 and press factorize. If you are lucky it will show FF on the left side. That means fully factorized and it will list all the factors. If that is the case, you wont need to use yafu below. You can skip down to unfactor.py. 

If it shows CF or C, then we need to run yafu to find the factors first. As you find the factors, you can come back to factordb.com pull up your number and enter the factors in the Report field at the bottom. This is what I did for my number and now it shows as FF. This is the part that can a few hours or days or weeks depending on the complexity of the number. When done we will have a bunch of numbers (factors) that we will use to get the private key. I tried msieve, yafu, and variations of these. I had huge issues getting this to work. Some of the problem was the instructions are incomplete and didn’t give the full syntax. Finally I got yafu to work. Here is what I did.

11. Download GGFNS.zip from this link http://www.mersenneforum.org/showthread.php?t=20779 and unzip into C:\ggnfs-bin

12. Download yafu-x64 from http://sourceforge.net/projects/yafu/ and unzip into C:\ggnfs-bin

13. Open a command prompt and go to C:\ggnfs-bin

14. Run yafu-x64.exe “tune ()”

15. Edit yafu.ini. Change “ggnfs_dir=../ggnfs-bin/” to “ggnfs_dir=C:/ggnfs-bin/” (without quotes), save, and close.

16. Run yafu-x64.exe “factor(YOUR DECIMAL NUMBER HERE)” –v –threads 4
example: yafu-x64.exe 
“factor(8443554284208758706290725803426642738777516291375882082881197977752270634322152168104703798454983966849000112082164921264407639940139993317228747401502640)” –v –threads 4

17. This is the part that takes forever. When done it will list all the factors in the factor.log file. Open that file.
At the start of your factorization it will find the small factors quickly and listed as: div: found prime factor = x. Search the log file for “found prime factor” 
Also search for “prp”. It will find lines similar to this: prp32 = 25647545727466257054833379561743

18. Report all factors found into your number at http://factordb.com. Once you have all the numbers reported, submitted, it will change to FF. You then know you have all the factors.

19. Go to the command prompt and to C:\decrypt

20. Run python unfactor-ecdsa.py <name of encrypted file> <primes from previous step, separated by spaces>

It will output your AES private key. Here is what mine looked like:

unfactor-ecdsa.py VENDOR.xlsx.vvv 2 2 2 2 3 5 367 12757 25647545727466257054833379561743 75938537910569673895890812481364802067167 3858259146292441335085163995598583072203543699186432807503634945432314399 

Found AES private key: 
b'\xbd\xa2\x54\x3a\x21\x75\xb9\xf3\x0d\xf6\xf3\x09\x60\xec\x08\x2f\x3e\xc5\xef\x61\xd4\x03\xa3\x5b\xc1\x47\x7e\x10\x47\x0a\x7c\x88' (BDA2543A2175B9F30DF6F30960EC082F3EC5EF61D403A35BC1477E10470A7C88)

21. Edit teslacrack.py and add your public and private key to the known keys
On line 24 I added:
'A1373BCF4EDB39BCFEDD484FA86A82498410A7E83456D8E80E52966F6717CB8B8E5846BBC7A540647AE770FEDEAA0E7F8A0466082156DB332A757407A12C9FB0': b'\xbd\xa2\x54\x3a\x21\x75\xb9\xf3\x0d\xf6\xf3\x09\x60\xec\x08\x2f\x3e\xc5\xef\x61\xd4\x03\xa3\x5b\xc1\x47\x7e\x10\x47\x0a\x7c\x88',

22. Run python teslacrack.py .
It will decrypt the file.

23.  Run python teslacrack.py C:\ to decrypt the whole drive.

24.  Once done, search for all “*.vvv” and “howto_restore*” files and move or delete them.
It should now be clean and decrypted

25. Backup, Backup, Backup!
Make a backup of your important files and your whole system if possible. Then in the future if something like this happens you can restore from backup instead of spending countless hours trying recover them.

Conclusion

Hopefully these additional steps will help others. There were a lot of steps plenty of issues as I went along. So, if you not something that is incomplete let me know and I will update these steps. Perhaps together we can make this how-to even more complete. Thanks!
    Blogger Comment
    Facebook Comment