erenucuncu, posted February 29 (edited)

As the title says, I got attacked in 2016 (I can't remember the exact date). I was 16 years old with 0 English, so I didn't understand anything from the ransom message. It was saying Help Decrypt and some other stuff. I backed up my pictures/videos to a flash drive, then I reinstalled Windows.

Now I want to decrypt my old files, but the only thing I know is that all the files have the mp3 extension. So if a file name was a.jpg, the attack made it a.jpg.mp3. I researched a bit and found TeslaCrypt, and I used the decryption tools below:

esetteslacryptdecryptor
avast_decryptor_teslacrypt3
avg_decryptor_TeslaCrypt3
RansomwareFileDecryptor 1.0.1668 MUI
TeslaDecrypter

None of them helped. All of them remove the mp3 extension, but when I try to open the jpg file I get a message saying "this file format may not be supported." (I translated it from my native language, so it might be a bit different.)

When I go to https://id-ransomware.malwarehunterteam.com/ and try to find out what the ransomware is, it says:

"TeslaCrypt 3.0
This ransomware is decryptable!
Identified by
sample_extension: .mp3
sample_bytes: [0x00 - 0x30] 0x00000000000000008AC18DCE15952AFB0000000000000000
Click here for more information about TeslaCrypt 3.0

TeslaCrypt 4.0
This ransomware is decryptable!
Identified by
sample_extension: .mp3
sample_bytes: [0x00 - 0x30] 0x00000000000000008AC18DCE15952AFB0000000000000000
Click here for more information about TeslaCrypt 4.0"

I don't know if sharing an encrypted file here is a good idea, so I'm not sharing one for now, but if someone wants, I can send a file for examination. Can someone help me, please?

Edited February 29 by erenucuncu

Marcos (Administrators), posted March 1

Please provide:
1. A handful of encrypted files (ideally Office documents)
2. The ransomware note with payment instructions
3. Log collected with ESET Log Collector from the machine.

itman, posted March 1 (edited)

Instructions for use of Eset's decryptor for TeslaCrypt here: https://support.eset.com/en/kb6051-how-do-i-clean-a-teslacrypt-infection-using-the-eset-teslacrypt-decrypter . It supposedly works on ver. 3.0 and 4.0 of TeslaCrypt.

If this is the decryptor you used and it didn't work, my guess is you got nailed by a TeslaCrypt variant that is not decryptable.

Edited March 1 by itman

safety, posted March 11

Judging by the README.txt file from TeslaDecoder:

TeslaCrypt 3.0.0 - 3.0.1 (.xxx, .ttt., .micro), 4.0+ (as original)

*.mp3 also applies to the TeslaCrypt v3 version.

It would be a good idea on your part to provide several encrypted mp3 files + logs from the esetteslacryptdecryptor.exe program, to see what result is obtained after the decryption process is completed. For example:

Quote:
[2024.03.11 16:16:35.695] - --------------------------------------------------------------------------------
[2024.03.11 16:16:35.695] - INFO: Cleaning [2\2008 Leather Prcing updates.xls.mp3]
[2024.03.11 16:16:35.714] - INFO: Cleaned
[2024.03.11 16:16:35.734] - --------------------------------------------------------------------------------
[2024.03.11 16:16:35.735] - INFO: 1 infected files found.
[2024.03.11 16:16:35.736] - INFO: 1 file(s) cleaned.
[2024.03.11 16:16:43.795] - End

It was possible that there was double encryption of 3.0 and 4.0 in some order, and the decryptor had to be run twice to decrypt each of the encryption layers. If the first layer of encryption was Cryptowall 3.0, then it will not be possible to completely decrypt the file. But all this needs to be checked after you provide the necessary files (preferably 3-4).

erenucuncu (Author), posted March 11 (edited)

Hello @safety, here are 3 jpg files, 1 doc file, 1 xls and 1 ppt file. I used esetteslacryptdecryptor.exe. It says that it solved the problem, but the files are still broken. I can't open them. I don't know how to attach these files as files here. When I say attach it just sends them as voic

6. sınıf fen kavram haritası.doc.mp3
6. sınıf kavram haritaları.ppt.mp3
100 Temel Eser.xls.mp3
20130616_111116.jpg.mp3
20130616_111120.jpg.mp3
20130616_111122.jpg.mp3

Edited March 11 by erenucuncu

erenucuncu (Author), posted March 11

You can see some example files from here: https://drive.google.com/drive/folders/1OR_nrQMrR826zv4hgSDX9hZhjHj4PqUc?usp=drive_link

Marcos (Administrators), posted March 11

Please follow the instructions in my previous post and provide the requested logs as well.

safety, posted March 11 (edited)

Quote (36 minutes ago, erenucuncu said):
You can see some example files from here: https://drive.google.com/drive/folders/1OR_nrQMrR826zv4hgSDX9hZhjHj4PqUc?usp=drive_link

I think the decryption of your mp3 files was correct using esetteslacryptdecryptor.exe, but there is also a second layer of encryption, and this, unfortunately, is Cryptowall 3.

Judging by the first 16 bytes at the beginning of each file after decryption. (The first 16 bytes are the same for all files.)

723800F3740E5CF011BDB7F6EE44EC63

Edited March 11 by safety
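
The header check described in the post above, as an added example that is not part of the original thread or of any decryptor: it compares the first bytes of each file the decryptor produced with the standard signature for its extension, and reports a header shared by every file that fails. The sample files are constructed; the 16-byte value is the one quoted in the post, and the function names are hypothetical.

```python
import os
import tempfile

# Standard file signatures for the file types posted in the thread.
OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy Office compound file
MAGIC = {".jpg": bytes.fromhex("FFD8FF"), ".doc": OLE2, ".xls": OLE2, ".ppt": OLE2}
# 16-byte value quoted in the post above as the start of every decrypted file.
REPORTED_HEADER = bytes.fromhex("723800F3740E5CF011BDB7F6EE44EC63")

def triage(paths, header_len=16):
    """Return ({path: status}, shared_header or None) for decryptor output."""
    status, bad_heads = {}, []
    for path in paths:
        with open(path, "rb") as fh:
            head = fh.read(header_len)
        magic = MAGIC.get(os.path.splitext(path)[1].lower())
        if magic is None:
            status[path] = "unknown-type"
        elif head.startswith(magic):
            status[path] = "ok"
        else:
            status[path] = "bad-magic"
            bad_heads.append(head)
    # Files of different types that all begin with the same bytes suggest a
    # common wrapper or a remaining encryption layer, not random corruption.
    shared = None
    if len(bad_heads) >= 2 and len(set(bad_heads)) == 1:
        shared = bad_heads[0]
    return status, shared

def demo():
    """Run triage over constructed sample files (not real victim data)."""
    samples = {
        "a.jpg": REPORTED_HEADER + b"\x00" * 32,  # constructed
        "b.xls": REPORTED_HEADER + b"\x11" * 32,  # constructed
        "c.jpg": bytes.fromhex("FFD8FFE0") + b"\x00" * 32,  # healthy JPEG start
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, data in samples.items():
            paths.append(os.path.join(tmp, name))
            with open(paths[-1], "wb") as fh:
                fh.write(data)
        status, shared = triage(paths)
    return {os.path.basename(p): s for p, s in status.items()}, shared

if __name__ == "__main__":
    print(demo())
```

Run it against copies of the decryptor's output, never the only copy of the encrypted originals.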

itman, posted March 11 (edited)

Quote:
Are there public decryption tools for CryptoWall 2.0 and 3.0 and CryptoWall 4.0?
There are no public decryption tools available for CryptoWall 2.0, 3.0, or 4.0 at this time.

https://www.salvagedata.com/cryptowall-ransomware-data-recovery/

Edited March 11 by itman