15/3/2016

Remove TeslaCrypt 3.0 Ransomware and Restore .xxx and .ttt Files

Author: Vencislav Krstev

January 15, 2016

Tags: bitcoin, file encryption, malware, ransomware, trojan

Category: Ransomware

Users have reported that their files have been encrypted and renamed with the .xxx and .ttt file extensions. The main
culprit is called TeslaCrypt, and it has quite a reputation among ransomware viruses. The third
variant of TeslaCrypt claims to use an encryption algorithm that is nearly impossible to break. Furthermore, the
ransom messages it drops resemble those of another famous ransomware virus, and many believe the two
threats are created by the same hacking team. Affected users should not pay any
ransom, but remove the threat and try to decrypt their files or restore them from backup; instructions
for this are provided after the article.

Name: TeslaCrypt 3.0

Type: Ransomware

Short description: The ransomware Trojan encrypts user files and connects to a remote host to which it sends the decryption keys. Its aim is to extort money from users in return for decrypting the infected files.

Symptoms: The user may see their files encrypted and renamed with the .xxx and .ttt file extensions.

Distribution method: Via malicious links or attachments online.

Detection tool: Download Malware Removal Tool to see if your system has been affected by TeslaCrypt 3.0

User experience: Join our forum to discuss TeslaCrypt 3.0.

TeslaCrypt 3.0 Ransomware: How Did I Get It?

Such ransomware is spread via Trojans that may have previously infected the user's PC. This is very effective, since
the Trojans may obtain system information about the version of the OS as well as the security software on the
machine. One of the Trojans used to download TeslaCrypt is reported to be the Miuref.B Trojan.
http://sensorstechforum.com/es/remove-teslacrypt-3-0-ransomware-and-restore-xxx-and-ttt-files/


Another method the ransomware may use is links shared in spam messages and malicious email attachments.
Such emails may impersonate a reputable service, such as a "Windows 10 Free Upgrade" offer. Users should
be careful about what they open online and always keep a backup so they can revert any damage caused by a TeslaCrypt 3.0
infection.

TeslaCrypt 3.0 - How It Works


Once the file carrying the malicious payload has been opened on the victim's computer, the virus may create
a randomly named .exe file in the following directory, for example:

C:\Users\[username]\AppData\Roaming\12d120h21d.exe

After creating this file, the ransomware may create the following entries in the Windows Registry
so that it starts when Windows boots:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\meryHmas with settings for C:\Users\[username]\AppData\Roaming\{randomfilename}.exe
HKCU\Software\{randomfilename}
HKCU\Software\xxxsys

After this, the ransomware may scan for and encrypt files with the following file extensions:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12,
.qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qin, .bkf, .sidn, .kidd, .mddata, .itl, .itdb, .icxs, .hvpl,
.hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .omm, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis,
.sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .lsc, .tor, .psk,
.rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0,
.dba, .rofl, .hkx, .bar, .ufc, .das, .gente, .litemod, .baza, .forge, .ltx, .bsa, .apk, .re4, .semana, .lbf, .slm,
.bik, .epk, .rgss3a, .entonces, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png,
.jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cielo, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf,
.orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr,
.indd, .a, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .cis, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .ep,
.odm, .responder, .prrafo, .odt

After encrypting the user's files, the ransomware appends the .xxx or .ttt extension to their names. Its next step
may be to create the following files on the user's desktop:

C:\Users\[username]\Desktop\Howto_Restore_FILES.BMP
C:\Users\[username]\Desktop\Howto_Restore_FILES.HTM
C:\Users\[username]\Desktop\Howto_Restore_FILES.TXT

These files all contain the following ransom instructions:

What happened to your files?

All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
How did this happen?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the
Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is
on our secret server.
What do I do?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or
start obtaining BTC NOW, and restore your data the easy way.

If you have really valuable data, you better not waste your time, because there is no other way to get your
files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses
pointing to your page below:
[...] IMPORTANT INFORMATION:
Your personal pages:
HTTP://[SYMBOLS](.)justmakeapayment.com/[...] HTTP://[SYMBOLS](.)brsoftpayment.com/[...]
HTTP://[SYMBOLS].com/[...] https://[SYMBOLS].onion.to/[...] Your personal page (using TOR-Browser):
Your personal identification ID (if you open the site (or TOR-Browser's) directly): [...]

After this, the user may see their files displayed without a file icon, and opening one may produce a message
similar to:

This file is corrupt.

Finally, the ransom message includes instructions on how to use the Tor network to contact the
cybercriminals anonymously and negotiate the ransom payment for file decryption. Experts advise affected
users NOT to pay any ransom, because this funds the cybercrime organization's further development of the threat and
may not bring the files back.
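The indicators described in this section (files renamed with .xxx/.ttt, the Howto_Restore_FILES.* notes on the desktop, a Run value pointing at a randomly named .exe in %AppData%\Roaming, and the HKCU\Software\xxxsys key) can be turned into a quick host-triage check. The Python below is an added example, not code from the article or from SensorsTechForum. The directory listing, Run values and registry key names it scans are constructed sample data so it runs offline on any OS; the threshold of three renamed files for "mass encryption" is an assumption of this example, as is the use of the "meryHmas" value name and the 12d120h21d.exe file name from the article as sample data. The original_name() helper only recovers the pre-encryption file name from the appended extension; it does not decrypt anything.

```python
"""Added triage example (not from the original article or SensorsTechForum).
Checks the TeslaCrypt 3.0 indicators against sample host data constructed
inline.  On a real Windows host you would feed it a recursive directory
listing, the values under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,
and the list of subkeys under HKCU\\Software."""
from __future__ import annotations

import ntpath
import re
from collections import Counter
from dataclasses import dataclass, field

# Indicators taken from the article.
ENCRYPTED_EXTENSIONS = {".xxx", ".ttt"}
RANSOM_NOTE_RE = re.compile(r"^howto_restore_files\.(bmp|htm|txt)$", re.IGNORECASE)
# Dropper location: a randomly named .exe directly under %AppData%\Roaming,
# optionally quoted and followed by command-line arguments.
ROAMING_EXE_RE = re.compile(
    r'^"?[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe"?(\s.*)?$', re.IGNORECASE)
SUSPICIOUS_REG_KEYS = {r"hkcu\software\xxxsys"}
# Assumption of this example (not from the article): three or more renamed
# files are treated as mass encryption rather than a stray file.
MASS_ENCRYPTION_THRESHOLD = 3


def original_name(path: str) -> str | None:
    """Return the pre-encryption path if PATH carries an appended TeslaCrypt
    extension, else None.  TeslaCrypt 3.0 appends .xxx/.ttt to the complete
    original name, so dropping the last extension recovers the name only;
    the contents stay encrypted."""
    stem, ext = ntpath.splitext(path)
    return stem if ext.lower() in ENCRYPTED_EXTENSIONS else None


@dataclass
class TriageReport:
    encrypted_files: Counter = field(default_factory=Counter)  # extension -> count
    ransom_notes: list[str] = field(default_factory=list)
    run_entries: list[tuple[str, str]] = field(default_factory=list)
    registry_keys: list[str] = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return bool(self.ransom_notes or self.run_entries or self.registry_keys
                    or sum(self.encrypted_files.values()) >= MASS_ENCRYPTION_THRESHOLD)


def triage(file_paths, run_values, registry_keys) -> TriageReport:
    """Match each indicator against a file listing, Run values and key names."""
    report = TriageReport()
    for path in file_paths:
        if RANSOM_NOTE_RE.match(ntpath.basename(path)):
            report.ransom_notes.append(path)
        elif original_name(path) is not None:
            report.encrypted_files[ntpath.splitext(path)[1].lower()] += 1
    for value_name, data in run_values.items():
        if ROAMING_EXE_RE.match(data.strip()):
            report.run_entries.append((value_name, data))
    for key in registry_keys:
        if key.lower() in SUSPICIOUS_REG_KEYS:
            report.registry_keys.append(key)
    return report


# Constructed sample data standing in for a directory walk and a registry export.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.xxx",
    r"C:\Users\alice\Documents\thesis.docx.xxx",
    r"C:\Users\alice\Pictures\IMG_0001.jpg.ttt",
    r"C:\Users\alice\Desktop\Howto_Restore_FILES.TXT",
    r"C:\Users\alice\Desktop\Howto_Restore_FILES.HTM",
    r"C:\Users\alice\Desktop\Howto_Restore_FILES.BMP",
    r"C:\Users\alice\Desktop\notes.txt",
]
SAMPLE_RUN_VALUES = {
    "meryHmas": r"C:\Users\alice\AppData\Roaming\12d120h21d.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_REG_KEYS = [r"HKCU\Software\xxxsys", r"HKCU\Software\Microsoft"]

if __name__ == "__main__":
    rep = triage(SAMPLE_FILES, SAMPLE_RUN_VALUES, SAMPLE_REG_KEYS)
    print("infected:", rep.infected)
    print("renamed files by extension:", dict(rep.encrypted_files))
    print("ransom notes:", rep.ransom_notes)
    print("suspicious Run values:", rep.run_entries)
    print("suspicious registry keys:", rep.registry_keys)
    for p in SAMPLE_FILES:
        if (orig := original_name(p)) is not None:
            print(f"{ntpath.basename(p)} -> {ntpath.basename(orig)}")
```

Because .xxx also appears in the list of extensions TeslaCrypt targets, a single .xxx file is not treated as evidence on its own; the Run value and the xxxsys key are the stronger signals, and the ransom notes confirm the infection.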

Remove TeslaCrypt 3.0 Completely and Clean Your Registry

In order to fully remove TeslaCrypt, it is important to isolate the threat first. This can be done by disconnecting your internet
connection. Then it is advisable to install an anti-malware tool to scan your computer and remove the malicious
modules of the virus.

1. Boot the PC into Safe Mode to isolate and remove TeslaCrypt 3.0

2. Remove TeslaCrypt 3.0 with the SpyHunter Anti-Malware tool

3. Back up your data to secure it against infections and file encryption by TeslaCrypt 3.0
in the future

Optional: Using Alternative Anti-Malware Tools

After removing the malicious objects, there may still be some modified registry entries. To reset your registry
permissions for free, you may want to check the instructions below.
How To Reset Registry Permissions In Windows and Fix Errors


Restoring Files Encrypted With .xxx and .ttt Extensions

Security engineers strongly advise users NOT to pay the ransom and to attempt restoring the files using other
methods. Here are several suggestions:
To restore your data, your first option is to check again for shadow copies in Windows using this software:
Shadow Explorer
If this method does not work, Kaspersky has provided decryptors for files encrypted with RSA and
other encryption algorithms:
Kaspersky RectorDecryptor for RSA
Other Kaspersky Decryptors
Another method of restoring your files is to try to bring them back with data recovery software. Here
are some examples of data recovery programs:
Stellar Phoenix Data Recovery Technician's License (Pro version with more features)
Data Recovery Pro by ParetoLogic
Stellar Phoenix Windows Data Recovery
Stellar Phoenix Photo Recovery
For further information you may check the following articles:
Remove RSA-2048 Key From Crypto Ransomware
Restore Files Encrypted by RSA Encryption
You may also want to follow the discussions in our forum and ask for help, or share your experience:
Files Encrypted With Random File Extensions
Restore .vvv Files Encrypted by TeslaCrypt Ransomware
Restore Files Encrypted With .xxx .ttt and .micro File Extensions

NOTE! Important notice about the TeslaCrypt 3.0 threat: Manual removal
of TeslaCrypt 3.0 requires interfering with system files and registry entries. Therefore,
it can cause damage to your PC. Even if your computer skills are not
at a professional level, don't worry. You can do the removal yourself in 5
minutes, using a malware removal tool.

Vencislav Krstev
A network administrator and malware researcher at SensorsTechForum with a passion for
discovering new shifts and innovations in cyber security. Strong believer in basic education of
every user towards online safety.

