.ecc Old Version #20

Open
xxmdstudxx opened this issue Jan 23, 2016 · 15 comments

Comments

@xxmdstudxx

Hello,
I have an issue getting teslacrack to work with the old .ecc version (encryption happened in February of 2015). It just errors out with "worddoc.doc.ecc doesn't appear to be TeslaCrypted". I have attached two files: one was a Word document, the other was a JPEG. Any help would be appreciated, thanks!
samplefiles.zip

@Demonslay335

Do you have a key.dat file in %APPDATA%? It might be best to use TeslaDecoder with the first variant, as the key is not paired with the files, and has to be extracted from that file. We can also use factorization if you have a RECOVERY_FILES.TXT file in your My Documents.

@xxmdstudxx (Author)

Unfortunately no, I don't have any files from the AppData folder. This ran on an XP machine and didn't finish running, so I never got the recovery_files.txt file. Somebody other than myself decided it was a good idea to only back up the encrypted files and the registry (which I looked through and didn't find anything in). Then they wiped the hard drive (secure erased) and reinstalled. The only things remaining are the encrypted files and a .reg export of the registry. :-(

@Demonslay335

Any chance that the registry has the following key?
[HKCU\Software\Microsoft\Windows\CurrentVersion\SET]

I'm not sure if it only puts the text file after the encryption, I thought it did as soon as it started since it stores the (encrypted) key there.

@xxmdstudxx (Author)

Nope, there isn't any CurrentVersion\SET key anywhere. Thanks for the ideas, I really appreciate it.

@Demonslay335

:/ AFAIK, you might be SOL mate. May have to check with Googulator and BloodDolly if they have any ideas, but going off their compiled notes, the first three releases of the ransomware stores nothing of use in the files themselves, everything is in the key.dat file and/or registry key. Unless you happened to have a network packet intercepted from when the ransomware reached out to the C&C server.

@willyset

Excuse me, my name is Willy. I want to ask about my computer, which was hit by the .CCC ransomware. I booted my computer in safe mode and ran a virus scan using Malwarebytes and SpyHunter; once that completed, it was back to normal, so why could some of my own files be partially lost?

(Sent by e-mail 2016-01-23 in reply to Michael Gillespie's comment of 2016-01-23 13:40 GMT-08:00, quoted above.)

@Googulator (Owner)

By "partially lost", do you mean you managed to decrypt some of your files using TeslaCrack, but not all?

In that case, you probably have multiple keys. TeslaCrack will warn you about this fact, and print any further keys you may need to crack. Try the Bitcoin key first (as it will unlock all of your TeslaCrypt-damaged files if successful), and move on to the AES key if the Bitcoin key is hard.

@willyset

Most of my files are decrypted. I am looking for a way to get back the lost files, since they are missing: photographic memories, etc.

(Sent by e-mail 2016-01-29 in reply to Googulator's comment of 2016-01-29 14:45 GMT-08:00, above.)

@jangshant

c:\TeslaCrack-master>python teslacrack.py -v DSCF0645.jpg.ecc
2016-05-19 21:28:04,226:DEB: Options: Namespace(delete=False, delete_old=False, dry_run=False, fix=False, fpaths=['DSCF0645.jpg.ecc'], overwrite=False, progress=False, verbose=True)
2016-05-19 21:28:04,226:INF: File u'\?\c:\TeslaCrack-master\DSCF0645.jpg.ecc' doesn't appear to be TeslaCrypted.
2016-05-19 21:28:04,242:INF: +++Dir 0
scanned: 0
noAccessDirs: 0
teslaExt: 1
badheader: 1
crypted: 0
decrypted: 0
skipped: 0
unknown: 0
failed: 0

   overwritten:      0
   badExisting:      0
       deleted:      0

I am getting this error.

@Demonslay335

@jangshant TeslaCrack does not work on the older versions I'm afraid. You'll need to download TeslaDecoder by BloodDolly and refer to the instructions there. The .ecc variant does not store the numbers needed to factorize in the encrypted file itself. You will need to search for %APPDATA%\key.dat, %APPDATA%\storage.bin, or a file in My Documents by the name of something like "recovery_file.txt" or "recovery_key.txt". It will be a file with three lines of random hexadecimal. You will need to factor the third line using Yafu/msieve, then use the second line as the Public Key to regenerate a private key using BloodDolly's TeslaRefactor.

If you locate the file, you may provide us with the contents and we can help generate a key for you.
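
The last step of the procedure above (factor the third line, then use the second line as the public key to get the private key back) is a subset search: the private key is some product of the primes that came out of the factorization, and the right product is the one whose secp256k1 public key equals line 2. The code below is an added example for this thread, not code from TeslaCrack or BloodDolly's TeslaRefactor. It assumes secp256k1 (the curve TeslaCrypt used), an uncompressed `04 || X || Y` hex public key on line 2, and that the private key divides the number on line 3; the factor lists and keys in it are constructed for the demo, not taken from a real infection.

```python
"""Recover the EC private key from the prime factors of the recovery file's
third line and the public key on its second line.

Added example for this thread, not code from TeslaCrack or TeslaRefactor.
Assumptions: keys are on secp256k1, the public key is the uncompressed hex
form 04 || X || Y, and the private key divides the third-line number, so it is
the product of some sub-multiset of that number's prime factors.  The demo
data at the bottom is constructed, not from a real infection.
"""
from collections import Counter
from itertools import product as cartesian
from math import prod

# secp256k1 domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point=G):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, point)
        point = _add(point, point)
        k >>= 1
    return acc


def pubkey_hex(d):
    """Uncompressed public key (04 || X || Y) for the private scalar d."""
    x, y = _mul(d)
    return "04%064X%064X" % (x, y)


def parse_pubkey(text):
    """Parse line 2 of the recovery file and check that it is on the curve,
    so a line that was copied with a missing or extra character is rejected."""
    h = text.strip().upper()
    if len(h) != 130 or not h.startswith("04"):
        raise ValueError("expected 130 hex chars starting with 04")
    x, y = int(h[2:66], 16), int(h[66:], 16)
    if (y * y - x * x * x - 7) % P:
        raise ValueError("not a point on secp256k1; check the line was copied intact")
    return (x, y)


def recover_private_key(factors, pubkey):
    """Try every sub-multiset of the prime factors; return the product d with
    d*G == pubkey, or None if nothing matches (e.g. a cofactor is still
    composite and needs further factoring)."""
    target = parse_pubkey(pubkey)
    counts = Counter(factors)
    primes = list(counts)
    for exps in cartesian(*(range(counts[p] + 1) for p in primes)):
        d = prod(p ** e for p, e in zip(primes, exps))
        if d == 1 or d >= N:
            continue
        if _mul(d) == target:
            return d
    return None


# Constructed demo: four known primes play the private key, four more play the
# cofactors that share the third line with it.  Real yafu/msieve output is
# longer and may repeat a prime; the Counter handles multiplicity.
DEMO_KEY_FACTORS = [65537, 2147483647, 1000000007, 999983]
DEMO_OTHER_FACTORS = [4294967291, 998244353, 2305843009213693951, 1000003]
DEMO_PRIVATE_KEY = prod(DEMO_KEY_FACTORS)
DEMO_LINE2 = pubkey_hex(DEMO_PRIVATE_KEY)                     # what "line 2" would hold
DEMO_FACTORS = sorted(DEMO_KEY_FACTORS + DEMO_OTHER_FACTORS)  # factored "line 3"


def demo():
    return recover_private_key(DEMO_FACTORS, DEMO_LINE2)


if __name__ == "__main__":
    d = demo()
    print("recovered private key: %064X" % d)
    print("matches the planted key:", d == DEMO_PRIVATE_KEY)
```

Against a real recovery file, replace `DEMO_FACTORS` with the primes yafu/msieve printed for line 3 and `DEMO_LINE2` with line 2 verbatim. The search cost is the product of (multiplicity + 1) over the distinct primes, which is why a large leftover cofactor matters: while it is still composite, no sub-multiset can equal the private key and the function returns None rather than a wrong key, so the 118-digit cofactor mentioned later in the thread has to be fully factored before this step can succeed.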

@jangshant

The thing is, I only have the encrypted files with me now. This was someone else's computer; they formatted Windows and all.

@Demonslay335

Did they do a full backup of the My Documents folder? The recovery file should be in there. It's your only chance I'm afraid.

@HamNCheeseBorger

@Demonslay335 Dang, I get that this is super ancient, but I was given an old computer from my aunt and told that it is just really slow, wondering if I could fix it. Booted it up to find out she had the TeslaCrypt ransomware virus and all of her files were changed to the .ecc format.

Found the key.dat file and the recovery key text, but yes, the private key was wiped. I am messaging here because I want to know more about "You will need to factor the third line using Yafu/msieve, then use the second line as the Public Key to regenerate a private key using BloodDolly's TeslaRefactor."

Would this actually work? The factorization could take a really long time. The original 154-digit number thankfully has been factorized a bit already, into about 8 numbers, but the 8th number is a 118-digit number that seems to be taking me a long time to factorize.

Again, sorry that I'm reviving an old thread. Much thanks to anyone who helps.

@Demonslay335

@HamNCheeseBorger Sorry for the late reply, I didn't get a notification for this.

If you can link me to the original 154 digit number you need factored, or just the key.dat itself, I can factor it for you. A P118 would probably only take an hour or two on my rig nowadays.

@HamNCheeseBorger

@Demonslay335 All good. I got it factorized about a month ago, following some random Japanese site on how to properly set up the factorization. I was able to decrypt the files on my relative's computer, but unfortunately the files were corrupted. I assume that is because of a mix of the virus scrambling the data around and the computer being left off for almost 10 years in their closet.

Thanks for the response though! :)

6 participants