
I got ransomware attacked in 2016, I have the files, how to decrypt them?



As the title says, I got attacked in 2016 (I can't remember the exact date). I was 16 years old with 0 English, so I didn't understand anything from the ransom message; it was saying Help Decrypt and some other stuff. I backed up my pictures/videos to a flash drive, then I reinstalled Windows. Now I want to decrypt my old files, but the only thing I know is that all the files have an mp3 extension. So if a file name was a.jpg, the attack made it a.jpg.mp3. I researched a bit and found TeslaCrypt, and I used the decryption tools below:

  • esetteslacryptdecryptor
  • avast_decryptor_teslacrypt3
  • avg_decryptor_TeslaCrypt3
  • RansomwareFileDecryptor 1.0.1668 MUI
  • TeslaDecrypter

None of them helped. All of them remove the mp3 extension, but when I try to open the jpg file I get a message saying "this file format may not be supported." (I translated it from my native language, so it might be a bit different.) When I go to https://id-ransomware.malwarehunterteam.com/ and try to find out what the ransomware is, it says

"

TeslaCrypt 3.0

This ransomware is decryptable!

Identified by

  • sample_extension.mp3
  • sample_bytes[0x00 - 0x30] 0x00000000000000008AC18DCE15952AFB0000000000000000

Click here for more information about TeslaCrypt 3.0

TeslaCrypt 4.0

 This ransomware is decryptable!

Identified by

  • sample_extension.mp3
  • sample_bytes[0x00 - 0x30] 0x00000000000000008AC18DCE15952AFB0000000000000000

Click here for more information about TeslaCrypt 4.0

"

I don't know if sharing an encrypted file here is a good idea so I'm not sharing for now, but if someone wants, I can send a file for examination.  

Can someone help me please 

 

Edited by erenucuncu

  • Administrators

Please provide:
1. A handful of encrypted files (ideally Office documents)
2. The ransomware note with payment instructions
3. Log collected with ESET Log Collector from the machine.


Instructions for use of Eset's decryptor for TeslaCrypt here: https://support.eset.com/en/kb6051-how-do-i-clean-a-teslacrypt-infection-using-the-eset-teslacrypt-decrypter . It supposedly works on ver. 3.0 and 4.0 of TeslaCrypt.

If this is the decryptor you used and it didn't work, my guess is you got nailed by a TeslaCrypt variant that is not decryptable.

Edited by itman

  • 2 weeks later...

Judging by the README.txt file from TeslaDecoder TeslaCrypt 3.0.0 - 3.0.1 (.xxx, .ttt, .micro), 4.0+ (as original) *.mp3 also applies to TeslaCrypt v3 version. It would be a good idea on your part to provide several encrypted mp3 files + logs from the esetteslacryptdecryptor.exe program to see what result is obtained after the decryption process is completed.

For example:
Quote

[2024.03.11 16:16:35.695] - --------------------------------------------------------------------------------
[2024.03.11 16:16:35.695] - INFO: Cleaning [2\2008 Leather Prcing updates.xls.mp3]
[2024.03.11 16:16:35.714] - INFO: Cleaned
[2024.03.11 16:16:35.734] - --------------------------------------------------------------------------------
[2024.03.11 16:16:35.735] - INFO: 1 infected files found.
[2024.03.11 16:16:35.736] - INFO: 1 file(s) cleaned.
[2024.03.11 16:16:43.795] - End

It was possible that there was double encryption of 3.0 and 4.0 in some order, and the decryptor had to be run twice to decrypt each of the encryption layers. If the first layer of encryption was Cryptowall 3.0, then it will not be possible to completely decrypt the file. But all this needs to be checked after you provide the necessary files (preferably 3-4).


Hello @safety, here are 3 jpg files, 1 doc file, 1 xls and 1 ppt file. I used esetteslacryptdecryptor.exe


It says that it solved the problem, but the files are still broken. I can't open them. 

I don't know how to attach these files as files here. When I say attach it just sends them as voic

Edited by erenucuncu

  • Administrators

Please follow the instructions in my previous post and provide the requested logs as well.


I think the decryption of your mp3 files was correct using esetteslacryptdecryptor.exe, but there is also a second layer of encryption, and this, unfortunately, is Cryptowall 3, judging by the first 16 bytes at the beginning of each file after decryption. (The first 16 bytes are the same for all files.)

723800F3740E5CF011BDB7F6EE44EC63


Edited by safety
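
The check described in the post above, as an added example that is not part of the original thread or of any ESET tool: it reads the leading bytes of each file a decryptor produced, compares them with the well-known magic number for the file's extension, and reports when every broken file starts with the same 16 bytes. The function names, verdict strings and sample file names are assumptions made for this illustration; the 16-byte value in the sample is the one quoted in the post.

```python
from collections import Counter
from pathlib import Path

# Well-known magic numbers for the file types named in the thread.
JPEG = b"\xff\xd8\xff"
OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
MAGIC = {".jpg": JPEG, ".jpeg": JPEG, ".doc": OLE2, ".xls": OLE2, ".ppt": OLE2}


def read_headers(directory, n=16):
    """Map each regular file in `directory` to its first n bytes."""
    headers = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file():
            with path.open("rb") as fh:
                headers[path.name] = fh.read(n)
    return headers


def triage(headers, n=16):
    """Classify decryptor output given {filename: leading bytes}."""
    # Files whose extension we recognise but whose magic number is wrong.
    bad = sorted(name for name, head in headers.items()
                 if Path(name).suffix.lower() in MAGIC
                 and not head.startswith(MAGIC[Path(name).suffix.lower()]))
    if not bad:
        return {"verdict": "ok", "bad": [], "shared_prefix": None}
    # Files that fail their own magic check yet all begin with the same
    # n bytes were most likely wrapped by the same tool (a second layer).
    counts = Counter(headers[name][:n] for name in bad)
    prefix, hits = counts.most_common(1)[0]
    if len(bad) >= 2 and hits == len(bad) and len(prefix) == n:
        return {"verdict": "second_layer_suspected", "bad": bad,
                "shared_prefix": prefix.hex().upper()}
    return {"verdict": "corrupt_or_wrong_key", "bad": bad, "shared_prefix": None}


# Constructed sample: three "decrypted" files that all start with the
# 16-byte value quoted in the post above.
SAMPLE = {name: bytes.fromhex("723800F3740E5CF011BDB7F6EE44EC63")
          for name in ("photo.jpg", "sheet.xls", "letter.doc")}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run `triage(read_headers(folder))` on a copy of the decryptor's output folder, never on the only copy of the encrypted originals.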

Quote

Are there public decryption tools for CryptoWall 2.0 and 3.0 and CryptoWall 4.0?

There are no public decryption tools available for CryptoWall 2.0, 3.0, or 4.0 at this time.

https://www.salvagedata.com/cryptowall-ransomware-data-recovery/

Edited by itman