1

One of our workstations was hit with the Teslacrypt ransomware. We could tell because all the documents had been encrypted and the file extensions were changed to VVV. The most secure thing to do with any malware infection is to wipe the computer and restore from back. However, that may not be an option for some. In our situation, the user did not have any backups of the documents on his local computer. So we needed to identify the way to remove the ransomware and decrypt the file. A huge thanks to Googulator for the python scripts that accomplish the decrypting. GitHub - Googulator/TeslaCrack: Decryptor for the TeslaCrypt malware. We are going to follow the instructions found there, with some adjustments that I put together from the sites in the references section. There are a lot of varied instructions out there, but here is what worked for us.

Step 1: Clean the teslacrypt ransomware from the computer

Reboot into safe mode and run Malwarebytes scan, remove all malware found. I would recommend using multiple trusted malware cleaners to make sure it is gone. Reboot when it asks too. This should cleanup the virus. Next we will decrypt the documents.

Step 2: We are going to following instructions here: GitHub - Googulator/TeslaCrack: Decryptor for the TeslaCrypt malware.

We will use a python script to identify the AES public key and then find the factors of that number and then identify the private key and decrypt one of the files. Once we have a successful decryption then we can apply it to the entire computer. Use another computer with as fast as and as many processors as possible.

Step 3: Download https://github.com/Googulator/TeslaCrack/archive/master.zip and extract to C:\decrypt

Step 4: Copy one of the encrypted VVV documents to this folder.

Step 5: Download Python 2.7 64-bit release. https://www.python.org.

Install as administrator and make sure to select the option to add Python to your PATH during the install.

Step 6: At a command prompt with administrative rights, execute the following commands:

python -c “import urllib2; print urllib2.urlopen(‘https://bootstrap.pypa.io/ez_setup.py’).read()” | python
easy_install pip
pip install http://www.voidspace.org.uk/python/pycrypto-2.6.1/pycrypto-2.6.1-cp27-none-win_amd64.whl
pip install ecdsa (optional, needed only for unfactor-ecdsa.py)

Step 7: Run: python teslacrack.py .

My results:
Cannot decrypt ./VENDOR LISTING BY CATAGORY.xlsx.vvv, unknown key
Software has encountered the following unknown AES keys, please crack them first using msieve:
A1373BCF4EDB39BCFEDD484FA86A82498410A7E83456D8E80E52966F6717CB8B8E5846BBC7A540647AE770FEDEAA0E7F8A0466082156DB332A757407A12C9FB0
found in ./VENDOR LISTING BY CATAGORY.xlsx.vvv
Alternatively, you can crack the following Bitcoin key(s) using msieve, and use them with TeslaDecoder:
5ECA19D475A313AC3DEF915CE6FA37BE012CD1676590C8F253135A3AD92345B78C32C46DB3246ED84A7B9A8C62F1A13D2AF08F09FFB3551701E7B75CCC79457C
found in ./VENDOR LISTING BY CATAGORY.xlsx.vvv

Step 8: Copy the first number to the clipboard

I copied A1373BCF4EDB39BCFEDD484FA86A82498410A7E83456D8E80E52966F6717CB8B8E5846BBC7A540647AE770FEDEAA0E7F8A0466082156DB332A757407A12C9FB0

Step 9: Go to Mobilefish.com - Big number converter and convert that Hexadecimal number to decimal.

This one converted to: 8443554284208758706290725803426642738777516291375882082881197977752270634322152168104703798454983966849000112082164921264407639940139993317228747401502640

Step 10: Now we need to factorize that number. Find all the factors. Go to http://factordb.com/ and enter your number.

I entered 8443554284208758706290725803426642738777516291375882082881197977752270634322152168104703798454983966849000112082164921264407639940139993317228747401502640 and press factorize. If you are lucky it will show FF on the left side. That means fully factorized and it will list all the factors. If that is the case, you wont need to use yafu below. You can skip down to unfactor.py.
If it shows CF or C, then we need to run yafu to find the factors first. As you find the factors, you can come back to factordb.com pull up your number and enter the factors in the Report field at the bottom. This is what I did for my number and now it shows as FF. This is the part that can a few hours or days or weeks depending on the complexity of the number. When done we will have a bunch of numbers (factors) that we will use to get the private key. I tried msieve, yafu, and variations of these. I had huge issues getting this to work. Some of the problem was the instructions are incomplete and didn’t give the full syntax. Finally I got yafu to work. Here is what I did.

Step 11: Download GGFNS.zip from this link Teslacrypt 2.0 Factoring - mersenneforum.org and unzip into C:\ggnfs-bin

Step 12: Download yafu-x64 from yafu download | SourceForge.net and unzip into C:\ggnfs-bin

Step 13: Open a command prompt and go to C:\ggnfs-bin

Step 14: Run yafu-x64.exe “tune ()”

Step 15: Edit yafu.ini. Change “ggnfs_dir=…/ggnfs-bin/” to “ggnfs_dir=C:/ggnfs-bin/” (without quotes), save, and close.

Step 16: Run yafu-x64.exe “factor(YOUR DECIMAL NUMBER HERE)” –v –threads 4

example: yafu-x64.exe “factor(8443554284208758706290725803426642738777516291375882082881197977752270634322152168104703798454983966849000112082164921264407639940139993317228747401502640)” –v –threads 4

Step 17: This is the part that takes forever. When done it will list all the factors in the factor.log file. Open that file.

At the start of your factorization it will find the small factors quickly and listed as: div: found prime factor = x. Search the log file for “found prime factor”
Also search for “prp”. It will find lines similar to this: prp32 = 25647545727466257054833379561743

Step 18: Report all factors found into your number at http://factordb.com. Once you have all the numbers reported, submitted, it will change to FF. You then know you have all the factors.

Step 19: Go to the command prompt and to C:\decrypt

Step 20: Run python unfactor-ecdsa.py <primes from previous step, separated by spaces>

It will output your AES private key. Here is what mine looked like:

unfactor-ecdsa.py VENDOR.xlsx.vvv 2 2 2 2 3 5 367 12757 25647545727466257054833379561743 75938537910569673895890812481364802067167 3858259146292441335085163995598583072203543699186432807503634945432314399
Found AES private key: b’\xbd\xa2\x54\x3a\x21\x75\xb9\xf3\x0d\xf6\xf3\x09\x60\xec\x08\x2f\x3e\xc5\xef\x61\xd4\x03\xa3\x5b\xc1\x47\x7e\x10\x47\x0a\x7c\x88’ (BDA2543A2175B9F30DF6F30960EC082F3EC5EF61D403A35BC1477E10470A7C88)

Step 21: Edit teslacrack.py and add your public and private key to the known keys

On line 24 I added:

‘A1373BCF4EDB39BCFEDD484FA86A82498410A7E83456D8E80E52966F6717CB8B8E5846BBC7A540647AE770FEDEAA0E7F8A0466082156DB332A757407A12C9FB0’: b’\xbd\xa2\x54\x3a\x21\x75\xb9\xf3\x0d\xf6\xf3\x09\x60\xec\x08\x2f\x3e\xc5\xef\x61\xd4\x03\xa3\x5b\xc1\x47\x7e\x10\x47\x0a\x7c\x88’,

Step 22: Run python teslacrack.py .

It will decrypt the file.

Step 23: Run python teslacrack.py C:\ to decrypt the whole drive.

Step 24: Once done, search for all “.vvv” and “howto_restore” files and move or delete them.

It should now be clean and decrypted

Step 25: Backup, Backup, Backup!

Make a backup of your important files and your whole system if possible. Then in the future if something like this happens you can restore from backup instead of spending countless hours trying recover them.

Hopefully these additional steps will help others. There were a lot of steps plenty of issues as I went along. So, if you not something that is incomplete let me know and I will update these steps. Perhaps together we can make this how-to even more complete. Thanks!

34 Spice ups
2

Thanks for detailed the write up. You never know when one will need this.

3

While awesome that you have written this up, I’m glad we have a policy in place that states user loss of files on their machines is not my problem…Loss of files on the File Server is a different situation on the other hand.

4

I had two desktops affected with this, Webroot stopped it from being worse than it was. Files affected on file server(s) were deleted and restored from backup.

5

Very detailed write up. Thanks for sharing. Hopefully I never need this bookmark, but in case I do…

6

Thanks for the write up. Fucking TRAVESTY they used Tesla’s name in any association with this garbage!!!

7

They must have pushed that far and wide recently. We just had a client get hit with it last week

8

Thanks for sharing, i will bookmark this tab it will helps in future if we are getting affected with this.

9

Step 25: Tell user, “Back it up, buttercup.” then back-up the back-up.

10

I was glad to have an opportunity to give back what I can. DeonBlack_IMR, thanks for the reminder. I added backing up to step 25.

11

that is really interesting. I think I would definitely prefer to nuke from orbit but nice to know recovery is possible.