
Decrypt and remove Teslacrypt 3.0 .mp3 files



Teslacrypt 3.0 now appends .mp3 to the names of all encrypted files. Basically, it is the same virus that changes its minor features.


The just-surfaced version of this ransomware comes up with its original names of the ransom notes:

H_e_l_p_RECOVER_INSTRUCTIONS+[3-characters].png
H_e_l_p_RECOVER_INSTRUCTIONS+[3-characters].txt
H_e_l_p_RECOVER_INSTRUCTIONS+[3-characters].HTML

Teslacrypt 3.0 holds data stored in a computer system for ransom. The data remains on a host machine. The virus applies a sophisticated encryption so that any application cannot read the affected files. To render files with .mp3 extension into a readable format, a victim is told to pay a certain amount. The amount is payable in bitcoins and via TOR network.

The scam is an ongoing affair. The ransomware in question is but one of a number of counterparts. They differ by the encryption method applied, prevailing propagation schemes, ransom amount, etc. Within its variety, Teslacrypt 3.0 modifications undergo continuous improvements to complicate the removal of this virus and the recovery of files with .mp3 extension.

That sounds too dull for a victim. Let us consider it from another angle, though. As the ransomware requires constant approval and updating it has multiple vulnerabilities. Even if you get your data encrypted and the value of thus affected information is very high, please do not rush into paying the ransom. Most likely, a ransom-free solution for your case is available.

There are plenty of data recovery tools. Some of them are tailored to handle the data encrypted for ransom. Most likely, such tools would perform a satisfactory backup.

In order to restore complete access to the latest editions of the encrypted files, relevant decryption key shall apply.

Once inside a computer system, the virus completes its installation. The successful installation enables the infection to scan any drive available from the affected machine. That extends to any mapped drives, including network and web-hosted sources.

The detected items cover nearly any files on scanned drives. That is, the rogue applies a very broad filter. It detects files with specific extensions. The extensions include virtually any existing variants.

The data detected by Teslacrypt 3.0 is modified using a sophisticated decryption technique. A private key is used and dispatched to a remote server. Victims are presented with a relevant ransom note that details the method and terms of payment and other applicable conditions. Its language may vary from case to case ranging from rather flattering to rather threatening and mocking.

Indeed, unless you acquire the private key, the decryption of .mp3 files is not feasible. Fortunately, cases have been reported of releasing thousands of keys by white hat hackers and cyber police. Hopefully, that is to be the case for the ransomware in question, too.

Again, as stated above, there are a number of approaches enabling sufficient backups for ransomed data. If hit by the virus, kindly apply the backup solutions rather than providing further incentives to the crooks by transferring the amount claimed.

It is also important to note that a victim needs to get rid of Teslacrypt 3.0 upon completing required recovery actions. Failure to remove Teslacrypt 3.0 may entail further damages. Removal of .mp3 file extension virus disables the option of applying the decryption key.


This is most likely another spammer.

The above post is as far as I can see identical with the one (now deleted) posted on Bleeping, except for the very last part: "for more detail you may google it sure shot software".

hxxp://webcache.googleusercontent.com/search?q=cache:-id4HnXgcMcJ:www.bleepingcomputer.com/forums/t/605185/teslacrypt-30-xxx-ttt-micro-mp3-support-topic/page-5+&cd=1&hl=sv&ct=clnk&gl=se

The post no longer exists on Bleeping since it has already been deleted. But scroll down on the google cache link above and see post #62 by "mizan24h".

Edited by SweX

The year of 2015 saw a strain of ransomware called CryptoWall wreak havoc on the computer systems and networks it had infected. According to Cyber Threat Alliance, CryptoWall 3.0, one of the versions of CryptoWall that came out in January 2015, has already extorted $325 million from thousands and thousands of victims worldwide in the past 12 months. If this ransomware persists the way it did in 2015, more people will fall victim to this threat and more damage will be caused. So, it is very important that PC users understand ransomware and learn how to avoid it.

Edited by Marcos
Links promoting commercial or dubious products or services removed

Link 1 Hmmm..... (screenshot attached)

Link 2 Hmmm..... (screenshot attached)

Link 3 Hmmm..... (screenshot attached)

It seems like a bunch of "Enigmatroopers" have infiltrated the ESET forum. May the Force be with us. The Force was with us and saved us from the dark side once again. (;

Edited by SweX

  • Administrators
It seems like a bunch of "Enigmatroopers" have infiltrated the ESET forum. May the Force be with us.

Thanks for the heads-up SweX. The forces have now removed the dubious links :)


It seems like a bunch of "Enigmatroopers" have infiltrated the ESET forum. May the Force be with us.

Thanks for the heads-up SweX. The forces have now removed the dubious links :)

Thank you SweX and Marcos!


teslacrypt-3.0 is considered a ransomware which is designed by cyber criminals for the purpose of making profits. It usually shows you a warning message that your files are encrypted and you have to pay a ransom to get your files back. However, it is just a scam; what you need to do is to get rid of teslacrypt-3.0 soon.

Edited by TomasP
removed link

It seems like a bunch of "Enigmatroopers" have infiltrated the ESET forum. May the Force be with us.

Thanks for the heads-up SweX. The forces have now removed the dubious links :)

The force is strong in the ESET family. Nice job, Marcos ;)

Edited by TomasP, 19 February 2016 - 12:51 PM.

removed link


Hehe. No need to ask where that deleted link went. Nice proactive job, TomasP. :)

Would be even better if all new members that do nothing but post spam were banned ASAP (not just removing the links in their posts), to not give them the possibility to come back and post even more on here whenever they like. Which is exactly what "haronaroum" did - came back to post more spam. Marcos even deleted a "fishy" link in the very first post by "haronaroum" last December: https://forum.eset.com/topic/6755-cryptowall-cryptolocker-detection/?p=37476

The member "haronaroum" in this thread is nothing more than a simple spammer.

"haronaroum Asked on 5. February 2016"

hxxp://answers.winbuzzer.com/question/how-do-i-remove-browser-hijack-malware-newsearch123-com/

"By haronaroum, Junior Member on 16th November 2015, 05:08 AM"

hxxp://forum.xda-developers.com/general/help/computer-virus-t3249957/post63847710#post63847710

"Try completely removing all parts of Chrome with Spyhunter 4"

https://linustechtips.com/main/topic/518468-some-sort-of-malware-in-chrome/#comment-6935088

"manual removal resources: uufix"

hxxp://forums.moneysavingexpert.com/showthread.php?p=69588057#10

One Enigmatrooper busy doing its job.

(It gets even more fun when I see that "haronaroum" uses the same avatar as another spammer on here, that uses the nickname "Michelle" - who also joined the forum last December, just like "haronaroum").

Edited by SweX

Good idea SweX about banning forum spammers. :) (Two thumbs up!)

They'll do anything like using a pretty avatar picture like a girl. Who would question that? :angry:

Just more fertilizer for the garden. ;)

Edited by TomFace

Why do we see things happening to people and we think that we won't get hit too?

I am not a spammer, I am not a scammer.... just a victim....

I found my laptop this morning showing ugly pages, saying that my files have been encrypted. I still cannot believe it.

There is no clear name stated..... just a generic "CryptoWall decrypter".

Many files now end with .mp3 !

Here is the copy and paste of the text I have been reading since morning... I just replaced some info with xxxxx

I am willing to provide more/full info, if this can be useful to fight back the delinquents, but not on this public board.
============================================

NOT YOUR LANGUAGE? USE Google Translate
What happened to your files?
All of your files were protected by a strong encryption with RSA
More information about the encryption RSA can be found here https://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean?
This means that the structure and data within your files have been irrevocably changed, you will not be able work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them

How did this happen?
Especially for you, on our SERVER was generated the secret key pair RSA - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program which is on our Secret Server!!!

What do I do?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed
If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1 - hxxp://xxxxxxxxxxxxxxxx.pontogrot.com/xxxxxxxxxxx
2 - hxxp://xxxxxxxxxxxxxxx.hotchunman.com/xxxxxxxxxxxxx
3 - hxxp://xxxxxxxxxxxxxadfkksawe.bematvocal.at/xxxxxxxxxxxxxxx

If for some reasons the addresses are not available, follow these steps:
1 - Download and install tor-browser: hxxp://www.torproject.org/projects/torbrowser.html.en
2 - After a successful installation, run the browser and wait for initialization.
3 - Type in the tor-browser address bar: xxxxxxxxxxxxxx.onion/xxxxxxxxxxxxxx
4 - Follow the instructions on the site.

!!! IMPORTANT INFORMATION:
Your Personal PAGES:
hxxp://xxxxxxxxxd.pontogrot.com/xxxxxxxxxx
hxxp://xxxxxxxxxere.hotchunman.com/xxxxxxxxxxxxx
hxxp://xxxxxxxe.bematvocal.at/xxxxxxxxxxxxxxxxxx
Your Personal TOR-Browser page : xxxxxxx.onion/xxxxxxxxxxxxxxxxx

Your personal ID (if you open the site directly): xxxxxxxxxxx

===============

My personal laptop has been hit, with tons of videos and pictures of my newborn baby girl. I am so upset....

They are so generous that 1 file is offered to be decrypted for free, as an example of their ability to recover the remaining tons of data.

I am not sure there will be something/somebody around able to help me out.

Regards,

Edited by TomasP
removed some links

Hello,

To go back to the main subject, is it correct what fdsfserfffff says? He stated that it is "just" a scam and it will be enough to get rid of "teslacrypt-3.0" to get the files back?

What hit my laptop looks like a variant of TeslaCrypt 3, reading around.

Your guidance is very much appreciated.

Thank you

regards


I have NOD32 on two of my computers and a couple of days back an Alert window started to continuously appear, detecting Win32/Filecoder.TeslaCrypt in my Dropbox cache hidden folder (on both computers). There were over 100 alerts all the time in different tmp files (which NOD constantly cleaned out by deletion). After I stopped synchronization in the Dropbox client the alerts stopped. I started a thorough scan on all my drives (local) and the result was "clean".

Two years back I gave one of my friends a sharing link (read/write access) to one folder and sub-folders in my Dropbox cloud. And now everything in this folder structure was encrypted with a new file extension *.mp3 (*.jpg.mp3, *.pdf.mp3, *.mp4.mp3, ...). Original files were deleted a day ago under this friend's name (in Dropbox history) and changed files added to the cloud. All this had already been synchronized (the Dropbox client did that) to my computers (original files deleted and encrypted copies copied to the local drives of my computers). In every folder in the cloud there were 3 new files containing the ransom note - description of what to do, "Recovery + qwobe.ext" (html, txt and png file - what Rodrigo wrote above). But only the png files (final worm wallpaper picture Recovery+qwobe.png) were synchronized to my local drive since NOD did not allow the html and txt files to be copied - it found a threat inside. But all these files were still on the cloud.

So, this is really a very unpleasant and dangerous threat. Remember to check everywhere with different tools for detecting and cleaning filecoders.

  • Stop synchronization to Dropbox (client) immediately.
  • Then be sure your PC is clean and that the worm is not active (thorough in-depth scan with updated antivirus and anti-malware tools; I suggest using more than one) and do that ASAP; meanwhile turn the computer off and scan it booting from an external drive, or remove your HD and scan it on another computer.
  • Then check Dropbox with an internet browser for new files (ransom notes, typically in html, txt and png files ' TEs) in every sub-folder and for encrypted files with the new extension (typically *.original-ext.mp3 for TeslaCrypt v3.0). Be very cautious here; my NOD said that html and even txt files are infected. Dropbox does not scan your cloud for viruses; this is your problem and you cannot do this easily. You will see if there is a threat only when you enable synchronization again in your client and the client tries to overwrite your local files again with potentially changed (and new) files from the cloud. So be sure beforehand that you have a good and updated antivirus app active at that time. And before that you should also check all your shares allowing your friend write access to your cloud folders and cancel them (you should also make friends aware of the serious threat from your cloud if it is there).
  • Then scan thoroughly all your drives, local and network - it could be everywhere; if not the worm, encrypted files could be there.
  • Do not forget backup drives (USB) - encrypted files could already be there if you did a backup (or a mirror instead of a proper backup, which could be a catastrophe for your data) before you realized that you have a problem on your PC.
  • If you use Dropbox and you have important files there, this is maybe your best chance to get something back although the files are encrypted there. Check Dropbox history (events) and find out when original files were deleted and encrypted ones added. Then restore prior versions of files and delete encrypted files. Check help for how you can do that (for a large number of files you will probably have to ask Dropbox support to do that for you).

NOD32 apparently does the job well. However, I am still a bit disappointed since it is very unspecific and gives very poor information about versions of the threat etc.

Regards

Samo Z.

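The checklist in the post above (look in every folder for ransom notes and for files renamed to *.original-ext.mp3, then work out when the encryption happened so Dropbox history can be rolled back) is tedious to do by hand over a large share. The following is an added, read-only triage script written for this thread; it is not code from any poster, from ESET, or from the ESETTeslaCryptDecryptor. The file-name patterns are the ones reported here (H_e_l_p_RECOVER_INSTRUCTIONS+xxx, ReCoVeRY_xxxx, Recovery+qwobe, and the appended .mp3). The MP3-header check that rules out genuine audio files, and the sample tree it builds, are my own constructions; the tool never deletes, renames or decrypts anything.

```python
"""Offline triage of a folder tree for TeslaCrypt 3.0 ".mp3" indicators.

Constructed example for this thread, not ESET's or any poster's code.
It only reads and reports; it never deletes, renames or decrypts.
"""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Naming patterns reported in the thread: encrypted files keep their full
# original name and gain a trailing ".mp3" (report.docx -> report.docx.mp3);
# ransom notes are dropped per folder as html/txt/png files named
# H_e_l_p_RECOVER_INSTRUCTIONS+xxx, ReCoVeRY_xxxx or Recovery+qwobe.
ENCRYPTED_RE = re.compile(r"^.+\.(?P<orig_ext>[A-Za-z0-9]{1,5})\.mp3$", re.IGNORECASE)
NOTE_RE = re.compile(
    r"^(?:H_e_l_p_RECOVER_INSTRUCTIONS\+\w{3}|ReCoVeRY_\w+|Recovery\+\w+)\.(?:html|txt|png)$",
    re.IGNORECASE,
)


def looks_like_real_mp3(path):
    """True if the file carries a genuine MP3 header (ID3 tag or frame sync).

    A ransomed file keeps only its name; its content is ciphertext, so a real
    audio header is a strong sign the name match is a false positive
    (e.g. a legitimate "live.2015.mp3"). This check is my own addition.
    """
    with open(path, "rb") as fh:
        head = fh.read(3)
    if head.startswith(b"ID3"):
        return True
    # MPEG audio frame sync: the first 11 bits of the frame header are set.
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0


def triage(root):
    """Walk `root` and collect indicators without modifying anything."""
    encrypted, notes = [], []
    by_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            m = ENCRYPTED_RE.match(name)
            if m and not looks_like_real_mp3(path):
                encrypted.append(path)
                by_ext[m.group("orig_ext").lower()] += 1
            elif NOTE_RE.match(name):
                notes.append(path)
    # Earliest modification time helps locate the event in Dropbox history
    # (the "when were originals deleted and encrypted copies added" step).
    first_seen = min((p.stat().st_mtime for p in encrypted), default=None)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "by_original_ext": dict(by_ext),
        "note_dirs": sorted({str(p.parent) for p in notes}),
        "first_seen": first_seen,
    }


def build_demo_tree():
    """Create a constructed sample tree (not real ransomware artefacts)."""
    root = Path(tempfile.mkdtemp(prefix="mp3_triage_"))
    (root / "shared" / "photos").mkdir(parents=True)
    (root / "music").mkdir()
    opaque = b"\x8f\x21" + bytes(range(64))  # stand-in for ciphertext, no audio header
    (root / "shared" / "invoice.xlsx.mp3").write_bytes(opaque)
    (root / "shared" / "photos" / "baby.jpg.mp3").write_bytes(opaque)
    (root / "shared" / "H_e_l_p_RECOVER_INSTRUCTIONS+abc.txt").write_text("note")
    (root / "shared" / "photos" / "ReCoVeRY_q1w2.html").write_text("<p>note</p>")
    (root / "shared" / "readme.txt").write_text("clean file, untouched")
    # Genuine audio: one with an ID3 tag, one starting at a frame sync.
    (root / "music" / "song.mp3").write_bytes(b"ID3\x03\x00" + b"\x00" * 16)
    (root / "music" / "live.2015.mp3").write_bytes(b"\xff\xfb\x90\x00" + b"\x00" * 16)
    return root


if __name__ == "__main__":
    result = triage(build_demo_tree())
    print(f"{len(result['encrypted'])} encrypted files; originals by type: {result['by_original_ext']}")
    print("ransom notes found in:", result["note_dirs"])
```

Run it against a local copy of the affected folder (`triage("D:/Dropbox")` in a Python shell) before re-enabling synchronization; the `by_original_ext` breakdown tells you which file types were hit, `note_dirs` shows how far the infection walked, and `first_seen` gives a timestamp to look for in Dropbox's event history when restoring prior versions.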

  • Administrators

However, I am still a bit disappointed since it is very unspecific and gives very poor information about versions of threat etc.

Could you please clarify this? I have no clue what you mean by that information about Filecoders is poor.


Only that ESET software is not very comprehensive with information about the threats that the AV solution finds.

There are many variants of viruses around and I suppose that AV software knows more than it then tells the user (exactly which variant it is, which files, which registry key is connected to it, etc.). In my case I got only info about Filecoder.TeslaCrypt ..., but not the version. And then I had to search around to find which version it could be, whether there is any chance to decrypt the files, what is smart to do immediately (shut down), etc. So, I would like to get more specific info. I am never sure if I am really safe and I try to check manually for files and other signs connected to different versions of threats. Some other AV tools simply do this better, if not directly then at least through the virus database on their web site. In this latest case I was relatively safe (regular backups) and the virus did not expand from my Dropbox (at the beginning you cannot be sure and you are wondering what to do first). And I am afraid that my friend lost everything on his PC because of that.

Regards

Samo Z.


  • Administrators

A description of Filecoder.TeslaCrypt can be found at hxxp://www.virusradar.com/en/Win32_Filecoder.TeslaCrypt.A/description.
ESET is actually effective against Filecoders and we respond to new variants within minutes, if not already blocked by other protection mechanisms (HIPS, AMS, Exploit Blocker, etc). You can drop me a pm with the output from ESET Log Collector attached so that I can check if you have ESET configured properly to provide maximum protection.


I've checked your virus description and it represents exactly what I meant with "not comprehensive enough". For example, on your site only one extension added to file names is specified: ".ecc". However, all files in my case have the added extension ".mp3". And on other sites I can see a bunch of other possible extensions. My immediate first doubt was "Am I safe enough? Did NOD really identify and without fail eliminate the correct threat? What should I do immediately?" I know that now, but when you first see such an alarm and you are aware of the danger of it, you must be a little paranoid if you have important files (at least for you) on your network.

Regards

Samo Z.


I have a problem with my Windows 8.1 laptop right now; my files are infected by the .mp3 file extension. I downloaded Spyhunter and removed the viruses, and after that I refreshed my laptop to the original, but I forgot that my other local disk drive is also infected with this .mp3. My question is if there is another way to remove the .mp3 from the files on my local disk drive, because all my files are in that drive. Can you help me with this one?


Our LAN was infected this week by the sole Win XP PC (other PCs are Win 7). xlsx and doc files converted to .MP3 extension. ReCoVeRY_xxxx html txt png files scattered around.

I am willing to pay an AV firm - ESET or other - to assist with decryption

Graham


  • 5 months later...

Our LAN was infected this week by the sole Win XP PC (other PCs are Win 7). xlsx and doc files converted to .MP3 extension. ReCoVeRY_xxxx html txt png files scattered around.

I am willing to pay an AV firm - ESET or other - to assist with decryption

Graham

hxxp://download.eset.com/special/ESETTeslaCryptDecryptor.exe

hxxp://support.eset.com/kb6051/


This topic is now closed to further replies.