New TeslaCrypt version released that uses the .EXX extension.


221 replies to this topic

#31 shawpie


Posted 14 May 2015 - 03:26 PM

I'm here for a CryptoVirus issue in which I have the tool listed here:  http://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=login&do=process .  TeslaDecoder

 

I have the three items required to decrypt the files.

1.  Bitcoin address - 1CYSo41HtX73z4aEr7qKNCvcA1GfyJskRT

2.  encryption/decryption code - D63CDE38AA8C29B85DF0F5F9DB42EA04C70488CE2CA8BBE6E07F44F14D66E9B5

3.  Hopefully the master key - 8BF71731E9F20613EAF148B968500DD365AD4E82785834AD8B213EFFE18A266E85BE66C6A7106E727F1B8AA6B03DD5214CE64923F4B6198EBF1B6DC70A601289

 

how does one build/rebuild the storage.bin file as #s 1 & 3 are already there?  where does #2 go in the storage.bin?





#32 shawpie


Posted 14 May 2015 - 03:32 PM

Output of TeslaDecoder:

 

Trying to load data from windows registry...
Registry entry found.
Data file version 4 recognized.
ERROR - Decryption key is not present in data file.
Unfortunatelly this tool can't recover decryption key. :-(

Trying to load data file from disk...
Data file found >> C:\Users\LSP\AppData\Local\storage.bin
Data file version 4 recognized.
ERROR - Decryption key is not present in data file.
Unfortunatelly this tool can't recover decryption key. :-(



#33 BloodDolly


Posted 14 May 2015 - 04:52 PM

> I'm here for a CryptoVirus issue in which I have the tool listed here:  http://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=login&do=process .  TeslaDecoder
>
> I have the three items required to decrypt the files.
>
> 1.  Bitcoin address - 1CYSo41HtX73z4aEr7qKNCvcA1GfyJskRT
>
> 2.  encryption/decryption code - D63CDE38AA8C29B85DF0F5F9DB42EA04C70488CE2CA8BBE6E07F44F14D66E9B5
>
> 3.  Hopefully the master key - 8BF71731E9F20613EAF148B968500DD365AD4E82785834AD8B213EFFE18A266E85BE66C6A7106E727F1B8AA6B03DD5214CE64923F4B6198EBF1B6DC70A601289
>
> how does one build/rebuild the storage.bin file as #s 1 & 3 are already there?  where does #2 go in the storage.bin?

It is not possible to get the decryption key from these numbers now.
Those numbers are located in RECOVERY_FILE.TXT or RECOVERY_KEY.TXT and can be used by the Tesla/Alpha Crypt creators to derive your decryption key using the ECDH key exchange mechanism (http://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman).

FYI
1. Bitcoin address
2. Your public key X coordinate
3. Computed shared secret multiplied by your private key (decryption key)

In the latest version with the .exx extension, these last 2 numbers are located in the header of all encrypted files too.
 



#34 shawpie


Posted 14 May 2015 - 05:38 PM

That is what I have.  I have the first few lines.

 

D63CDE38AA8C29B85DF0F5F9DB42EA04C70488CE2CA8BBE6E07F44F14D66E9B5    8BF71731E9F20613EAF148B968500DD365AD4E82785834AD8B213EFFE18A266E85BE66C6A7106E727F1B8AA6B03DD5214CE64923F4B6198EBF1B6DC70A601289    ´„º À]›cßN°™ò æ
 0NÀ-®áçëHdø´Ä,02s¶³‹°sª(i«çž‡Îœ6ñ(\*
:¶é3–ïie¢–Zñ Pˆ«^Ñklª2j#ú᪆aKD„Ñ[Å_5(+Ñ6ÐÖ®: GͼÝb)|q¤ç_ˆ²Á›Ú´#?6GÖ½“A\ÐçÈkù7«$™"!£0옙‘9‘w4¡j]ã2|ÑÝK(.‡ˆ´³Üä¼{ÎK%îÜâAw ,Üöɶ5 }jÃÞî'ûG\oò¼;ËáM
$pþ;&zx¶âhÿ!kr™©D˜Å\Dhá€ã®u¿rPZ{¤ºçsm²dD†7sXÍzç`)ΞÃÀ%Û`"Ó¾šƒÑ'Á´2f§Úˆ–‚²×ojfãj]t"žÛC"BOºûœ—


Maybe there could be a way to enter this information manually in the TeslaDecoder that would probably do the trick.

 

shawn


Edited by shawpie, 14 May 2015 - 05:38 PM.


#35 shawpie


Posted 14 May 2015 - 05:59 PM

Maybe there could be a way to enter the required information manually instead of reading a file, which, in my experience, would never read properly.

 

If I knew the proper storage.bin or key.dat setup then this would be a no brainer.

 

shawn



#36 cyjh


Posted 14 May 2015 - 09:53 PM

 

> > I'm here for a CryptoVirus issue in which I have the tool listed here:  http://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=login&do=process .  TeslaDecoder
> >
> > I have the three items required to decrypt the files.
> >
> > 1.  Bitcoin address - 1CYSo41HtX73z4aEr7qKNCvcA1GfyJskRT
> >
> > 2.  encryption/decryption code - D63CDE38AA8C29B85DF0F5F9DB42EA04C70488CE2CA8BBE6E07F44F14D66E9B5
> >
> > 3.  Hopefully the master key - 8BF71731E9F20613EAF148B968500DD365AD4E82785834AD8B213EFFE18A266E85BE66C6A7106E727F1B8AA6B03DD5214CE64923F4B6198EBF1B6DC70A601289
> >
> > how does one build/rebuild the storage.bin file as #s 1 & 3 are already there?  where does #2 go in the storage.bin?
>
> It is not possible to get decryption key from these numbers now.
> Those numbers are located in RECOVERY_FILE.TXT or RECOVERY_KEY.TXT and can be used for Tesla/Alpha crypt creators for getting your decryption key using ECDH key exchange mechanism (http://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman).
>
> FYI
> 1. Bitcoin address
> 2. Your public key X coordinate
> 3. Computed shared secret multiplied with your private key (decryption key)
>
> In latest version with .exx extension these 2 last numbers are located in header of all encrypted files too.
 

 

I have a question:

I tried using your decoder and it didn't find the decryption key.

Since the decryption key is not found, if in the future there is any other decoder, would it work?

Or wouldn't it work anymore since the key is no longer there?


Edited by cyjh, 14 May 2015 - 09:54 PM.


#37 emadeloc


Posted 15 May 2015 - 02:25 PM

Hello.

My brother was infected yesterday by this TeslaCrypt version. I tried the BloodDolly program but it always prompts "Error: wrong format. Bitcoin address is missing".
I still have the .EXE file of the virus, storage.bin, the regkey entry, and even an original and encrypted file if this can help.



#38 hyperjon


Posted 16 May 2015 - 01:17 PM

Hi all. I'm really hoping someone figures this out, It's encrypted everything on my computer! :( Both HDD's!



#39 BloodDolly


Posted 16 May 2015 - 03:22 PM

> Maybe there could be a way to enter the required information manually instead of reading a file, in my experience, would never read properly.
>
> If I knew the proper storage.bin or key.dat setup then this would be a no brainer.
>
> shawn

It reads data files properly, but the decryption key may already have been destroyed. As I wrote in the readme and in the decoder, my TeslaDecoder can decrypt files only when the decryption key is still present in the data file, i.e. when Tesla/Alpha Crypt didn't finish encrypting all files.

There is no way to use the information from recovery_file.txt/recovery_key.txt or the 200B header of .exx files without the private key of the Tesla/Alpha Crypt writers.



#40 BloodDolly


Posted 16 May 2015 - 03:24 PM

I updated my tool to be able to handle the new version of storage.bin.
The link is the same:
http://www.dropbox.com/s/abcziurxly2380e/TeslaDecoder.zip?dl=0



#41 shawpie


Posted 16 May 2015 - 03:51 PM

BloodDolly

 

Do you have a working copy of the storage.bin that worked for you??

Could you put an option or "button" that will allow people to enter, copy and paste the keys manually??

 

Great work.  I will have to try when I get back to the office on Monday.

 

thanks

shawn



#42 shawpie


Posted 16 May 2015 - 06:15 PM

BloodDolly,

 

I had a copy of the AppData\storage.bin file on my thumb drive when I made a backup of the original hard drive.

I tried your new tool.

 

Loading data file from >> G:\AppData\storage.bin
Data file version 4 recognized.
ERROR - Decryption key is not present in data file.
Unfortunately this tool can't recover decryption key. :-(
 
Here is a notepad copy and paste of my storage.bin file:
 
1CYSo41HtX73z4aEr7qKNCvcA1GfyJskRT                                                                  Ö<Þ8ªŒ)¸]ðõùÛBêLjÎ,¨»æàDñMféµ8BF71731E9F20613EAF148B968500DD365AD4E82785834AD8B213EFFE18A266E85BE66C6A7106E727F1B8AA6B03DD5214CE64923F4B6198EBF1B6DC70A601289                                                                    ìêj+èø÷BŸ•Æ°ßKñ„ƒ@5>+" k»ä¬°òìÿ(6ä„;2ûëó”í«µÐŽá¨°Èï¥z’‹Ö  ß   5 ™O†a^¸+âÕ'+ÍöÆbú
µüóS ݪPÒ}M‡ü¼?õ\ã©­”Š'aÁß+Ìíß®_¤ºàTh¶o]ÂWþÒ-~ëEÈ‹l¯ñó©äÓPÅ‹TÑ_ö û‹ö0éÜåPèt¼
K­‚œ
‘ëùd¼úî«Q•ì¦¯ì|C‰ð¯TïÀ~X6ü‰íŒ#» Ym"L;†$Îþ<[(h‰szfæµRá¿m´*·¸#BŸ¿v¤Œ­÷óƒïç¾Ï«Ç¹tþÉÍÑÐþð0GL–½*kêÓ‰„~‘mþ‹½±dÙä×»PÐÝqyrHÓe(mðÊr
ÌW­ã™ÃÉDcÇA§7pÌm7Öuf(艒xÕŸâÒ¼»`Œ¬íüZ¨ÑNßH¨xøIFXÕB~_ýä±ÈðÚf* iŽQU    ï¾­Þ   
 
Everything should be in this file.
1CYSo41HtX73z4aEr7qKNCvcA1GfyJskRT
and
8BF71731E9F20613EAF148B968500DD365AD4E82785834AD8B213EFFE18A266E85BE66C6A7106E727F1B8AA6B03DD5214CE64923F4B6198EBF1B6DC70A601289
 
The only piece missing is:
D63CDE38AA8C29B85DF0F5F9DB42EA04C70488CE2CA8BBE6E07F44F14D66E9B5
 
Here is a rar file of a few encrypted files and my storage.bin.  Careful of the recovery txt files.  These two made MS security essentials delete them.
 
 
Thanks
shawn

Edited by shawpie, 16 May 2015 - 06:16 PM.


#43 Fleeps


Posted 17 May 2015 - 02:12 AM

BLOODDOLLY!

Your new updated Decrypter works for me like a charm (with extension .exx)! All files are decrypted and I can use them again! Brilliant job! A very big THANK YOU!


Edited by Fleeps, 17 May 2015 - 02:19 AM.


#44 BloodDolly


Posted 17 May 2015 - 03:24 AM

 

> BloodDolly,
>
> I had a copy of the AppData\storage.bin file on my thumb drive when I made a backup of the original hard drive.
>
> I tried your new tool.
>
> Loading data file from >> G:\AppData\storage.bin
> Data file version 4 recognized.
> ERROR - Decryption key is not present in data file.
> Unfortunately this tool can't recover decryption key. :-(
>
> Here is a notepad copy and paste of my storage.bin file:
>
> 1CYSo41HtX73z4aEr7qKNCvcA1GfyJskRT                                                                  Ö<Þ8ªŒ)¸]ðõùÛBêLjÎ,¨»æàDñMféµ8BF71731E9F20613EAF148B968500DD365AD4E82785834AD8B213EFFE18A266E85BE66C6A7106E727F1B8AA6B03DD5214CE64923F4B6198EBF1B6DC70A601289                                                                    ìêj+èø÷BŸ•Æ°ßKñ„ƒ@5>+" k»ä¬°òìÿ(6ä„;2ûëó”í«µÐŽá¨°Èï¥z’‹Ö  ß   5 ™O†a^¸+âÕ'+ÍöÆbú
> µüóS ݪPÒ}M‡ü¼?õ\ã©­”Š'aÁß+Ìíß®_¤ºàTh¶o]ÂWþÒ-~ëEÈ‹l¯ñó©äÓPÅ‹TÑ_ö û‹ö0éÜåPèt¼
> K­‚œ
> ‘ëùd¼úî«Q•ì¦¯ì|C‰ð¯TïÀ~X6ü‰íŒ#» Ym"L;†$Îþ<[(h‰szfæµRá¿m´*·¸#BŸ¿v¤Œ­÷óƒïç¾Ï«Ç¹tþÉÍÑÐþð0GL–½*kêÓ‰„~‘mþ‹½±dÙä×»PÐÝqyrHÓe(mðÊr
> ÌW­ã™ÃÉDcÇA§7pÌm7Öuf(艒xÕŸâÒ¼»`Œ¬íüZ¨ÑNßH¨xøIFXÕB~_ýä±ÈðÚf* iŽQU    ï¾­Þ   
>
> Everything should be in this file.
> 1CYSo41HtX73z4aEr7qKNCvcA1GfyJskRT
> and
> 8BF71731E9F20613EAF148B968500DD365AD4E82785834AD8B213EFFE18A266E85BE66C6A7106E727F1B8AA6B03DD5214CE64923F4B6198EBF1B6DC70A601289
>
> The only piece missing is:
> D63CDE38AA8C29B85DF0F5F9DB42EA04C70488CE2CA8BBE6E07F44F14D66E9B5
>
> Here is a rar file of a few encrypted files and my storage.bin.  Careful of the recovery txt files.  These two made MS security essentials delete them.
>
> Thanks
> shawn

 

I don't know how to explain it to you more clearly.
My decoder doesn't use these numbers, because it is not possible to get your decryption key (which is your private key) without their private key. That is how ECDH key exchange works. All my tool does is check whether your decryption key has not yet been wiped from the data file, because, as I said, the decryption key stays in the data file until all your files are encrypted (so while the encryption process hasn't finished). Tesla/Alpha Crypt needs to have this key stored on the computer for several reasons, like a computer restart, etc. But once all your files are encrypted it doesn't need it any more, and then this decryption key is destroyed.

Btw, all numbers from recovery_file.txt are in the data file (key.dat/storage.bin). And the missing number is not missing; it is just not in hexadecimal form but in binary form.

 

In your case:

This number is your public key x coordinate. They need this number to compute the ECDH shared secret by multiplying it with their private key.
D63CDE38AA8C29B85DF0F5F9DB42EA04C70488CE2CA8BBE6E07F44F14D66E9B5 = Ö<Þ8ªŒ)¸]ðõùÛBêLjÎ,¨»æàDñMféµ

This is ECDH_shared_secret * YourPrivateKey
8BF71731E9F20613EAF148B968500DD365AD4E82785834AD8B213EFFE18A266E85BE66C6A7106E727F1B8AA6B03DD5214CE64923F4B6198EBF1B6DC70A601289

Try to read this:
http://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman

I know you want your data back, but when your decryption key is destroyed, then without their private key there is no way to get your private key back in reasonable time.
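The key escrow BloodDolly describes in #33 and #44 (number 2 is the victim's public key x coordinate, number 3 is the ECDH shared secret multiplied by the victim's private key) can be modelled in a few dozen lines, which makes the "why TeslaDecoder cannot use these numbers" point concrete. The Python below is an added illustration, not BloodDolly's TeslaDecoder code or anything from the malware. It assumes the curve is secp256k1 (the thread never names the curve) and that number 3 is the plain big-integer product x(shared secret) * d, inferred only from its 64-byte length; the key values in the demo are constructed, not taken from anyone's recovery file. With the malware authors' private key `a`, the victim key `d` falls out in one division; with only numbers 1 to 3, recovering `d` from x(Q) is the elliptic-curve discrete logarithm problem, which is why the only defensive recovery path the thread offers is a data file in which `d` has not yet been wiped.

```python
"""ECDH key escrow as described in the thread (added example, not TeslaDecoder code).

Assumptions not stated in the thread: curve secp256k1; recovery number 3 is the
plain integer product x(S) * d, where S is the ECDH shared secret.
"""

# secp256k1 domain parameters (assumed curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def lift_x(x):
    """Recover a curve point from its x coordinate; either of the two y values works here."""
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)  # P % 4 == 3, so this is a square root when one exists
    if y * y % P != rhs:
        raise ValueError("x is not on the curve")
    return (x, y)


def victim_side(d, authors_pub):
    """What the thread says is computed on the infected machine: the victim's private
    key d (the decryption key) is escrowed as x(Q) and x(d * AuthorsPub) * d."""
    q = scalar_mult(d, G)            # victim public key Q = d*G
    s = scalar_mult(d, authors_pub)  # ECDH shared secret S = d*(a*G)
    return q[0], s[0] * d            # recovery numbers 2 and 3


def authors_recover(a, victim_pub_x, recovery):
    """Only the holder of the authors' private key a can undo the escrow:
    a*Q has the same x coordinate as d*(a*G), so d = recovery / x(a*Q)."""
    s = scalar_mult(a, lift_x(victim_pub_x))
    if recovery % s[0] != 0:
        return None                  # wrong key: the product does not divide cleanly
    return recovery // s[0]


def to_recovery_hex(pub_x, recovery):
    """Render the two numbers the way the thread shows them: 64 and 128 upper-case hex digits."""
    return (pub_x.to_bytes(32, "big").hex().upper(),
            recovery.to_bytes(64, "big").hex().upper())


if __name__ == "__main__":
    # Constructed demo keys, not values from the thread.
    a = 0x0BAD5EED0BAD5EED0BAD5EED0BAD5EED0BAD5EED0BAD5EED0BAD5EED0BAD5EED
    d = 0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF
    pub_x, rec = victim_side(d, scalar_mult(a, G))
    h2, h3 = to_recovery_hex(pub_x, rec)
    print("2.", h2)
    print("3.", h3)
    print("recovered with authors' key:", authors_recover(a, pub_x, rec) == d)
    print("recovered with a wrong key :", authors_recover(a + 1, pub_x, rec) == d)
```

The division in `authors_recover` is the whole "decryption service": everything the victim can see (Bitcoin address, x(Q), the product) is public by design, and the one secret that turns the product back into `d` never leaves the authors' side. That is also why the .exx header carrying the same two numbers adds nothing for the victim.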



#45 andiwinter66


Posted 17 May 2015 - 05:13 AM

@BloodDolly

 

I also still get the following message from your tool (v.0.0.50) - I have encrypted .exx files, storage.bin with 752 bytes

 

Data file version 4 recognized.
ERROR - Decryption key is not present in data file.
Unfortunately this tool can't recover decryption key. :-(
 
What I'm wondering is how your tool decides that the decryption key is not present. The decryption key should be at offset 0x1DB, right? If this data is not zero'ed, how can you decide it's not a valid decryption key? What is the algorithm behind this decision?
 
For my understanding any 'random' binary data can be a key, so what makes it specific to be a decryption key for the TeslaCrypt virus?
 
Thanks for your help,
Andreas. 




