This post was authored by: Andrea Allievi, Earl Carter & Emmanuel Tacheau
Update 4/28: Windows files recompiled with backward compatibility in Visual Studio 2008
Update 5/8: We’ve made the source code available via Github here
Update 6/9/2016: We’ve released a tool to decrypt any TeslaCrypt Version
After the takedown of Cryptolocker, we have seen the rise of Cryptowall. Cryptowall 2 introduced “features” such as advanced anti-debugging techniques, only to have many of those features removed in Cryptowall 3. Ransomware is becoming an extremely lucrative business, leading to many variants and campaigns targeting even localized regions in their own specific languages. Although it is possible that these multiple variants are sponsored by the same threat actor, the most likely conclusion is that multiple threat actors are jumping in to claim a portion of an ever increasing ransomware market. One of the latest variants is called TeslaCrypt and appears to be a derivative of the original Cryptolocker ransomware. Although it claims to be using asymmetric RSA-2048 to encrypt files, it is making use of symmetric AES instead. Talos was able to develop a tool which decrypts the files encrypted by the TeslaCrypt ransomware.
At the first glance, the dropper appears to be related to the original CryptoLocker. The malware states that data files, such as photos, videos and documents on the victim’s computer have been encrypted with the RSA-2048 asymmetric algorithm. As we shall see, that statement is not entirely accurate.
Targeting files that users value highly makes ransomware very effective at getting users to pay the ransom. TeslaCrypt is interesting because it also targets and encrypts computer games files, such as saved games and Steam activation keys. This means that TeslaCrypt is targeting many different types of users, including PC gamers. Just like irreplaceable photos, a game save, which is the product of countless hours of gaming, is extremely valuable and hard to replace.
We have analysed two samples of TeslaCrypt, the first dated March 2015 and the second dated April 2015. Their SHA256 are:
- 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
- 6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4
Both samples implement the following hashing algorithms:
- SHA1
- SHA256
- RIPEMD160
- BASE58
- BASE64
Infection Vector And Setup Function
This ransomware is usually distributed as an email attachment or through websites that redirect the victim to the Angler Exploit Kit. In our analysis, the exploit kit delivered a malicious Flash object containing an exploit against CVE-2015-0311. The payload for this exploit was a TeslaCrypt sample.
We are only going to give a quick introduction on the dropper’s architecture and the setup function because this functionality has been widely covered.
Most TeslaCrypt samples use COM+ sandbox evasion techniques. For example, the dropper we analysed uses simple detection code that verifies if the “URLReader2” COM interface has been correctly installed in the DirectShow filter graph list:
If the check passes, the real dropper is extracted and executed using a well-known method that makes use of the ZwMap(Unmap)ViewOfSection API functions to unmap the original PE memory image and re-map another image file. The final unpacked executable locates specific Windows directories such as the Application Data directory, and builds support files like the “key.dat” file, and files to store decryption instructions. The executable also adjusts its own privileges (adds “SeDebugPrivilege”) and copies itself using a random file name to the user’s Application Data directory. A new process is then spawned and execution is transferred to it. The original dropper file is deleted. The main malware window is created and five threads are spawned, followed by the window message dispatching cycle.
TeslaCrypt threads perform the following:
- Delete all system Volume Shadow Copies by executing “vssadmin.exe delete shadows /all /quiet” command
- Open the “key.dat” file and recover encryption keys. If “key.dat” file doesn’t exist, create the keys and store them in an encrypted form in the “key.dat” file.
- Send the new master encryption key to the C&C server through POST request (the latest sample that we have analysed contains the following C&C server URLs:
- 7tno4hib47vlep5o.63ghdye17.com
- 7tno4hib47vlep5o.79fhdm16.com
- 7tno4hib47vlep5o.tor2web.blutmagie.de
- 7tno4hib47vlep5o.tor2web.fi
- Implement anti-tampering protection: every 200 milliseconds, TeslaCrypt enumerates all running processes and if a process with a filename that contains any of the words below is found, that process is terminated using the TerminateProcess Windows API function
- taskmgr
- procexp
- regedit
- msconfig
- cmd.exe
File Encryption – Introduction
After the initialization routine and the deletion of the Volume Shadow copies, the sample creates the “key.dat” file where it stores all the encryption keys. The dropper from March 2015 calculates at least 2 different main keys: a payment key and a master encryption key. The other dropper implements the concept of an additional key known as the “Recovery key’.
“GetAndHashOsData” is the function responsible for creating the base buffer for the generation of all keys. At startup it acquires the following info:
- the global workstation’s LAN network statistics, using the NetStatisticsGet API function
- 64 random bytes generated by Windows Crypto functions
- all heap descriptors of its own process
- all active process descriptors and the threads descriptors of each process
- all loaded modules in each process
- the workstation’s physical memory information
Once the data is acquired, it generates a big array of SHA1 values, one for every 20 bytes of acquired data. At the end it calculates and stores a global SHA1 value for the entire array, in a symbol that we have called “g_lpGlobalOsDataSha1”.
With these 2 items, the “FillBuffWithEncryptedOsData” routine is able to fill a generic buffer with the calculated data, in a pseudo-random manner. A master key and a payment key are generated using this function (each key is 32 bytes wide), their SHA256 is calculated and finally a custom algorithm is used to shift left and shift right the 2 keys. The two shifted SHA256 values are stored in the “key.dat” file.
The Key File
The “OpenKeyFileAndWrite” routine tries to open the “key.dat” file, located in the user’s Application Data directory. If it doesn’t exist, it generates the 2 master keys (3 in case of the most recent dropper) as well as other keys, and stores them in the key file.
Here is a little schema of the layout of the “key.dat” file:
* = We currently don’t know precisely how this value is used by TeslaCrypt
The latest version of the dropper creates a “RECOVERY_KEY.TXT” file inside the user’s document directory. It does this to achieve a particular goal: if the victim workstation is offline or if a firewall blocks the communication with the C&C server, the dropper will proceed with the destruction of the master key inside the “key.dat” file, after the encryption of all files has been completed. To recover the files, the user would have to connect to the threat actor’s TOR website and provide the recovery key. The threat actors use a custom algorithm to to recover the master key from the recovery key:
The recovery key file contains 3 pieces of information in an human-readable form, separated by a carriage return character:
- The Bitcoin address
- The payment key ID (32 hex digits)
- The recovery key (64 hex digits)
The File Encryption Algorithm
File encryption is performed in a dedicated thread. The code for the encryption thread takes the shifted master key, calculates its SHA256 hash and starts to enumerate all files of the victim workstation (filtering by extension type, Tesla Crypt supports over 170 different file extensions).
“EncryptFile” is the function that manages the entire file-encryption process. It:
- generates a 16-bytes Initialization Vector for AES, using the GetAndHashOsData API function
- reads the target file
- initializes the AES encryption algorithm through the creation of the AES context data structure
- finally encrypts the contents of the file using an AES CBC 256-bit algorithm implemented in the “EncryptWithCbcAes” function.
When the process is complete, the new encrypted file is created. The new file contains a small header (composed of the AES Initialization Vector in its first 16 bytes followed by the original file size in the next 4 bytes), and then the actual encrypted bytes.
The pop up window displays misleading information: the encryption method is a symmetric AES, and not an asymmetric RSA-2048 as stated by TeslaCrypt in the screenshot above. As proof that TeslaCrypt is truly using symmetric AES and not asymmetric RSA, we provide for a decryption utility capable of decrypting all the files encrypted by this ransomware (provided you have the master key).
The Talos TeslaCrypt Decryption Tool
Our decryption utility is a command line utility. It needs the “key.dat” file to properly recover the master key used for file encryption. Before it begins execution, it searches for “key.dat” in its original location (the user’s Application Data directory), or in the current directory. If it isn’t able to find and correctly parse the “key.dat” file, it will return an error and exit.
To use this tool, just copy the “key.dat” file into the tool’s directory and then specify either the encrypted file or a directory containing encrypted files. That’s it! Files should be decrypted and returned to their original content.
Here is the list of command line options:
- /help – Show the help message
- /key – Manually specify the master key for the decryption (32 bytes/64 digits)
- /keyfile – Specify the path of the “key.dat” file used to recover the master key.
- /file – Decrypt an encrypted file
- /dir – Decrypt all the “.ecc” files in the target directory and its subdirs
- /scanEntirePc – Decrypt “.ecc” files on the entire computer
- /KeepOriginal – Keep the original file(s) in the encryption process
- /deleteTeslaCrypt – Automatically kill and delete the TeslaCrypt dropper (if found active in the target system)
Back up your encrypted files before you use this utility. Provided without any guarantees.
Link to the Tool
The TeslaCrypt Decryption Tool is provide as-is and is not officially supported. The user assumes all liability for the use of the tool.
Windows binary: https://github.com/vrtadmin/TeslaDecrypt/tree/master/Windows
IOCs
Hashes:
3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4
IP Addresses:
38.229.70.4
82.130.26.27
192.251.226.206
Domains Contacted:
7tno4hib47vlep5o.63ghdye17.com
7tno4hib47vlep5o.79fhdm16.com
7tno4hib47vlep5o.tor2web.blutmagie.de
7tno4hib47vlep5o.tor2web.fi
ThreatGrid has also added a behavioral indicator to identify TeslaCrypt.
Conclusion
Analysing TeslaCrypt ransomware was a challenge. All the encryption and hashing algorithms in the dropper made the analysis pretty difficult. As we have seen, sometimes the threat actors authors even lie. Nevertheless, ransomware continues to plague users. Incorporating a layered defense is critical to combating this type of threat before it has the chance to encrypt files. A good system backup policy is the best way to recover files that have been hijacked.
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.
ESA can block malicious emails including phishing and malicious attachments sent by threat actors as part of their campaign.
Oh my, do you guys ROCK!
I had this bloody take over my PC, killed all my music, videos, pdfs and photos etc was well hacked off, fortunataly I had a backup of everything on external hard drive (not plugged in at the time ells that would of been done as well) so only lost a few phone photos, did a fresh re-install of Windows and other software) to be sure it was gone and all was good all be it half a day to install updates to Windows 7 ultimate 64 bit ! A note to others always backup your data if you want to keep it safe, do this on 2 drives and stick 1 round your folks house periodicly rotate them to keep both up to date, just incase of fire or flood etc. I learnt the hard way 10 years back, will never make that mistake again ! its not a question of IF but WHEN !
Hey guys
I have been infected by this evil ransomware and was about to pay for decryption when I found your awesome blog.
I have tried running the Windows binary .exe but the master key has gone.
How confident are you that you will be able to write an algorithm to recover the master key from the recovery key and if so how long will it likely take?
Thanks
That is extremely unlikely. The vulnerability here is that the threat actor implemented the encryption algorithm using symmetric keys. If the key is missing this method will not work. I would recommend you restore from backup.
Hi Craig
Foolishly I do not have a backup. I had all of my files on a NAS drive which I had mirrored thinking that all I was protecting against was a drive failure or hackers trying to steal information. I have thousands of photos that are very important to me so it looks like I have no choice but to pay the ransom. As soon as I get my files back I shall be backing up to the cloud and an external hard drive.
Remember even if you pay the ransom there is no guarantee the files are going to decrypt properly – there is also no guarantee that the malware is actually removed.
True but I don’t have much choice. I have run McAfee Stinger to remove the Malware. I will reformat my HDD and start again as an additional precaution. So long as I get my files back I will be relieved.
Why not run data recovery to restore the key.DAT file? Assuming that this file is not sdeleted.
I am not familiar with that product. If it has the concept similar to quarantined files you may want to check there for the keyfile. It is possible it was classified as malware since the malware produced it. Good luck.
Thank you for providing a glimmer of hope in regards to crytolocker. I have a school that was devastated by the event.
This tool we developed is specifically for TeslaCrypt. It will not work for CryptoLocker.
Is it possible to get a copy of TeslaCrypt for testing purposes?
Possibly. Search for the hash on malwr.com.
I do the same thing myself to test new firewall and av signatures, but on a segregated network.
Is there any ransomware using RSA Asymmetric enrcyption?
I tried to run the WIN binary but got back error
“Not valid WIn32 application”
an sugest please
Hi Andy,
It is a CLI utility. You will need to verify the sha256 and run it from the command line.
Hi,
I tried using you tool but on infected machine (windows xp) I recive error TeslaDecrypter is not valid win32 application. Then I copied key.dat file from infected machine on other pc with windows 7 64bit. When I tried run the tool I recive “Warning! The “key.dat” file doesn’t include the master key.”…
Any suggestion for next steps?
Thanks,
Dushan
It means that your “key.dat” file doesn’t include your master key. That key has been already encrypted in the recovery key (and sent to the C&C server) with an Elliptic Curve cryptography.
Andrea
Andrea,
If you determine it’s impossible to restore the master key from the recovery key alone (e.g. if it’s encrypted via ECIES or some other asymmetric cipher), do you intend to update the blog post with the technical details of your findings?
(BTW great work!!)
Hi.
I found the key.dat and recovery_key.txt files, created at the same time.
The tool doesn’t work copying the key.dat file in tool’s directory.
Can i obtain a result with the recovery_key file?
thanks.
Great, works like charm, only few files (not important like eula.xxx.txt.ecc) not imported. All my files was decrypted. key.dat file was complete with all keys 🙂
“Warning! The “key.dat” file doesn’t include the master key.”
Still no solution for this case or?
Hi Cisco
Can you please update your script to Decrypt *.EZZ files too?
I have to rename my .ezz files in order to decrypt them.
I’ve got the key.dat file
I have the same problem. One of our computers is still on XP and the virus encrypted the local hard drive and the backup which was attached to the computer. The decryption tool states to use the command line option, however whenever you press a key the decryption tool closes. Any help would be GREATLY appreciated.
This may be due to the version of visual studio it was compiled with. We’ll be updating the windows binary shortly with a older more backwards compatible version that should work with XP and newer.
Craig,
Great thank you very much for your quick response it is much appreciated.
I cannot run it on XP? Please assist. I have a huge amount of files that have been affected. Will appreciate your assistance.
How do you verify the SHA 256, keep getting an error indicating that its not a Valid win32 application ?
I don’t know how to verify SHA 256 in win XP same problem here. If I extracted files and copy to USB stick +key.dat and open in
WIN7 work ok but seems I don’t have master key in key.dat
In win XP I could not open allways not valid for win32…
I just tested newer version I can confirm that work in XP.
I can see the report in created TeslaDecrypter TXT file
20:15:37 – ReadKeyFile – Warning! The master key inside the “C:\Documents and Settings\….\Application Data\key.dat” file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool.
Many thanks to your great work please keep going to find master key…
If you have the original file and an encrypted file would it be possible to find out the master key?
Reporting a similar issue to this. Client’s files have been locked and extension suffix added as .EZZ
Key.dat is available and in the same reported location. All other symptoms are present.
UPDATE – Renaming encrypted files from .EZZ to .ECC is the fix. The Cisco tool doesn’t recognize new variant of .EZZ
Renaming ezz to ecc has not worked in my case
We are having the *.ezz variant, and the tools says it’s been recovered, but files still does not work. Any updates/idea?
No it does not work!
For those seeking help – ignore Will’s spam
That software does not decrypt files. It doesn’t even remove the malware … unless you pay!
(You’ll also have difficulty removing the software if you do install it, even the free version)
The teslacrypt malware can be removed for free using something like malwarebytes anti-malware, and then hopefully this cisco tool will then decrypt the files for you … all for no charge.
Hi Nathan,
I have spammed that comment. We cannot verify the validity of 3rd party tools.
Hello Craig, Please assist with “file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool” error. I have a so many files i need to recover.
Thanks in advance.
Hi Fahim,
At this point in time the tool does not have that functionality.
Hi Craig,
Are you still working on implementing this functionality?
Hi Craig,
We just got wacked by this thing and don’t have a viable key.dat file. Are you guys working on having the tool be able to restore files with the stripped down key?
My key.dat file has a 128 char human readable block that looks like a key, but the decrypter says it can’t find the master. Is there some way to find the 64 char sequence that is the master key?
For the sake of completeness, by earlier comment is in reply to post by Will Read April 28, 2015 at 10:33 am
Do not confuse with the great work being done here 🙂
Be aware we’ve updated the Windows files. They have been recompiled with backward compatibility in Visual Studio 2008.
Thank you Craig.
I can confirm this latest tool works in XP.
Unfortunately for me, the key.dat file does not contain the Master Key. I guess the clue was there in that the file was last modified once all my other files were encrypted.
Have you attempted to use a software data recovery tool to recover this file?
Dear Craig,
How do i solve the below error??? Please i need assistance. I am on XP.
Warning! The “key.dat” file doesn’t include the master key.
This is a quite common situation because TeslaCrypt has already deleted it
to proper mantain its stealth.
This version of the decryptor doesn’t include the algorithm needed to recover
the Master key from the Recovery key.
Please use a newer version of the tool.
Error! I was not able to recover the TeslaCrypt Master key!
Try to use the command line.
Press any key to exit…
Craig, Can you acknowledge that the alphacrypt release will be at minimum looked at in hopes to generate a similar tool or modify the teslacrypt to convert the .ezz files generated by that variant?
How do I run with Python file ?
Hi , I was hit by this virus on Saturday the 25th of April , I have been able to stabilize my computer and remove the virus ,I tried your decrypter but it says my key.dat wasn’t there , I then used a data recovery program and I think I might have found it but because it is also partially encrypted I am not sure . If I send a snapshot of the file I found could you tell me if this is in fact my private key ?,
Thanks for any help I would love to regain all my lost files, or even some of them,
Julie
The new version does run on XP now which is great. Unfortunately for me it just cant find the master key. I have the recovery_key text file and the restore text file.
Hi,
How likely is it that you will be able to update the tool to support the recovery key algorithm?
Team,
Will highly appreciate if we can get the work around for the error we are getting below. Keep up the good work.
ReadKeyFile – Warning! The master key inside the “C:\Documents and Settings\Fahim\Application Data\key.dat” file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool.
Hi Talos, thank you very much for this tool. I cannot run it on a Windows 7 Professional SP1 box: every time it crashes after I enter the filename to decrypt. Dependency walker claims I miss some modules: API-MS-WIN-APPMODEL-RUNTIME-L1-1-0.DLL, API-MS-WIN-CORE-WINRT-L1-1-0.DLL and many others. I installed VC++ 2012 and 2013 redist with no luck. How can I fix it?
Thank you
Talos, hope we can tackle the issue below soon. Please advise on way forward. Keep up the good work.
ReadKeyFile – Warning! The master key inside the “C:\Documents and Settings\Fahim\Application Data\key.dat” file is stripped down. Unable to import the master key. To recover the master key from the recovery key please use a newer version of this tool.
Can can’t find the key.dat file. Encrypted files on NAS, but have looked locally too. Can I pay you to help me?
Thank You for this!
I have managed to decrypt 6Gb of a customers photos that had not been backed up!!!
I have an infection with TeslaCrypt that has dropped .ezz files in stead of .ecc, as far as I can tell your command line tool works, but does not see the .ezz files as needing decryption. Is there a quick fix for that?
Sorry! DIdn’t read through all the comments. Thanks for all the great work!
Just use batch utility for changing extensions , works.
I came across this on a customers computer but before I found this blog I’d already re-formatted the PC! I have kept all his encrypted personal files, pictures etc. The key.dat file and all other files associated with Teslacrypt are gone though. Is there going to be a tool that can decrypt his files without relying on the key.dat file or recovery_key.txt file??
Respect guys , really and thank You !
But fuckers creating such a shit should be terminated immediately.
We got hit with an updated version of this today. How do I get u a sample to see If its different than the one u posted.
The one we caught is a little different than this post
If the Key.DAT file is gone already, I’m SOL, right?
Wonder if there is any update on the tool version yet?
What can be done if the files where saved to a external hard drive then the computer was wiped and had Windows reinstalled.. Is there still a way to decrypt these files?
IT WORKED!!!!!
THANK YOU!!!!!
I have the same problem with the key being stripped. Would be great if you could get the recovery key working. Many thanks for everything you have done so far!
A customer was hit with a variant of this today with an XP machine. The files affected had the .ezz estension added. I ran a batch conversion and changed the file extensions to .ecc . I then ran the tool (4/28 version) which converted all the files and reported sucess. None of the converted files worked.
My log shows that I missed the (key.dat file is stripped down) error message.
Please let me know when a updated version is available.
Renaming the files from .ezz to .ecc won’t work.. I’m waiting anxiously for any breakthroughs. Thanks
Usually it should take how many days or weeks in order to deal with this ransomware. It definitely a nightmare for a lot of those PC user who their file get encrypted. Everyone is crying for a solution.
Hi, my key dosen’t include the master key, so i wonder if there is possibility to get key if i have a few original, not crypted files and the same files crypted?
Hello,
Today we have discovered a lot of files with EZZ extension. For a lot of files we have backup, but some not. We have tried the teslacrypt tool, but no success:
Warning! The “key.dat” file doesn’t include the master key.
This is a quite common situation because TeslaCrypt has already deleted it
to proper mantain its stealth.
This version of the decryptor doesn’t include the algorithm needed to recove
the Master key from the Recovery key.
Please use a newer version of the tool.
Error! I was not able to recover the TeslaCrypt Master key!
Try to use the command line.
Any idea how to fix this and decrypt the files?
Regards,
Webmagic
MARAVILLOSO!!!!
ME SALVARON LA VIDA
Hi Talos Group, Just got this on a clients XP machine – encrypted files with ezz extension. On a pc and a server.
Is there going to be an updated version of your tool to decrypt the the ezz files?
Client is literally crying!!
I am asking this again, but why not run data recovery to restore the key.DAT file? Assuming of course, that this file has not been securely deleted.
This worked perfectly for me – nice work!
I had to take care of this for a client and thought I would share a few ideas for others trying to deal with this.
The current version of AVG 2014, with current updates, did not detect the virus. I submitted a copy to AVG.
First thing to do is get to a DOS prompt (Start, Run, CMD) and then type CD %APPDATA%. This will bring you to the folder containing the virus executable itself, the key.dat file containing the decryption keys, and log.html. Type NOTEPAD LOG.HTML to view a report created by the virus as to which files it encrypted. Then copy that key.dat file to wherever you downloaded TeslaDecrypter to. I created a folder C:\Tools and put key.data and TeslaDecrypter there.
Next (optional) is download TFC.exe (Temp Files Cleaner by OldTimer) and run it. The reason for this is that the virus also scrambles all of the text files, images, and whatever else it can find in all of the termporary folders. That could number well into the thousands, and it’s a waste of time to deal with all of that debris which should be cleaned out anyway.
Like others, my files were renamed *.ezz instead of *.ecc. The following DOS commands will rename all of the .ezz files to *.ecc on your C drive:
cd \
dir *.ezz /a /b /s > c:\tools\ezzfiles.txt
for /F “tokens=*” %%A in (c:\tools\ezzfiles.txt) do ren “%%A” “%%~nA.ecc”
I then used the command “C:\Tools\TeslaDecrypter.exe /deleteTeslaCrypt /scanEntirePc /KeepOriginal” to do its magic. It may take a while to finish.
Finally after reviewing results (thank you!!) I used the two DOS commands to get rid of the encrypted *.ecc files:
cd \
del *.ecc /s
Hello. My institution has also been hit by this. We have downloaded and run this tool. The tool indicated that it completed successfully and the icons for the encrypted files changed back to the appropriate image. However, when we try to access those files, we get errors saying that the files are currupted. Any suggestions on what we need to do differently?
This blog helped me recover almost 20,000 files and save my a$$ from getting canned. I learned a valuable lesson. ALWAYS BACKUP. BTW. I formatted the PC before I read this post and went back and recovered the key.dat file with the demo version of R-Studio.
i am trying to use Panda Ransomware, i have the original file and the encrypted one but it cant find the key too.
+1 for version 0.2. key.dat has no master key
What to do with this error? We have the key.dat
Warning! The “key.dat” file doesn’t include the master key
Are you guys working on having the tool be able to restore files with the stripped down key? I think this really needed.
Thanks for your great work!
Fabulous posting bro. Fairly sure he can possess a good read.
asos prom dress http://www.asosdresses.net/prom-dresses_c86.html
Malware like this are a good reason to deploy an IPS rather than a typical firewall/router solution, and make the case for specifically why I’ve used an IPS for several years now. My IPS, aside from doing the job of a normal firewall, also intelligently detects and responds against malware, botnets and attempted breaches of security. But then again, I also don’t play many PC games anymore… too busy, mainly, with work. Still, in my line of work, I’m basically on the front lines of cyber warfare, so when I say that an IPS will mitigate crap like TeslaCrypt, listen up because it’s good advice. I realize that not everyone understands technology enough to deploy an IPS, but in those cases one can be purchased, or built out by a friend, or something like that. I’m sure there are a few struggling PC repair shops around that would be more than happy to convert a P4 or early Athlon64 into a pfSense IPS/Firewall, and probably for a fairly low fee. If someone supplies the hardware, I’ll build one out for $50, because it doesn’t take me even a half hour to prep one.
I found the key.dat file and placed a few encrypted ezz files in a test directory.
When I ran tesladecrypter it was able to find the master key but not the ezz files. Then I realized it was looking for ecc files, not ezz (all my files are ezz).
when I changed the file extensions from ezz to ecc the command processed all the files, but ultimately the files were garbled, as if it was using the wrong decryption key.
Any suggestions? Thanks.
For information only to those who have a .ezz file extention, rather than the .ecc file extention.
If your encrypted files have a .ezz extention, you were probably infected a new variant of TeslaCrypt, dubbed Alpha Crypt.
http://www.bleepingcomputer.com/forums/t/574900/teslacrypt-ransomware-changes-its-name-to-alpha-crypt/
It would appear, based on the comments above and comments left on that other site, that whilst renaming the .ezz files to .ecc, (and you have the master key!) the Talos Teslacrypt Decryptor tool is fooled into thinking it successfully decrypts your encrypted file … but it hasn’t, at least not correctly. If you try this yourself, I would suggest you keep a copy of the original encrypted file first, to use later should a more successful solution be then found for you.
True.Thank you.
Thank you for working to counteract these evildoers! I have seen that there are several ransomwares that have now been cracked. As a victim of Cryptowall2, I am hoping that you or others may eventually be able to crack that one as well so those of us who were hit by it can retrieve our files. Thanks for your efforts.
Hello, we´ve exectute the script and our log contains that:
Talos TeslaCrypt Decryptor 0.1
Execution time: 04/05/2015 – 19:31
19:31:39 – Successfully imported the master key “BAB95468226816739DEC8422B23B7910A0F2E347C8B1E1E954BAAC1CBE91F118” from “C:\Documents and Settings\farmacia-alm\Mis documentos\TeslaDecrypt_exe\key.dat” file.
19:31:39 – SearchForTeslaCryptProcess – No active TeslaCrypt process found in this system!
19:31:51 – DecryptDirectory – Processing “C:\” directory (Recursive: True, Strip file extensions: True)…
Our extensions are ezz, and we changed them and the error persits.
Thanks.
Just wanted to add some more info in case it helps the devs…
We were hit by this today. As others have stated, we are getting .ezz files instead of .ecc. Changing the file extension does not seem to help in our case (Decrypter sees them and claims ‘success’, but the files are still corrupt/encrypted).
I have the key.dat and an example of an encrypted file if that will help.
hi friends, with ezz files not work.
any solution?
thks for all.
Really hopeful for an update to handle ezz files.
Hi,
I’ve tried but it doesn’t work for me, with key.dat.
On offset 0x177 of key.dat there is something written.
May be I got a variant with different offsets ?
Size of key.dat is 752B.
Thanks
A.
My key.dat exists but only contains the bitcoin address. Has anyone had any luck using data carving software to find the original version of the file? I also see that there is a registry key at HKCU\Software\Windows\CurrentVersion\SET\data. This contains the same recovery key as recovery_key.txt but may have contained the master key at some point. Any luck carving for deleted or modified registry keys? A little bit of a stretch but I’m desperate 🙂
Well I am one of those with stripped master key. I found nothing.
I digged through deleted files but almost none exist on that drive, and I tried looking past Eof of key.dat but nothing seems to remain there. I am surprised that there are no trails od deleted files, at least as found by various undelete tools.
Do anyone know whether I should try looking deeper e.g. by gHex or something else like old DiskEdit, or is it just a dead way and it is gone, overwritten in place by malware design?
The variant we have been hit with ends with .ezz. In addition you can’t launch a command prompt or task manager. I tried running the tool anyway and it does decrypt the file but the file contents are garbled and unreadable.
Please, any solution for ezz files? all my work are lose
It seem like by using RakhniDecrytor and change those files to ecc, we can decrypt most of the files. I have done it.
You may or you should try RakhniDecrytor if you are urgently required to use those encrypted file. You are advised to back up a copy of the file before trying. I have done it anyway due to urgency.
thks sylvester, but rakhnidecryptor ignore this files, we are rename to ecc too
I used your wonderful tool for TeslaDecrypter AlphaCrypt. I could not return to the original state of the file even if it seems to be unsuccessful. This is a log created by TeslaDecrypter:
Talos TeslaCrypt Decryptor 0.1
Execution time: 05.05.2015 – 11:30
11:30:50 – Successfully imported the master key “F01A6699E94EB73C8DB66F3473A3F13239C77F0EAADC25C7D1DA63971818B67D” from “C: \ Users \ Alexander \ AppData \ Roaming \ key.dat” file.
11:30:50 – SearchForTeslaCryptProcess – No active TeslaCrypt process found in this system!
11:29:57 – DecryptDirectory – Processing “C: \” directory (Recursive: True, Strip file extensions: True) …
I can catch up with the master key?
TeslaDecrypter works perfectly, change the ext.ezz by .ecc and find the file key.dat, thank you.
that files are corrupts or unreadables
moicao , you can open correctly that files???
thks for this work!!! we wait for ezz patch!!! not word for this files!! thks a lots
on a Windows 7, the tool detects the key.dat, it starts to decrypt the files, the .ecc disappeared but i still cannot open the file. what could happen?
many thanks!
Hi:
When i use tesladecryptor with flag /key: it produces an error unhandled so windows show me debug or close.
I have a key extracted from network trafic and i want to test it.
nobody response here, it isnt ideal site to make questions
hi Dear, i have the same problem with *.EZZ
i changed ezz by ecc, but now the file is corrupted.
Can you help me please.
Thanks
I have 2 key.dat files. This probably happened because there are two personal application data files on my PC. The first file was created a few hours after encryption on Thursday April 23rd. It contains the master key. The second was created five days later, but is missing the master key. ( I have 2 recovery text files which match the creation times of both key.dat files.) I ran the decrypter which choose the second key.dat ( without the master key.) Then I found the other key.dat file after doing a simple search for “key.dat”. I then ran the decrypter with the first created key.dat key file which returned a success. However, the newly created pics with no ecc extensions have no preview and the new word/excel files created are illegible. Would it be possible to put the master key into the second key.dat file which probably has the correct shifted SHA 256? I have read this site’s info a 100 times. I am no techie…just an accountant! Can someone please advise?
ShadowExplorer succeeded in finding the key.dat file, but I still can’t get the tool to find the master key. A couple interesting points:
The key in the key.dat is 128 hex digits (not 64). Also, in the RECOVERY_KEY.txt file, there is a bitcoin address and then a 64 hex key and a 128 hex key.
Has anyone else seen these double-length keys? The site here says RECOVERY_KEY.txt should have 32 and 64 hex keys.
You might have alphacrypt. Do your files end in .ecc or .ezz?
Great, thanks for the suggestion of alphacrypt, I hadn’t heard of that one yet. My files end in .ecc
Any suggestions for decrypting if it is alphacrypt?
Anyone knows if a new version of the TeslaDecrypt which can decrypt the new .ezz files, are on the way?
Can I add to the list waiting for an update that decypts .ezz files. Thanks in advance!
Someone knows how to decrypt files .ezz ?
thanks a lot
Sorry people,
but I think thats all what can decryptor do if you missing the master key you can only erase all files…It seems the
Talos group not working on that problem anymore?
Talos Team: have .ecc extensions; have 2 key.dat files(dat file 1 produced after encryption has master key) (dat file 2 produced 5 days with no master key); difference in dat files: bitcoin address change, all characters following bitcoin address changed, empty space where masterfile was, but the very last group of characters 7(maybe 8 characters) have similarities. The first 2 characters are different and the remaining characters are the same. Ran your decryption with dat file 1. Success. Result – JPEGS no preview. Used JPEG repair tools. JPEGS corrupted. Could the difference in the last 7 characters cause the corruption of JPEGS? Can a new dat file be created to correctly decrypt files? Any suggestions from anyone? Thanks…Jean
Talos Team: in reference to comment above May 6/2015 at 11:30am: the JPEGS produced from your decrypter are the exact same byte size as the original unencrypted jpeg file (retrieved from an email). Is this decrypted file truly corrupted? Or is something missing from the master key in dat file 1 that is in dat file 2 which is necessary for your decrypter to produce the image? one JPEG recovery tool returned invalid file…another tool returned severely corrupted file(copies of all original encrypted files are backed up…just don’t know how to create a new dat file if this is the issue.) Please let me know. Thanks….Jean
Good evening! I don’t have the key, but I have a picture saved on an external ahrd disk and the same one that has been encrypted on my laptop’s hard disk, is it possible to obtain the key having these? Thank you!
As information, we had a situation where Business important files where encrypted, but we had no backup of them.
We had to go through with the payment to get the decryption key.
This works! We payed 2.2Bitcoins (528$) and after 1hour we got the key and a tool to decrypt.
So, if backup is not an option, and paying is the last way out, this works.
If you have the decrypting software then you really need to contact the Talos team and get it to them so that they can reverse engineer it. If you don’t then my guess is you want people to pay the ransom…
I do not think so.
KR: I got the decryption software. If i know how to contact the Talos team to give it to them, I would do this.
The decryption requires a decryption key, a verification key and the decrypt software. I would sent it all to them, if I knew how to.
Here is the Cisco contact information. If you call them and ask to be transferred to the Talos department you might get somewhere.
http://www.cisco.com/cisco/web/siteassets/contacts/index.html
I am sorry if I came across as suspicious but my whole business was encrypted on Monday and half of my backups so I am not feeling very generous at the moment. I sincerely hope that you can get somewhere with this as it will help a lot of people. I am in the UK and our Internet Crime people were worse than useless.
email talos-external [at] cisco [dot] com
Their twitter account… https://twitter.com/talossecurity
Hello,
I am a victim of Tesla Crypt attack. My computer is clean now and I tried to recover my crypted files using Talos Decryptor 0.1. The message is:
“The key.dat file doesn’t include the master key, very possible TeslaCrypt has allready deleted it. Please use a newer version of the tool”.
Can you help here?
Many thanks,
Stefan
Stefan
you are at the same point as others. Your master key was deleted and you couldn’t do anything. there is no solutions yet. You can only pay 500USD or format PC or find the master key somewhere or Anyone will find the new solution ??
hello, i try your decrypt tool but .
“The key.dat file doesn’t include the master key, very possible TeslaCrypt has allready deleted it. Please use a newer version of the tool”. Can you help me?
KR: I’ll try to contact them, and see if they are interessted in the decryption software.
I would be grateful if you would send it to me as well, I’m an info security student and I’d like to try my luck at reverse engineering it.
pitoboxed@gmail.com
HI,
I try to decrypt a files/folder.
Tool success but file result appears as : name.file.docx_decrypted.ezz
I try to rename as original format , still not open.
Wrong something in procedure ?
Thanks
Matteo
HI
I have also paid to get the decrypt tool, but it doesnt works properly for the must of my files.
I contact this people and they tell me to try on another Operative system.
I can provide you with the decrypt tool, some encrypted files and the keys so you can work with the, to help me and any other infected people.
Tell me an address to send you those files.
Thanks for your effors.
One more question, can i edit the key.dat with the info provided by these people to make the talos tool work with my encrypted files.
Thanks
ssetal@naver.com please TT
I would love the decryption tool as well. If someone has the ability to put in on a site must be easiest.
Hi Michael, can you provide me the decryption tool? My address: checkhm01@gmail.com.
Thanks in advance.
email talos-external [at] cisco [dot] com
real.ghostie@gmail.com BIG THANKS! if it works, i can spend some BTC
hi mike.. can you send me the tools? my email is sayulovemi@gmail.com
thanks
Hi everyone! please help me solve my problem: thanks to TeslaDecrypt i saved most of my files, less one: my outlook pst profile… 13Gb of ECC file… I tried to run the program on different machines, but I got the same result: the program ends with the message SUCCESS, but the decrypted file is about 230MB… unusable… what can I do? Thanks all in advance
If someone has an online upload tool or something, I could sent the decryption software there.
It cannot be sent through Email, as every Anti virus software detects the decrypt.exe as a virus.
I would urge everyone not to run executable files from untrusted sources. This is one of the main ways malware propagates.
Try to use :
http://www.filedropper.com
rename .exe file.
Thanks
Hi,
We’ve made the source code available via Github. It is available here: https://github.com/vrtadmin/TeslaDecrypt
Hi Craig, followed all the intructions provided in thi blog but still no luck. The files im trying to restore is in .EZZ ext, they say the tool only works with .ECC? do you have an update for .EZZ. thanks in advance.
Hi everyone.
Here is a link to download the Decryption software (it’s zipped)
*removed*
hi Lasse,
does it work with .ezz ?
Or can you explain me how to ?
Thanks
Lasse, your file about Decyption on Filedropper is infected! Is a joke?
I would urge everyone not to run executable files from untrusted sources. This is one of the main ways malware propagates.
I agree 100%. This is not a decrypter.
It’s not a valid decrypter, it’s the software that is provided to you when you pay the ransom. By no means should you run the exe in hopes to clean your files. It is most certainly unsafe. If you read all of the comments you would see that it was requested by several people. The idea being, in the right hands, it might provide some insight to creating a safe and proper decrypter.
Hi Craig,
I don’t undestand if is available the .EZZ decrypter.
Thank
This is by far the worst Malware / Ransomware that I’ve experienced, and as you lot have stated, it doesn’t work with EZZ files. I wish it did, as I have a customer who’s lost all her documents / photos and I’m desperate to get them back for her! Fingers crossed the tool can be revised for EZZ files, and the people responsible for creating this malware are identified and brought to justice.
What do you think about this video with a possible solution for the .ezz files? https://www.youtube.com/watch?v=5tbm2cCcGN4
Does the tool work with the recovery_key.txt file yet? I do not have the key.dat file??
I get a ” the NTVDM CPU has encountered an illegal instruction ” when running tesladecrypter.exe from Github on:
Win XP Pro
Win Vista 32 bit
On Vista 64 the OS complains about it being incompatable
So, does no one else get this error running the .exe in Windows? Please someone tell this idiot what he’s doing incorrectly
My Company has recently been hit by a deviant of Teslacrypt, the extensions end in .exx, and the Master key was stored in “%Appdata%\Local\storage.bin” I renamed it to Key.dat and was able to pull the key from it using Talos, but it failed to decrypt.
Using TeslaDecrypter*
Looks like they have changed file extensions again. There is a new variant which creates *.exx files
Further errors from Github version: using teslacrypt.py on Vista 32 bit
Line 4 “invalid syntax error”
Phil that line is a comment. I’m not sure how you would be getting that error.
See – https://github.com/vrtadmin/TeslaDecrypt/blob/master/Python/TeslaDecrypt.py#L4
Running for example : python TeslaDecrypt.py –fic abc.py.ecc –decrypt –key 04684d9d06102effe5cadd3b218d61e37a4c693b995a6cb76db2978a2dbfd2e2
should produce output like “Wrote decrypted file abc.py.ecc.dec” where aby.py.ecc.dec
is the decrypted file
is there a way to recover exx extension files? please help. all my pictures are in .exx now and my backup is broken too
it does not work for files .ezz
have you another soluction
Hello Craig Williams! Some News for us how to decrypt .exx files? Please tell me and the other poor people that are infected. Thank you!
Turns out I didn’t have the full script –
So where are we getting the key from? I have key.dat in the decrypt directory – what else am I missing – I can run the script using the example key in your post – but of course the resulting file is not decrypted – If I don’t specify the key, the script runs but without any output
Note: I’m only doing this with the .py version because I cannot run the .exe as I mentioned before
How to decrypt exx files?
Is there a version that works on Windows7 64bit? I am getting an error. I have found the python version, but I have never messed with python.
Hello 🙂 Is there a way to get my data back, i need the pictures of my daughter. please help me. i try but it doesn’t work with the new version of that type of malware. the files have a .exx extension.
If I am unable to locate the pc and program that encrypted the files if I do pay how am I to decypt the files? Does anyone know?
Hi
I paid 2.2 bitcoins and have received the decryption software from the w*nkers who put the ransom ware on my PC. It has worked and I now have all of my files back. Frustrating as this is, I am delighted as there were 35GB of photos of my kids since they were born.
I have now backed up all of my data to an external HDD and am about to backup to an online storage as well.
One question – I have run McAfee Stinger, McAfee full version, Malware Bytes all of which now show my PC as clean. Do I need to wipe my hard drive and reload Windows and all of my software or am I safe now that the ransomware virus has been deleted?
Thanks
Hi. It would be better to reinstall your Windows and install all your needfull Software after that. You can’t trust, that your System is safe, because they can left such tools for catch passwords and so on. Can u send me a download link for the decryption software please? i can pay the half of your btc if it works. thank you
real.ghostie@gmail.com
Alex – without the decryption key and verification key, which is unique for each user, the decryption software is useless. Sorry to be the bearer of bad news but at least if you pay them then you can get you data back.
dear ‘need advice’
how long until you got your key? And how did you get it. I have paid but 24 hours on no key. Unless i’m doing something wrong?
Please help to decrypt .exx files, the tool doesn’t work for them
I too have had some experience of this today.
Local company rang me up to take a look at the machine and it had encrypted all the files with the extension .exx not only that it wiped out the shadow copies on the drive.
As mentioned earlier looks like this variant uses a storage.bin file in appdata as the key file and not key.dat, so I have a key file but running the tesladecrypter allows the key to be picked up but I have to rename the files from .exx to .ecc for it to attempt to decrypt the files.
All it does is delete the file and reports in the log that the file is not encrypted or not a TeslaCrypt encrypted file.
MSS found ransom:win32/Tescrypt.A and has quarantined now just need to find a way to decrypt these files if possible.
So I was infected by a ransomware on my android phone. I got it off and ran security apps that were suggested by other big blogs. The only problem that I have is that all of my pictures and music are still encrypted. How do I decrypt them on my phone? any suggestions would be great, you can email me at michaelconner1790@yahoo.com
Same as others have noted. My files renamed with .exx extension and no key.dat but storage.bin file along with log.
Any help would be appreciated and thank you for your work already with ecc and ezz files.
dear ‘need advice’
how long until you got your key? And how did you get it. I have paid but 24 hours on no key. Unless i’m doing something wrong?
Has anyone been able to decrypt the ECC with key.dat files that does not include the master key?
Can I find in this case the master key in the file storage.bin ?. How should I proceed?
Thank you very much.
Dear Cisco members,
Is there any change a decryption tool for .ezz will become available soon?
Thank you very much,
Sam
Hello cisco team! Is it possible to decrypt .exx files with tha master key from storage.bin? Please help me and other who have the same problem. Thank you so much !
Hi Katrin – I try to do exact that on a encrypted Windows XP machine. I can run the decryptor and get an “success” – message for the chosen encrypted files, unfortenetely nothing happens, I still can’t open the files. Do you experience the same behaviour?
@Michael: Yes, I’m experience the same behaviour. Before running TeslaDecrypter I have rename the .exx extension to .ecc, but they are still encrypted. I can’t pay this criminals, because by doing so I’m only convincing them that they are in the right line of business. And the second reason is, that I don’t trust that i get something back for the Bitcoins. @all stop paying these people
Same problem aswell, I just got a computer of my client and it is infected with .exx… I tried to run with Cisco Talo Tesladecrypt with the key.dat (rename from storage.bin from \%USERNAME%\Appdata\Local\Storage.bin) and i got succes. But the files are still encrypted.
sam here, got .exx files, found storage.bin and rename it to key.dat, it made log file and it wrote key inside, files that i rename to .ecc he just deleted….. that is it
I have the same problem, my file endings are .exx.
Is it possible to store my encrypted files on a extern harddisc and wait until it can be decrypted or i need some files like key.dat (i couldnt find it). Or are they lost after i cleaned up my windows?
@Alex In your case (.exx files) you have to save the store.bin, because there is no key.dat.
Thank you for your reply Katrin. Where I can find the file store.bin in Win 7?
tengo archivos encriptados en .exx, cuando abrí el archivo storage.bin, solo tiene la dirección donde depositar los bitcoins. y no me permite desencriptar.
So I gather that your group has given up on recovering the Master Key from a stripped Key.dat?
Has anyone else had trouble running this on a Windows 7 64bit machine? I have tried the Python versions but get errors in the code.
I had issues with running ALL the versions until I downloaded the files “Raw”
“RAW”?
On Github – if you click on the link to TeslaCrypt.exe (for example) your taken to page that has a “raw” button or link that will start your file download. Right clicking, and downloading will get you an incomplete file.
for your information RakhniDecryptor of Kaspersky allowed me drecrypter 16591/16664 files that were encrypted by AlphCrypt in *.ezz
@Ricoboss: may you please elaborate how did you decrypt ecc files with that RakhniDecryptor of Kaspersky ?
Thanks a million
I grabbed rakhni decrypter but it only allowed me to select a single file and after 30 minutes, I gave up without success.
I would be really appreciative if you could elaborate!
@Brian: indeed! that Decryptor tried 1 billion pwd in 2 hours then gave up, moreover seems to ignore completely the exit.hhr.oshit.
I ran the process several times, with or without exit.hhr.oshit , key.dat in %APPDATA%, %TEMP%, %windir%, c:\ and even its folder, but the time, the log and the result is always identical. NO success; I believe that Ricoboss did not experience his decryption with Alphacrypt, but (lucky for him) with a different ransomware.
My encrypted files have .exx extension. Tesladecrypter does his work, find the key in storage.bin (renamed to key.dat) and examine my HDs reporting a Success end.
But the files are encrypted! what should I do? rename all files to *.ecc and decrypt again?
New variant has been discovered.
http://www.bleepingcomputer.com/forums/t/575875/new-teslacrypt-version-released-that-uses-the-exx-extension/
Is Cisco currently working on a fix for the EXX variant?
I was able to recover a recovery-key.txt file with third party software and they decrypter says it was successful, but all the files are now encoded incorrectly and they are just symbols. Is there something else I can do?
Has anyone been able to decrypt the ECC with key.dat files that does not include the master key? Can I find in this case the master key in the file storage.bin ?. How should I proceed? Thank you very much.
If you are still trying to decrypt AlphaCrypt .ezz files try the tool posted here, it worked for me.
http://www.bleepingcomputer.com/forums/t/574900/teslacrypt-ransomware-changes-its-name-to-alpha-crypt/page-4
It worked perfectly.I recovered all my work …
You are gods for me …
Cisco Team: Do you think that will be posible, without the master key to decrypt ?? (in the near future).
I am a little frustrated.
I was hit by this today. I have the .exx variant. I do not have the key.dat file but I do have the RECOVERY_FILE.txt. I cannot seem to get the tool to work. The key inside the text file is 128 characters, while the tool is expecting a 32 or 64 character long key. Any help would be appreciated.
Ive here a infection with the exx variant. The Keyfile is named now \Local\storage.bin
Is there allready a chance to decrypt the files?
Ive here a infection with the exx variant. The Keyfile is named now Appdata\Local\storage.bin Is there allready a chance to decrypt the files?