TeslaDecoder released to decrypt .EXX, .EZZ, .ECC files encrypted by TeslaCrypt


2251 replies to this topic

#16 neo-harqq

  • Members
  • 2 posts

Posted 20 May 2015 - 12:04 AM

 

i tried to use this decoder but didn't work on key file storage.bin
warning message :

  • - data file version 4 recognized
  • - descryption key is not present in data file
  • - decryption key was destroyed by teslacrypt
  • - unfortunately this tool can't recover descryption key :-( 

 
nb: i move storage.bin to drive C:\file virus and i load manually use this decoder
 
so how?? any update or something i miss??

It worked, storage.bin was decrypted and checked, but unfortunately your decryption key was already destroyed by TeslaCrypt. TeslaCrypt destroys decryption key when all of your files were encrypted. When this happens I can't recover your decryption key from data file without TeslaCrypt's writers' private key.
When decryption key can't be recovered I recommend to back up all your encrypted files, data file (key.dat or storage.bin) and recovery_key.txt or recovery_file.txt and wait for another solution.

 

Hi BloodDolly

i know what you mean coz i already read it (www.bleepingcomputer.com/forums/t/575875/new-teslacrypt-version-released-that-uses-the-exx-extension/page-3#entry3708349) and i'll follow your recommend to backup all files. i use another HDD to reinstall OS, ( i keep my infected HDD ) and wait another solution..

hope you can find another solution and post here..

thanks before&after..


Edited by neo-harqq, 20 May 2015 - 12:06 AM.




#17 bgd25

  • Members
  • 1 posts

Posted 20 May 2015 - 04:12 AM

Hi BloodDolly,

 

where i can find key.dat/storage.bin..  i try search entire c drive using search box..but still can't find it..any suggestion?



#18 quietman7

    Bleepin' Gumshoe

  • Global Moderator
  • 62,063 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 May 2015 - 05:25 AM

Files associated with unnamed variant of TeslaCrypt:
%LocalAppData%\storage.bin
%LocalAppData%\<random>.exe
%LocalAppData%\log.html
%Desktop%\Save_Files.lnk

Files associated with Alpha Crypt:
%Desktop%\Save_Files.lnk
%AppData%\blburkg.exe
%AppData%\log.html
%AppData%\key.dat = C:\Users\[user name]\AppData\Roaming\key.dat

Files associated with TeslaCrypt:
%AppData%\<random>.exe
%AppData%\log.html
%Desktop%\CryptoLocker.lnk
%AppData%\key.dat = C:\Users\[user name]\AppData\Roaming\key.dat

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
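
An added example, not part of the original post or of TeslaDecoder: a triage script that checks every user profile on a volume (for instance an infected disk attached to a clean machine) for the file names listed above. The mapping of %AppData%, %LocalAppData% and %Desktop% to folders for both Vista-and-later and Windows XP profiles, the function names and the "exe-in-root" heuristic standing in for <random>.exe are this example's assumptions.

```python
import sys
from pathlib import Path

# Profile roots and per-variable subfolders: Vista-and-later layout first,
# then the Windows XP layout. "%Desktop%" follows the post's notation.
PROFILE_ROOTS = ["Users", "Documents and Settings"]
LAYOUT = {
    "%AppData%": ["AppData/Roaming", "Application Data"],
    "%LocalAppData%": ["AppData/Local", "Local Settings/Application Data"],
    "%Desktop%": ["Desktop"],
}
# File names from the post, lower-cased for case-insensitive matching.
NAMED = {
    "%AppData%": {"key.dat", "log.html", "blburkg.exe"},
    "%LocalAppData%": {"storage.bin", "log.html"},
    "%Desktop%": {"save_files.lnk", "cryptolocker.lnk"},
}
KEY_FILES = {"key.dat", "storage.bin"}  # the data files TeslaDecoder loads

def classify(var, name):
    """Label one file name found directly in the folder that var maps to."""
    name = name.lower()
    if name in NAMED[var]:
        return "key-file" if name in KEY_FILES else "listed"
    if var != "%Desktop%" and name.endswith(".exe"):
        return "exe-in-root"  # stands in for <random>.exe; review by hand
    return None

def list_files(directory):
    """Files directly inside directory; empty if missing or unreadable."""
    try:
        return [p for p in directory.iterdir() if p.is_file()]
    except OSError:
        return []

def find_artifacts(volume):
    """Return sorted (kind, variable, relative path) hits for every profile."""
    volume, hits = Path(volume), []
    for root in PROFILE_ROOTS:
        profiles = volume / root
        for profile in (profiles.iterdir() if profiles.is_dir() else []):
            for var, subdirs in LAYOUT.items():
                for sub in subdirs:
                    for f in list_files(profile / sub):
                        kind = classify(var, f.name)
                        if kind:
                            hits.append((kind, var, f.relative_to(volume).as_posix()))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_artifacts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%-12s %-15s %s" % hit)
```

Copy any "key-file" hit off the disk before cleaning the machine, since that is the file the decoder needs.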


#19 2puggles

  • Members
  • 2 posts
  • Gender:Female

Posted 20 May 2015 - 01:50 PM

Computer got infected May 13th, 2015... So when I came across this thread today, I was quite happy to say the least!!

 

I ran the TeslaDecoder, and it came back with the decryption key.

However, I am at a loss for how to actually decrypt the files/folders... or if it's even possible.

345kg7o.jpg

 

Any help or suggestion with what to do next is very much appreciated!


Edited by 2puggles, 20 May 2015 - 01:50 PM.


#20 gotrojans

  • Members
  • 2 posts

Posted 20 May 2015 - 01:56 PM

Cisco Talos indicated that they were going to try using the recovery_file file, and they haven't moved forward on it yet. 

 

Based on what you are saying, I can understand why.

 

Thanks for your response BloodDolly.

 

Ron



#21 MorrisTechSayre

  • Members
  • 1 posts

Posted 20 May 2015 - 03:07 PM

Here's what I am getting on my screen when trying to use this. Any advice?
The top of the image is the bitcoin address that's in the key.dat file.

 

image.png


Edited by MorrisTechSayre, 20 May 2015 - 03:08 PM.


#22 BloodDolly

  • Security Colleague
  • 526 posts
  • Gender:Male
  • Location:Slovakia

Posted 20 May 2015 - 04:23 PM

Computer got infected May 13th, 2015... So when I came across this thread today, I was quite happy to say the least!!

 

I ran the TeslaDecoder, and it came back with the decryption key.

However, I am at a loss for how to actually decrypt the files/folders... or if it's even possible.

345kg7o.jpg

 

Any help or suggestion with what to do next is very much appreciated!

Oops, my fault, I will fix it tomorrow. :-)

Hotfixed, download it again and try.


Edited by BloodDolly, 20 May 2015 - 04:43 PM.


#23 ViennaNeedsHELP

  • Members
  • 1 posts

Posted 21 May 2015 - 05:48 AM

Need also help

come from europe/austria/vienna speak "german", very bad english

have laptop with win 7, but as second system "windows XP" ("emuated??") on it (not from me, but from shop i bought laptop

because i would not buy without my Windows XP (i am about 60 years old, i am not able to learn new system, i last work about 8 y on Win XP

congrats to this community, to get a new account worked well!!! so i am here......

to dolly: i do not know dropbox, but i got on your link and came to dropbox. to create an account there misfailed 3 times... do not know why.

 

so i do not know how do get the teslaDecoder she/you offer....

i want to try first before i ask anybody here, but i am even unable to download the program because of the dropbox problem

 

i am the only one here who is infected in europe?

i am the smallest internet user you can imagine. only some mails every 2 weeks. do not know how i got infection.

my spams are 100x times higher than not-spam mails from family (1-2/week).

 

what can i do to get free from this malware and to see my pictures and word docs again.

 

Pay?????????

 

i think i am not even able to check this and pay, i never paid before in internet.....

 

pls help me, my work of 5 years is otherwise lost (about 1,5 - 2 Mio only private pictures of nature and horse-breeding would be lost

terrible....

 

at this moment local time is 1 pm, and where are you, whats the time there

is anybody here living in europe or germany or austria to help me????

 

thanks and greetings from vienna



#24 x2click

  • Members
  • 1 posts

Posted 21 May 2015 - 10:11 AM

Hi,

 

Thank you so much for creating this program.  It has helped to save all the files of a pensioner who kept his life's work on his pc and had very little backup when the crypto virus struck - everything was encrypted including the book he has been writing.  The only problem I have encountered so far is that it decrypted around 50% of the jpg files he has just fine and the other half are corrupted in some way (I kept the original encrypted versions of these).  Some of them are scans of really old war photos etc. All the files are on a 32bit xp pc.  When I try to open the corrupted ones in gimp it says:  "Not a JPEG file: starts with 0x87 0x9e" - the files always were jpg files though before the virus.  Can you shed any light on why some of them would get corrupt during decryption (I can provide b4 & after files if required).


Edited by x2click, 21 May 2015 - 10:12 AM.


#25 BloodDolly

  • Security Colleague
  • 526 posts
  • Gender:Male
  • Location:Slovakia

Posted 21 May 2015 - 10:34 AM

Hi,

 

Thank you so much for creating this program.  It has helped to save all the files of a pensioner who kept his life's work on his pc and had very little backup when the crypto virus struck - everything was encrypted including the book he has been writing.  The only problem I have encountered so far is that it decrypted around 50% of the jpg files he has just fine and the other half are corrupted in some way (I kept the original encrypted versions of these).  Some of them are scans of really old war photos etc. All the files are on a 32bit xp pc.  When I try to open the corrupted ones in gimp it says:  "Not a JPEG file: starts with 0x87 0x9e" - the files always were jpg files though before the virus.  Can you shed any light on why some of them would get corrupt during decryption (I can provide b4 & after files if required).

Probably multiinfection with Tesla/AlphaCrypt. I sent you a PM.
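
An added example, not part of the original posts or of TeslaDecoder: a header check over a folder of decrypted files that lists the ones failing in the way reported above ("Not a JPEG file: starts with 0x87 0x9e"), so the encrypted originals of exactly those files can be set aside for another pass. It goes beyond the JPEG case to a few other common formats; the signature table and function names are this example's own.

```python
from pathlib import Path

OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
ZIP = b"PK\x03\x04"                         # .docx/.xlsx are ZIP archives
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
    ".doc": [OLE], ".xls": [OLE],
    ".docx": [ZIP], ".xlsx": [ZIP],
}

def read_head(path, n=8):
    """Return the first n bytes of a file."""
    with open(path, "rb") as fh:
        return fh.read(n)

def header_ok(path):
    """True or False for a known extension, None when the type is not in MAGIC."""
    sigs = MAGIC.get(Path(path).suffix.lower())
    if sigs is None:
        return None
    head = read_head(path)
    return any(head.startswith(sig) for sig in sigs)

def audit(folder):
    """Map relative path -> first two bytes (as hex) for files failing the check."""
    folder, bad = Path(folder), {}
    for p in sorted(folder.rglob("*")):
        if p.is_file() and header_ok(p) is False:
            bad[p.relative_to(folder).as_posix()] = " ".join(
                "0x%02x" % b for b in read_head(p, 2))
    return bad

if __name__ == "__main__":
    import sys
    for path, first in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print("%s: starts with %s" % (path, first or "(empty file)"))
```

A file that passes only has the right first bytes; it can still be damaged further in, so open a sample of passing files as well.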



#26 BloodDolly

  • Security Colleague
  • 526 posts
  • Gender:Male
  • Location:Slovakia

Posted 21 May 2015 - 10:37 AM

Need also help

come from europe/austria/vienna speak "german", very bad english

have laptop with win 7, but as second system "windows XP" ("emuated??") on it (not from me, but from shop i bought laptop

because i would not buy without my Windows XP (i am about 60 years old, i am not able to learn new system, i last work about 8 y on Win XP

congrats to this community, to get a new account worked well!!! so i am here......

to dolly: i do not know dropbox, but i got on your link and came to dropbox. to create an account there misfailed 3 times... do not know why.

 

so i do not know how do get the teslaDecoder she/you offer....

i want to try first before i ask anybody here, but i am even unable to download the program because of the dropbox problem

 

i am the only one here who is infected in europe?

i am the smallest internet user you can imagine. only some mails every 2 weeks. do not know how i got infection.

my spams are 100x times higher than not-spam mails from family (1-2/week).

 

what can i do to get free from this malware and to see my pictures and word docs again.

 

Pay?????????

 

i think i am not even able to check this and pay, i never paid before in internet.....

 

pls help me, my work of 5 years is otherwise lost (about 1,5 - 2 Mio only private pictures of nature and horse-breeding would be lost

terrible....

 

at this moment local time is 1 pm, and where are you, whats the time there

is anybody here living in europe or germany or austria to help me????

 

thanks and greetings from vienna

You don't have to be registered on dropbox to download my decoder. When a signup window pops up you can close it by clicking on light blue X on the right top corner.



#27 2puggles

  • Members
  • 2 posts
  • Gender:Female

Posted 21 May 2015 - 05:16 PM


Oops, my fault, I will fix it tomorrow. :-)

Hotfixed, download it again and try.

 

 

Worked Great!! Thank you :-)



#28 kilikibi

  • Members
  • 5 posts

Posted 22 May 2015 - 06:19 AM

Hello,

Thank you for your help.

I was touched by the decryption .EXX   May 17
I installed a Windows 8.1 image by symantec immediately. But I still have the backup hard drive completely coded .EXX

Is there a way of doing something?

 

I have an idea: I can try to find the encryption key by "photorec" "under the installed image."

But what kind of key I'll get? what form does it?

Thank you very much again.

Kind regards,
kilikibi
Grenoble
France


Edited by kilikibi, 22 May 2015 - 09:42 AM.


#29 BloodDolly

  • Security Colleague
  • 526 posts
  • Gender:Male
  • Location:Slovakia

Posted 22 May 2015 - 01:06 PM

Hello,

Thank you for your help.

I was touched by the decryption .EXX   May 17
I installed a Windows 8.1 image by symantec immediately. But I still have the backup hard drive completely coded .EXX

Is there a way of doing something?

 

I have an idea: I can try to find the encryption key by "photorec" "under the installed image."

But what kind of key I'll get? what form does it?

Thank you very much again.

Kind regards,
kilikibi
Grenoble
France

You need to find storage.bin in %localappdata% folder. Load this key into TeslaDecoder and you will see if decryption key is still in this file. If decryption key was destroyed, there is no way how my tool can decrypt your files and you have to wait for another solution. The new storage.bin is encrypted with AES, so it is not an easy task to search for it on raw disk.



#30 crisis2k

  • Members
  • 121 posts
  • Gender:Male

Posted 22 May 2015 - 08:10 PM

 

Computer got infected May 13th, 2015... So when I came across this thread today, I was quite happy to say the least!!

 

I ran the TeslaDecoder, and it came back with the decryption key.

However, I am at a loss for how to actually decrypt the files/folders... or if it's even possible.

345kg7o.jpg

 

Any help or suggestion with what to do next is very much appreciated!

Oops, my fault, I will fix it tomorrow. :-)

Hotfixed, download it again and try.

 

 

 

Nice 0.0.53! BloodDolly i gratitude for your marvelous service.

will you keep upload newest version on https://www.dropbox.com/s/abcziurxly2380e/TeslaDecoder.zip?dl=0 sustainedly?


Edited by crisis2k, 22 May 2015 - 08:12 PM.

My Name is Philip You Can Call Me Phil
Thank You I'll be there anytime you need help




