
.ecc Old Version

Open xxmdstudxx opened this issue 9 years ago • 15 comments

Hello, I have an issue getting teslacrack to work with the old .ecc version (encryption happened in February of 2015). It just errors out with "worddoc.doc.ecc doesn't appear to be TeslaCrypted". I have attached two files: one was a Word document, the other was a JPEG. Any help would be appreciated, thanks! samplefiles.zip

xxmdstudxx avatar Jan 23 '16 19:01 xxmdstudxx

Do you have a key.dat file in %APPDATA%? It might be best to use TeslaDecoder with the first variant, as the key is not paired with the files, and has to be extracted from that file. We can also use factorization if you have a RECOVERY_FILES.TXT file in your My Documents.

Demonslay335 avatar Jan 23 '16 19:01 Demonslay335

Unfortunately no, I don't have any files from the app data folder. This ran on an XP machine and didn't finish running, so I never got the recovery_files.txt file. Somebody other than myself decided it was a good idea to only back up the encrypted files and the registry (which I looked through and didn't find anything in). Then they wiped the hard drive (secure erased) and reinstalled. The only things remaining are the encrypted files and a .reg of the registry. :-(

xxmdstudxx avatar Jan 23 '16 20:01 xxmdstudxx

Any chance that the registry has the following key? [HKCU\Software\Microsoft\Windows\CurrentVersion\SET]

I'm not sure if it only puts the text file after the encryption, I thought it did as soon as it started since it stores the (encrypted) key there.

Demonslay335 avatar Jan 23 '16 21:01 Demonslay335

Nope, there isn't any CurrentVersion\SET key anywhere. Thanks for the ideas, I really appreciate it.

xxmdstudxx avatar Jan 23 '16 21:01 xxmdstudxx

:/ AFAIK, you might be SOL mate. May have to check with Googulator and BloodDolly if they have any ideas, but going off their compiled notes, the first three releases of the ransomware store nothing of use in the files themselves; everything is in the key.dat file and/or registry key. Unless you happened to have a network packet intercepted from when the ransomware reached out to the C&C server.

Demonslay335 avatar Jan 23 '16 21:01 Demonslay335

Excuse me, my name is Willy. I want to ask about my computer's infection with the .CCC ransomware: I booted my computer in safe mode and ran virus scans with Malwarebytes and SpyHunter, and after that my computer returned to normal, so why were some of my files lost?


willyset avatar Jan 24 '16 07:01 willyset

By partially lost, do you mean you managed to decrypt some of your files using TeslaCrack, but not all?

In that case, you probably have multiple keys. TeslaCrack will warn you about this fact, and print any further keys you may need to crack. Try the Bitcoin key first (as it will unlock all of your TeslaCrypt-damaged files if successful), and move on to the AES key if the Bitcoin key is hard.

Googulator avatar Jan 29 '16 22:01 Googulator

Most of my files are decrypted; I am looking for ways to recover the lost files that are missing (photographic memories, etc.).


willyset avatar Jan 30 '16 09:01 willyset

c:\TeslaCrack-master>python teslacrack.py -v DSCF0645.jpg.ecc
2016-05-19 21:28:04,226:DEB: Options: Namespace(delete=False, delete_old=False, dry_run=False, fix=False, fpaths=['DSCF0645.jpg.ecc'], overwrite=False, progress=False, verbose=True)
2016-05-19 21:28:04,226:INF: File u'\?\c:\TeslaCrack-master\DSCF0645.jpg.ecc' doesn't appear to be TeslaCrypted.
2016-05-19 21:28:04,242:INF: +++Dir 0 scanned: 0 noAccessDirs: 0 teslaExt: 1 badheader: 1 crypted: 0 decrypted: 0 skipped: 0 unknown: 0 failed: 0
   overwritten:      0
   badExisting:      0
       deleted:      0

I am getting this error.

jangshant avatar May 19 '16 16:05 jangshant

@jangshant TeslaCrack does not work on the older versions I'm afraid. You'll need to download TeslaDecoder by BloodDolly and refer to the instructions there. The .ecc variant does not store the numbers needed to factorize in the encrypted file itself. You will need to search for %APPDATA%\key.dat, %APPDATA%\storage.bin, or a file in My Documents by the name of something like "recovery_file.txt" or "recovery_key.txt". It will be a file with three lines of random hexadecimal. You will need to factor the third line using Yafu/msieve, then use the second line as the Public Key to regenerate a private key using BloodDolly's TeslaRefactor.

If you locate the file, you may provide us with the contents and we can help generate a key for you.

Demonslay335 avatar May 19 '16 16:05 Demonslay335
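One way to carry out the "regenerate a private key" step described above, as an added example that is not TeslaCrack's, TeslaRefactor's or the commenter's own code: given the prime factors of the recovery file's third line (the product that conceals the private key) and the public key from the second line parsed into an (x, y) point, try every sub-product of the factors against the secp256k1 generator until one reproduces the public key. It assumes the product and public key relate in exactly that way, as the comment states; the factor list and key below are constructed, not victim data.

```python
from itertools import product as exponent_grid

# secp256k1 domain parameters: the curve TeslaCrypt used for its ECDH key exchange.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point=G):
    """Double-and-add scalar multiplication: returns k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def recover_private_key(factors, pubkey):
    """factors: (prime, exponent) pairs from factoring the recovery file's third line.
    Returns the sub-product whose public point equals pubkey (line two as (x, y)), else None."""
    ranges = [range(e + 1) for _, e in factors]
    for exps in exponent_grid(*ranges):
        candidate = 1
        for (prime, _), e in zip(factors, exps):
            candidate *= prime ** e
        if 1 <= candidate < N_ORDER and ec_mul(candidate) == pubkey:
            return candidate
    return None

# Constructed sample, not victim data: the private key 3*7*101 is hidden among the
# factors of a larger product, the way the real product would conceal it.
SAMPLE_FACTORS = [(2, 1), (3, 1), (5, 1), (7, 1), (11, 1), (13, 1), (101, 1), (10007, 1)]
SAMPLE_PRIVATE_KEY = 3 * 7 * 101
SAMPLE_PUBKEY = ec_mul(SAMPLE_PRIVATE_KEY)
```

With a real factorization of a 154-digit product the candidate count is 2 to the power of the number of distinct prime factors, so the hard part is the factoring itself, not this search.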

The thing is, I only have the encrypted files with me now; this was someone else's computer. They formatted Windows and all.

jangshant avatar May 19 '16 17:05 jangshant

Did they do a full backup of the My Documents folder? The recovery file should be in there. It's your only chance I'm afraid.

Demonslay335 avatar May 19 '16 17:05 Demonslay335

@Demonslay335 Dang, I get that this is super ancient, but I was given an old computer from my aunt and told that it is just really slow, wondering if I could fix it. Booted it up to find out she had the TeslaCrypt ransomware virus and all of her files were changed to the .ecc format.

Found the key.dat file and the recovery key text, but yes, the private key was wiped. I am messaging here because I want to know more about "You will need to factor the third line using Yafu/msieve, then use the second line as the Public Key to regenerate a private key using BloodDolly's TeslaRefactor."

Would this actually work? The factorization could take a really long time. The original 154-digit number thankfully has been factorized a bit already, into about 8 numbers, but the 8th number is a 118-digit number that seems to be taking me a long time to factorize.

Again, sorry that I'm reviving an old thread. Much thanks to anyone who helps.

HamNCheeseBorger avatar Apr 18 '23 15:04 HamNCheeseBorger

@HamNCheeseBorger Sorry for the late reply, I didn't get a notification for this.

If you can link me to the original 154-digit number you need factored, or just the key.dat itself, I can factor it for you. A P118 would probably only take an hour or two on my rig nowadays.

Demonslay335 avatar Jun 29 '23 00:06 Demonslay335

@Demonslay335 All good. I got it factorized about a month ago following some random Japanese site on how to properly set up the factorization. I was able to decrypt the files on my relative's computer, but unfortunately the files were corrupted. I assume that is because of a mix of both the virus scrambling the data around and the fact that they left the computer off for almost 10 years in their closet.

Thanks for the response though! :)

HamNCheeseBorger avatar Jul 01 '23 17:07 HamNCheeseBorger