Remove TeslaCrypt 3.0 Ransomware and Restore .xxx and .ttt Files
Ransomware
Users have reported that their files have been encrypted and given the .xxx and .ttt file extensions. The main
culprit is TeslaCrypt, which has quite a reputation among ransomware viruses. The third variant of
TeslaCrypt claims to use an encryption algorithm that is near impossible to break. Besides, the ransom
messages it drops resemble those of another famous ransomware virus, and many believe the two threats
are created by the same hacking team. Affected users should not pay any ransom; instead, they should
remove the threat and try to decrypt their files or restore them from backup, following the instructions
provided after the article.
Name: TeslaCrypt 3.0
Type: Ransomware
Short description: The ransomware Trojan may encrypt user files and connect to a remote host to which it
sends the decryption keys. Its aim is to extort money from users in return for the decryption of the
infected files.
Symptoms: The user may witness his files being encrypted and given the .xxx and .ttt file extensions.
Distribution method:
Detection tool:
User experience:
15/3/2016
Another method the ransomware may use is links shared in spam messages and malicious email attachments.
Such emails may impersonate a reputable service, for example a "Windows 10 Free Upgrade" notice. Users should
be careful about what they open online and always keep a backup so that any damage caused by a TeslaCrypt 3.0
infection can be reverted.
C:\Users\User(name)\AppData\Roaming\12d120h21d.exe
After creating this file, the ransomware may create the following entries in the Windows Registry so that it
starts when Windows boots up:
user]\AppData\Roaming\{randomfilename}.exe
HKCU\Software\{randomfilename}
HKCU\Software\xxxsys
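The three persistence artifacts above (a randomly named executable under %AppData%\Roaming, a Run entry that launches it, and the HKCU\Software keys) can be checked on a suspect machine without touching anything. The script below is an added example written for this page; it is not code from the original article or from SensorsTechForum. It assumes the Run key is the usual HKCU\Software\Microsoft\Windows\CurrentVersion\Run (the article does not name the exact autostart location) and that the per-sample key is named after the dropped executable, as the article's {randomfilename} placeholder suggests.

```powershell
# Added example, not code from the original article or from SensorsTechForum.
# Read-only hunt for the TeslaCrypt 3.0 persistence artifacts the article lists:
#   - an executable with a random name dropped in %AppData%\Roaming
#   - a Run value that launches it at logon
#   - a key HKCU\Software\<random file name> and the marker key HKCU\Software\xxxsys
# Run in the context of the affected user. Nothing here deletes or changes anything.

# Assumption: the autostart entry lives in the standard per-user Run key.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$roaming  = [Environment]::GetFolderPath('ApplicationData')   # resolves to %AppData%\Roaming
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Artifact, [string]$Name, [string]$Value) {
    $findings.Add([pscustomobject]@{ Artifact = $Artifact; Name = $Name; Value = $Value })
}

# 1. Executables sitting directly in the Roaming folder. The dropped file has a
#    random name (12d120h21d.exe in the article), so match on location, not on name.
$roamingExes = @(Get-ChildItem -Path $roaming -Filter '*.exe' -File -ErrorAction SilentlyContinue)
foreach ($exe in $roamingExes) {
    Add-Finding 'Roaming exe' $exe.Name $exe.FullName
    # Assumption: the HKCU\Software\{randomfilename} key carries the executable's base name.
    $perExeKey = Join-Path 'HKCU:\Software' $exe.BaseName
    if (Test-Path $perExeKey) { Add-Finding 'Registry key' $exe.BaseName $perExeKey }
}

# 2. Run values whose command line points into the Roaming folder.
if (Test-Path $runKey) {
    $run     = Get-ItemProperty -Path $runKey
    $pattern = '*' + [System.Management.Automation.WildcardPattern]::Escape($roaming) + '*'
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # provider metadata, not autostart entries
        $cmd = [string]$prop.Value
        if ($cmd -like $pattern) { Add-Finding 'Run value' $prop.Name $cmd }
    }
}

# 3. The fixed marker key named in the article.
$marker = 'HKCU:\Software\xxxsys'
if (Test-Path $marker) { Add-Finding 'Registry key' 'xxxsys' $marker }

if ($findings.Count -eq 0) {
    'No TeslaCrypt 3.0 persistence artifacts found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

A Run value pointing into Roaming is a lead, not proof: some legitimate per-user software installs there too. Treat a hit as confirmed only when the executable's creation time lines up with the first appearance of .xxx/.ttt files, or when the xxxsys key is present alongside it.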
After this, the ransomware may scan for and encrypt files with the following file extensions:
.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12,
.qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl,
.hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis,
.sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .lsc, .tor, .psk,
.rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0,
.dba, .rofl, .hkx, .bar, .ufc, .das, .iwi, .litemod, .baza, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm,
.bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png,
.jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf,
.orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr,
.indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .cis, .pptm,
.pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt
After encrypting the user's files, their extension may be changed to .xxx or .ttt. The next step for the
ransomware may be to create the following files on the user's desktop:
C:\Users\User\Desktop\Howto_Restore_FILES.BMP
C:\Users\User\Desktop\Howto_Restore_FILES.HTM
C:\Users\User\Desktop\Howto_Restore_FILES.TXT
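Before any cleanup, it is worth scoping the damage from the two on-disk traces just described: the renamed files and the Howto_Restore_FILES.* notes. The script below is an added example for this page, not code from the original article or from SensorsTechForum. It assumes the ransomware appends the new extension to the full original name (report.docx becomes report.docx.xxx), which the article does not state explicitly; the -Root and -Report parameters and the CSV file name are choices made for this example.

```powershell
# Added example, not code from the original article or from SensorsTechForum.
# Scopes a TeslaCrypt 3.0 infection on one profile: counts files carrying the
# .xxx / .ttt extensions, finds the Howto_Restore_FILES.* notes, reports the
# encryption window from write times and writes an inventory CSV for the case
# file. Read-only; the originals are never modified.
# Assumption (not stated in the article): the new extension is appended to the
# full original name, e.g. report.docx becomes report.docx.xxx, so the original
# file type can be read back from the name.
param(
    [string]$Root   = $env:USERPROFILE,
    [string]$Report = (Join-Path $env:TEMP 'teslacrypt-triage.csv')
)

$encExt = @('.xxx', '.ttt')

$all       = @(Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue)
$encrypted = @($all | Where-Object { $encExt -contains $_.Extension.ToLower() })
$notes     = @($all | Where-Object { $_.BaseName -eq 'Howto_Restore_FILES' })

if ($encrypted.Count -eq 0) {
    "No .xxx/.ttt files found under $Root."
    return
}

# Encryption window: the ransomware rewrites each file, so the spread of
# LastWriteTime across encrypted files bounds when it ran.
$byTime = @($encrypted | Sort-Object LastWriteTime)
"Encrypted files : $($encrypted.Count)"
"First written   : $($byTime[0].LastWriteTime)"
"Last written    : $($byTime[-1].LastWriteTime)"
"Ransom notes    : $($notes.Count)"
$notes | Select-Object -ExpandProperty FullName | Sort-Object -Unique | ForEach-Object { "  note: $_" }

# Original file types, read from the name in front of the appended extension.
"`nOriginal types (top 10):"
$encrypted |
    ForEach-Object { [IO.Path]::GetExtension($_.BaseName).ToLower() } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 10 |
    Format-Table Name, Count -AutoSize | Out-Host

# Directories hit hardest, to prioritise restores from backup.
"`nDirectories (top 10):"
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 | Format-Table Count, Name -AutoSize | Out-Host

# Inventory for the incident record.
$encrypted |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8
"Inventory written to $Report"
```

Save it as, for example, teslacrypt-triage.ps1 and run `.\teslacrypt-triage.ps1 -Root 'C:\Users\alice'` from an elevated prompt. Capture the inventory before running any removal tool, because cleanup can alter write times and destroy the encryption window; the per-directory counts are what you hand to whoever restores from backup.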
After this, the user may find that the encrypted files have lost their file icon and, upon opening one, may
see a message similar to the following:
Finally, the ransom message includes instructions on how to use the Tor network to contact the
cybercriminals anonymously and discuss the ransom payment for file decryption. Experts advise affected
users NOT to pay any ransom, because the money funds the cybercrime organization and lets it further develop
the threat and the modules of the virus.
After removing the malicious objects, some modified registry entries may remain. To reset your registry
permissions for free, you may want to check the instructions linked below.
How To Reset Registry Permissions In Windows and Fix Errors
http://sensorstechforum.com/es/remove-teslacrypt-3-0-ransomware-and-restore-xxx-and-ttt-files/
Vencislav Krstev
A network administrator and malware researcher at SensorsTechForum with a passion for
discovering new shifts and innovations in cyber security. Strong believer in basic education of