[TESLACRYPT 3.0] HOW TO RECOVER LOST CRYPTED FILES

Rombo di Tuono
Site Admin
Posts: 7068
Joined: 04 Jul 2007, 18:07
Location: Second star to the RIGHT...

Post by Rombo di Tuono »

As of today, Teslacrypt 3.0 is ransomware (it "steals" something and asks for a ransom) that arrives by email from a sender known to you, with a message whose subject is a simple date (or contains a date) and an attachment whose extension is .zip or .js; the zip file contains a .js (JavaScript) file.

If you click the attachment without scanning it with an antivirus first (which is ALWAYS totally wrong), the code downloads the virus, which then encrypts the files with the RSA-4096 algorithm and drops a file in every folder; this file's name begins with help_recover ... and it contains the instructions to pay the ransom.

Your documents, images, videos and music files now have the extension .xxx, .ttt or .micro.

Cleaning the PC is not a problem: start Windows in safe mode and run the antivirus.
Or search the internet to find where the files are stored; in safe mode you can clean them all in a few minutes.

The real problem is that there are currently no known methods to decrypt your files, and it seems that the virus also erases the shadow copies, so that shadowrecover doesn't work.

Nor, personally, did I have better luck with Testdisk, Recuva or PhotoRec.

The only method that gave me some results is described below.

--------------------------------------------------------------------------------------------------------------------------------------------------

Follow these steps:

1) Immediately turn off the affected PC: the procedure relies on the recovery of deleted files.
2) Obtain an 8GB USB flash drive (4GB is enough), a second PC with an internet connection, and a disk or other external media onto which to copy the recovered files.
3) USING THE SECOND PC: download these tools:
4) Install Lili (Linux USB creator) and use it to create a bootable USB stick with Kali Linux, following Lili's instructions.
5) Insert the Kali USB stick you have just created into the infected PC, turn it on and press the F8 key every second (necessary for the boot menu to appear).
6) Select booting from the flash drive.
7) From the Kali start menu, the first option should be fine; once it has started, also connect the external disk or other media for the recovery of the files.
8) Suppose you now have the Kali desktop in front of you: open a terminal (icon in the upper left) and type fdisk -l, a command that lists the disks, helping you to identify the one from which to make your recovery and the external one onto which you'll copy the retrieved files.
----8.1) If your disk is not mounted, open the file manager, identify your disk in the left panel, right-click it, and choose MOUNT.
9) Let's assume that your disk is /dev/sdc1 and the external one is /media/sdd1: open a terminal and type the foremost command, whose syntax is:
# foremost [-h | -V] [-qv] [-t type1,type2,...] [-s num] [-i file] [-o dir] [-c file] [-n] [device] ...
-h Prints the help message and exits
-V Prints copyright information and exits
-v Verbose mode
-q Quick mode: searches for headers only at the beginning of each sector
-i Reads the files to be analyzed from the folder passed as a parameter
-o Sets the directory where the recovered files are saved
-c Sets the configuration file to use
-s Skips the number of bytes specified before starting the search
-n Extracts files without adding the extension
-t Lists the file extensions to be retrieved

A first example of use can therefore be:

Code: Select all

foremost -v -t jpeg,jpg,doc,pdf,xls -o /media/sdd1/folderwheretosave /dev/sdc1
foremost can work with unmounted devices, which is the reason for using /dev/sdc1 at the end as the target disk from which to recover files.

Enjoy!

Should you have any questions, log in to the forum and post them.
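As an added example (not code from the original post), a small POSIX shell wrapper around the foremost step in 9): before carving it checks that the output directory is not on the disk being carved, since writing recovered files back onto the source can overwrite the very deleted data the recovery depends on. The function names (recover_carved, backing_device, device_mountpoint) and the DRY_RUN variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example: wrapper for the foremost carving step. Assumed names:
# recover_carved, backing_device, device_mountpoint, DRY_RUN.

# Print the block device backing a directory (empty if df cannot tell).
backing_device() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $1 }'
}

# Print the mount point of a block device, or nothing if it is not mounted.
device_mountpoint() {
    awk -v dev="$1" '$1 == dev { print $2; exit }' /proc/mounts 2>/dev/null
}

# Build the foremost command line: source device, output dir, type list.
foremost_cmdline() {
    printf 'foremost -v -t %s -o %s %s' "$3" "$2" "$1"
}

# recover_carved SOURCE_DEVICE OUTPUT_DIR [TYPES]
# Returns 1 (printing nothing on stdout) if OUTPUT_DIR lives on SOURCE_DEVICE;
# otherwise prints the command and runs it (set DRY_RUN=1 to only print it).
recover_carved() {
    src=$1; out=$2; types=${3:-jpg,pdf,doc,zip}
    mkdir -p "$out" || return 1
    if [ "$(backing_device "$out")" = "$src" ]; then
        echo "refusing: $out is on $src, save to an external disk instead" >&2
        return 1
    fi
    mp=$(device_mountpoint "$src")
    [ -n "$mp" ] && echo "note: $src is mounted at $mp; do not write to it" >&2
    foremost_cmdline "$src" "$out" "$types"
    echo
    [ -n "${DRY_RUN:-}" ] && return 0
    foremost -v -t "$types" -o "$out" "$src"
}
```

Run it as `DRY_RUN=1 sh recover.sh` style usage first to see the exact command, then without DRY_RUN to carve.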
Re: [TESLACRYPT 3.0] HOW TO RECOVER LOST CRYPTED FILES

Post by Rombo di Tuono »

Now there is a decryptor by ESET, HERE (click)