Recovering TeslaCrypt and Alpha Cryptr .ezz files?
#1
I have been somewhat successful in removing this malware, whereby AVG and Malwarebytes both no longer see it as a threat and can't find any trace of it on the system, but all of the files still have the extension .ezz and no matter what I try I am unable to 'decrypt?' them.

I have run both AVG and Malwarebytes repeatedly in safe and normal mode until nothing is detected. AVG first picked it up as Trojan Horse Crypt4.YIW within AppData\Local\xizis.exe on the PC.

I have also found the key.dat file in AppData > Roaming which I believe is the encryption key used.

After some web trawling I have tried the website https://www.decryptcryptolocker.com/ and uploaded one of the .ezz files but it says the file is not encrypted.

I have also installed and run TeslaDecrypt, which finds the key.dat file and runs a scan of my whole system and says it is okay and the scan has completed, but the files still have the same name and when you try to open them, Word says that it is unable to open the file and for jpg it says the file may be corrupt or damaged.

The system does not have shadow copies running and also system restore was disabled.

I have been searching all over but I can't seem to find a way of recovering the files back to how they were.

Does anybody know if these files are recoverable, please?

Thank you in advance.
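A triage check a responder can run on a few of the .ezz files before trying further decryptors, added here as an example and not part of the original post. It assumes the ransomware appended .ezz/.ecc/.exx to the original file name (so the real type can be read from the inner extension), uses well-known magic bytes for common document and image formats, and works on constructed sample bytes rather than real victim files. The point it makes is the one the thread circles around: if the header is gone and the content is high-entropy, the bytes have been overwritten with ciphertext and renaming the file will not make Word or an image viewer open it.

```python
"""Triage constructed '.ezz' samples: does the content still carry the
original file type's header, or has it been overwritten with ciphertext?"""
import math
import hashlib
from collections import Counter

# Well-known magic bytes of common document/image types.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",),        # OOXML is a zip container
    ".doc": (b"\xd0\xcf\x11\xe0",),   # OLE compound file
}
# Extensions the thread mentions for TeslaCrypt / Alpha Crypt output.
RANSOM_EXTS = (".ezz", ".ecc", ".exx")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(filename: str, data: bytes, high: float = 7.0) -> dict:
    """Report the original extension, whether its magic is intact, the entropy
    of the first 4 KiB, and a plain-language verdict."""
    name = filename
    tagged = any(name.lower().endswith(e) for e in RANSOM_EXTS)
    if tagged:
        name = name[: name.rfind(".")]  # strip the appended ransomware extension
    ext = name[name.rfind("."):].lower() if "." in name else ""
    magic_ok = any(data.startswith(m) for m in MAGIC.get(ext, ()))
    ent = shannon_entropy(data[:4096])
    if magic_ok:
        verdict = "header intact: probably only renamed, restore the extension"
    elif ent >= high:
        verdict = "no known header and high entropy: contents encrypted, renaming alone will not help"
    else:
        verdict = "undetermined: unknown type or truncated file"
    return {"original_ext": ext, "ransom_tagged": tagged, "magic_ok": magic_ok,
            "entropy": round(ent, 2), "verdict": verdict}

# Constructed samples (not real victim files): an intact JPEG header with a
# repetitive body, and a pseudo-ciphertext built from SHA-256 digests.
INTACT = b"\xff\xd8\xff\xe0" + b"JFIF sample body " * 64
CIPHER = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for n, d in (("holiday.jpg.ezz", INTACT), ("report.docx.ezz", CIPHER)):
        print(n, triage(n, d))
```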

#2
Try renaming the .ezz to .ecc, then run Cisco's TeslaCrypt fix; that should work. If it doesn't work you may be shit out of luck.

Also this might be helpful: TeslaCrypt ransomware changes its name to Alpha Crypt

#3
(05-24-2015, 09:56 PM)Britec Wrote:  Try renaming the .ezz to .ecc, then run Cisco's TeslaCrypt fix; that should work. If it doesn't work you may be shit out of luck.

Also this might be helpful: TeslaCrypt ransomware changes its name to Alpha Crypt

I have already tried this as well. I did it on a few test files, ran the software and it still complained when I tried to open them.

#4
This article may help you resolve your issue:

TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

#5
(05-24-2015, 10:00 PM)Britec Wrote:  This article may help you resolve your issue:

TeslaCrypt and Alpha Crypt Ransomware Information Guide and FAQ

This is interesting, as it tells me that the decryption key is not present in the file. I thought key.dat had the key.

It says the decryption key was destroyed by TeslaCrypt.

In this case do you know where the key may be or what extension it could have?

Thank you

#6
That's all the information I have right now.

#7
(05-24-2015, 10:28 PM)Britec Wrote:  That's all the information I have right now.

In other words, do you think the work is lost and that is everything there is to try?

#8
I think it's possible you can recover your data if you follow that guide; if it doesn't work, then at this time... NO, your data is lost.
Remember the golden rule. Backup... Backup... Backup.

You could try asking here: New TeslaCrypt ransomware sets its scope on video gamers

#9
(05-24-2015, 10:59 PM)Britec Wrote:  I think it's possible you can recover your data if you follow that guide; if it doesn't work, then at this time... NO, your data is lost.
Remember the golden rule. Backup... Backup... Backup.

Yes, I am just reading through https://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/page-2 and can see that over time it may be feasible, but right now no, as the key has been deleted.

Thankfully (no consolation for the owner), the laptop is not mine. I was asked if I could take a look at it as they suspected something had gone wrong. They were indeed correct, but have no idea of the scale of how 'wrong' it had gone!

#10
It's gutting when something like this happens. People just don't back up enough; if they backed up on a regular basis, it would not be such a pain. The only pain would be reinstalling Windows, but at least you would have your data. Still, it might teach them to back up in the future.

All the best with your quest.