Question

Files encrypted by TeslaCrypt 3.0 (.mp3 extension)

MOO4MOO asked on
Split from this thread.

Can anyone provide me with some guidelines on how to recover my encrypted files? All the files on the laptop are now converted to media files with .MP3 extensions.

67 people had this question

Answer

Your data got encrypted by a variant of version 3 of TeslaCrypt Ransomware.

At this point there is unfortunately no way to decrypt this variant. If anything is discovered it will be published at Bleeping Computer. Backup all the encrypted files and wait for a solution.

See the post of quietman7 here: http://www.bleepingcomputer.com/forums/t/599121/my-files-were-protected-by-a-strong-encryption-with-rsa-4096/#entry3936239

QUOTE

You are dealing with the newest variant of TeslaCrypt ransomware...TeslaCrypt 3.0 will have the .xxx, .ttt, .micro or .mp3 extension appended to the end of the filename as described in this news article. TeslaCrypt 3.0 will leave .html, .txt files (ransom notes) with names like recovery_file_[random].txt, recover_file_[random].txt, Howto_Restore_FILES.TXT, help_recover_instructions+[random].txt and _H_e_l_p_RECOVER_INSTRUCTIONS+[3-characters].txt.

Currently, there is no way of decrypting TeslaCrypt 3.0 .xxx, .ttt, .micro, or .mp3 variants since they use a different protection/key exchange algorithm, a different method of key storage and the key for them cannot be recovered. The .xxx, .ttt, micro and .mp3 variants do not have a SharedSecret*PrivateKey so they are not supported by the current version of TeslaViewer. If infected with any of these extensions, backup all your encrypted files and wait for solution.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance but as noted above there is no solution to fix your files yet. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion...this topic is closed.

UNQUOTE

22 people found this helpful

Answer

... all the files on the laptop now converted to media files with .MP3 extensions.

No, your files are not converted to media files; they are just encrypted. Please do not try to remove/delete the appended .MP3 extension so as to avoid further corruption which might risk your recovery probabilities by any possible (actual or future) means.

- What's your Operating System (OS)/Windows version?

- What's your anti-virus (AV)/real-time protection (RTP) program installed?

- Any detection (name of detected malware) logged (most likely 'after-the-fact' [data encryption], unfortunately) in History?

- Where (location) was this threat ('if' it was) detected? And what action was taken?

- Are there any 'ransom notes' files? => Search for file names like:

_H_e_l_p_RECOVER_INSTRUCTIONS+[3-random characters].html
_H_e_l_p_RECOVER_INSTRUCTIONS+[3-random characters].png
_H_e_l_p_RECOVER_INSTRUCTIONS+[3-random characters].txt

And/Or:

Recovery+[5-random characters].html
Recovery+[5-random characters].png
Recovery+[5-random characters].txt

These ransom notes (.txt files) may be located in every folder where files have been encrypted, and they only contain the information for the 'ransom payment' - action which is, of course, NOT recommended! You should also see an .html file with same or similar name and characteristics and containing same info.

Can you please post here a screenshot of your ransom note?

Any data files that have an .mp3 extension appended to their original file names and extensions are encrypted by the latest and most current version (3.0) of TeslaCrypt (AKA Tescrypt - Microsoft's detection) as better described in this BC's news article: New TeslaCrypt variant now uses the .MP3 Extension

TeslaCrypt 3.0 was first released on January 12, 2016. Their newer and latest variant that was released by the crooks on or around February 11, 2016 is currently using this .mp3 extension to add more confusion to victims.

See: TeslaCrypt V3.0 Released with Modified Algorithm and .XXX, .TTT, and .MICRO File Extensions AND New TeslaCrypt variant now uses the .MP3 Extension

Unlike data that was encrypted by prior versions (Tesla's V2.2 and below) which victims have been able to decrypt using BloodDolly's TeslaDecoder, unfortunately - at this time - there is no way of decrypting TeslaCrypt V3.0 (.xxx, .ttt, .micro and/or .mp3 extension-variants) since they use a different protection/key exchange algorithm, a different method of key storage, and the key for them cannot (yet) be recovered using the TeslaDecoder tool. These variants do not have a SharedSecret*PrivateKey so they are not supported by the current version of TeslaViewer included with the TeslaDecoder tool.

BloodDolly, the author of the TeslaDecoder tool, and other experts and volunteers at bleepingcomputer.com, are certainly working on this already to find a solution.

If infected by the new TeslaCrypt v3.0, victims should backup all their encrypted files and wait for a future solution.

Restoring from backups is your only choice at this point, unless you get lucky with recovery software such as Recuva, ShadowExplorer, or PhotoRec - always at least worth a try. If these methods fail, it is recommended to backup the encrypted files and save them on an external media in hopes of a solution in the future. Currently, there is no way of really marking how possible it is or how long it may take, but the 'good guys at BC' are certainly trying hard.

Since all of the public keys and other encryption-related info are stored in the header of every encrypted file (Tesla leaves nothing else of use behind), once you have the encrypted files backed up by whatever means, you are free to reload the OS if you wish. If there are any break-throughs, the backup of the encrypted files is all that is necessary for decryption when/if the expected free solution is released.

In the meantime, you may wish to register/subscribe to this BC's TeslaCrypt 3.0 (.XXX, .TTT, .MICRO, .MP3 Extension-Variants) Support Topic, where you can ask questions or just to read and learn more about specific scenarios and current state of things. If there are any break-throughs, be assured the info will be posted there and/or a new news article be published.

Please also note that, usually, the main executables responsible for the encryption should have been deleted after the encryption completed. When TeslaCrypt is done encrypting files on a system, it deletes itself and leaves only the ransom notes behind (and may make them open on system startup). Any remnants 'should' have been cleaned off by your resident AV program or other removal tools of your preference.

Wish we had better news for you, but please keep us posted on any update to this thread. Your feedback is important to our Community.

Good Luck!

=====

-Tip: Please AVOID searching the Web for malware removal and decrypting tools for this (or any other) crypto-malware infection. You will only find 'scammers' and 'untrustworthy sites' offering 'fake or dubious' tools that will only grant you an additional headache (or worse).

Please see: Affiliate Spam is not only Annoying but can offer Costly Advice

=========================================================

You can also help spread the word so that others may contribute to:
Help BleepingComputer Defend Freedom of Speech!

=========================================================

Lenovo ThinkCentre A55-8705/Windows XP Home Edition SP3/.NET3.5SP1/IE8/MSEv4.4.
18 people found this helpful
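The two answers above give the same practical advice: do not rename or strip the appended extension, locate the ransom notes, and back up every encrypted file as-is for a possible future decryptor. The script below is an added example written for this page, not code from the thread, from Microsoft Answers or from BleepingComputer. It walks a directory read-only, flags files carrying the .xxx/.ttt/.micro/.mp3 extensions the thread attributes to TeslaCrypt 3.0, matches the ransom-note names quoted above, and copies the flagged files to a backup location with a SHA-256 manifest. The regular expressions and the sample file names in demo() are my own construction; the thread only gives the note names and the random-character lengths.

```python
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path

# Extensions the thread attributes to TeslaCrypt 3.0 variants.
TESLACRYPT3_EXTS = {".xxx", ".ttt", ".micro", ".mp3"}

# Ransom-note names listed in the thread; the regexes themselves are my construction
# ([random] is matched loosely where the thread does not give its length).
RANSOM_NOTE_PATTERNS = [
    re.compile(r"^_H_e_l_p_RECOVER_INSTRUCTIONS\+.{3}\.(html|png|txt)$", re.I),
    re.compile(r"^Recovery\+.{5}\.(html|png|txt)$", re.I),
    re.compile(r"^recover(y)?_file_.+\.txt$", re.I),
    re.compile(r"^Howto_Restore_FILES\.txt$", re.I),
    re.compile(r"^help_recover_instructions\+.+\.txt$", re.I),
]


def is_ransom_note(name: str) -> bool:
    return any(p.match(name) for p in RANSOM_NOTE_PATTERNS)


def looks_encrypted(name: str) -> bool:
    """True for names carrying a TeslaCrypt 3.0 extension.

    The extension is appended after the original one (report.docx.mp3), so for
    .mp3, which is also a legitimate media format, a preceding extension is
    required; .xxx/.ttt/.micro are not real formats and are flagged outright.
    """
    p = Path(name)
    ext = p.suffix.lower()
    if ext not in TESLACRYPT3_EXTS:
        return False
    if ext == ".mp3":
        return Path(p.stem).suffix != ""
    return True


def inventory(root):
    """Walk root and classify files by name only; nothing is opened or modified."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = Path(dirpath) / f
            if is_ransom_note(f):
                notes.append(full)
            elif looks_encrypted(f):
                encrypted.append(full)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def backup_encrypted(root, dest, paths):
    """Copy encrypted files to dest, keeping their relative layout, plus a SHA-256 manifest.

    copy2 preserves timestamps; the source is never renamed or rewritten, matching
    the thread's advice not to strip the appended extension.
    """
    root, dest = Path(root), Path(dest)
    manifest = {}
    for src in paths:
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        digest = hashlib.sha256(target.read_bytes()).hexdigest()
        if digest != hashlib.sha256(src.read_bytes()).hexdigest():
            raise IOError(f"copy of {src} does not match source")
        manifest[str(rel)] = digest
    (dest / "MANIFEST.sha256").write_text(
        "\n".join(f"{d}  {p}" for p, d in manifest.items()) + "\n")
    return manifest


def demo():
    """Build a constructed sample tree in a temp dir, inventory it and back it up."""
    base = Path(tempfile.mkdtemp())
    victim, backup = base / "victim", base / "backup"
    sample = {  # constructed names and contents, not real infection artefacts
        "Documents/report.docx.mp3": b"encrypted-1",
        "Documents/_H_e_l_p_RECOVER_INSTRUCTIONS+abc.txt": b"ransom note",
        "Pictures/holiday.jpg.micro": b"encrypted-2",
        "Pictures/Recovery+k7q2z.html": b"ransom note",
        "Music/song.mp3": b"a real mp3, not encrypted",
        "Desktop/notes.txt": b"untouched",
    }
    for rel, data in sample.items():
        p = victim / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    inv = inventory(victim)
    manifest = backup_encrypted(victim, backup, inv["encrypted"])
    shutil.rmtree(base)
    return {"encrypted": len(inv["encrypted"]),
            "notes": len(inv["notes"]),
            "backed_up": len(manifest)}


if __name__ == "__main__":
    print(demo())
```

Point inventory() at the user profile (or the whole volume) and backup_encrypted() at external media; the manifest lets you confirm later that the copies are byte-identical to what the ransomware left behind, which is what any future decryptor would need. The .mp3 rule deliberately ignores plain song.mp3 files, so a genuine music collection is not swept into the backup.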
